What is cross-site scripting?


Problem description

On this site (archived snapshot) under "The Theory of XSS", it says:

the hacker infects a legitimate web page with his malicious client-side script

My first question on reading this is: if the application is deployed on a server that is secure (as is the case with a bank, for example), how can the hacker ever get access to the source code of the web page? Or can he/she inject the malicious script without accessing the source code?

Recommended answer

With cross-site scripting, it's possible to infect the HTML document produced without causing the web server itself to be infected. An XSS attack uses the server as a vector to present malicious content back to a client, either instantly from the request (a reflected attack), or delayed through storage and retrieval (a stored attack).

An XSS attack exploits a weakness in the server's production of a page that allows request data to show up in raw form in the response. The page is only reflecting back what was submitted in a request... but the content of that request might hold characters that break out of ordinary text content and introduce HTML or JavaScript content that the developer did not intend.

Here's a quick example. Let's say you have some sort of templating language made to produce an HTML page (like PHP, ASP, CGI, or a Velocity or Freemarker script). It takes the following page and substitutes "<?=$name?>" with the unescaped value of the "name" query parameter.

<html>
<head><title>Example</title></head>
<body>Hi, <?=$name?></body>
</html>

Someone calling that page with the following URL:

http://example.com/unsafepage?name=Rumplestiltskin

should see this message:

Hi, Rumplestiltskin

Calling the same page with something more malicious can be used to alter the page or user experience substantially.

http://example.com/unsafepage?name=Rumplestiltskin<script>alert('Boo!')</script>

Instead of just saying "Hi, Rumplestiltskin", this URL would also cause the page to pop up an alert message that says "Boo!". That is, of course, a simplistic example. One could provide a sophisticated script that captures keystrokes or asks for a name and password to be verified, or clears the screen and entirely rewrites the page with shock content. It would still look like it came from example.com, because the page itself did, but the content is being provided somewhere in the request and just reflected back as part of the page.

So, if the page is just spitting back content provided by the person requesting it, and you're requesting that page, then how does a hacker infect your request? Usually, this is accomplished by providing a link, either on a web page or sent to you by e-mail, or in a URL-shortened request, so it's difficult to see the mess in the URL.

<a href="http://example.com?name=<script>alert('Malicious content')</script>">
Click Me!
</a>

A server with an exploitable XSS vulnerability does not run any malicious code itself (its programming remains unaltered), but it can be made to serve malicious content to clients.
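To make the answer's template concrete, here is an added example (not part of the original answer) written for Node.js. It renders the same "Hi, <?=$name?>" page twice: once with the raw query value substituted, as the answer describes, and once with the value HTML-escaped before substitution. The function names (escapeHtml, renderUnsafe, renderSafe, nameFromUrl, containsScriptTag) are my own, and the two URLs are constructed from the ones quoted in the answer.

```javascript
// Added example: reflected XSS in a "Hi, <?=$name?>" template, vulnerable and
// hardened side by side. Names and inputs below are constructed for this demo.

// Replace the five HTML-significant characters with entities. Doing this right
// before the value is placed into an HTML text node is what keeps request data
// from breaking out of text content into markup.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// The page from the answer, with the placeholder the template engine fills in.
const TEMPLATE =
  '<html>\n<head><title>Example</title></head>\n<body>Hi, <?=$name?></body>\n</html>';

// Vulnerable: substitutes the raw query value. A function replacer is used so
// that "$" sequences in the value are not interpreted by String.replace.
function renderUnsafe(name) {
  return TEMPLATE.replace('<?=$name?>', () => name);
}

// Hardened: same template, but the value is escaped before substitution.
function renderSafe(name) {
  return TEMPLATE.replace('<?=$name?>', () => escapeHtml(name));
}

// Extract the "name" query parameter the way a server framework would,
// percent-decoding included, so the attacker's payload arrives as plain text.
function nameFromUrl(url) {
  return new URL(url).searchParams.get('name') ?? '';
}

// Crude check used only to show the difference between the two renderers:
// does the rendered document contain a <script> tag the template never had?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request URLs mirroring the two from the answer.
const BENIGN_URL = 'http://example.com/unsafepage?name=Rumplestiltskin';
const MALICIOUS_URL =
  "http://example.com/unsafepage?name=Rumplestiltskin<script>alert('Boo!')</script>";

// Stand-alone run: print both renderings for the malicious request.
for (const url of [BENIGN_URL, MALICIOUS_URL]) {
  const name = nameFromUrl(url);
  console.log(`--- ${url}`);
  console.log('unsafe render contains <script>:', containsScriptTag(renderUnsafe(name)));
  console.log('safe render contains <script>:  ', containsScriptTag(renderSafe(name)));
  console.log(renderSafe(name));
}
```

The server in this example stores nothing and is never itself compromised; the payload travels in the request and is reflected into the response, which is the point the answer makes. Escaping is context-specific: the entity encoding above is correct for a value placed in HTML text or in a quoted attribute, but a value placed inside a JavaScript block, a URL, or CSS needs encoding for that context instead.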
