跨站点脚本（XSS）：Web应用程序敌人

偏执的太偏执、 2022-12-07 12:58 137阅读 0赞

Web applications are both a valuable resource for organizations and one of the biggest threats to their cyber security. Web apps are designed to be exposed to users via the Internet, allowing them the convenience of interacting with their accounts via their browser. However, this same easy access also makes these web apps a prime target for attackers trying to breach the organization’s defenses.

Web应用程序既是组织的宝贵资源，也是对其网络安全的最大威胁之一。 Web应用程序旨在通过Internet向用户公开，从而使他们可以方便地通过浏览器与帐户进行交互。 但是，同样的便捷访问方式也使这些Web应用程序成为试图破坏组织防御的攻击者的主要目标。

When attempting to secure a web application (or any software), it is extremely useful to know what to look for. The wide variety of potential attacks against web applications makes it easy to overlook a certain vulnerability class when performing a search for vulnerabilities.

尝试保护Web应用程序(或任何软件)的安全时，知道要查找的内容非常有用。 针对Web应用程序的各种潜在攻击使得在执行漏洞搜索时很容易忽略某些漏洞类别。

An extremely valuable resource for this is the [OWASP Top 10][] list, which lists the ten most common vulnerabilities based off of the analysis of the Open Web Application Security Project (OWASP). This list is updated every few years and is based upon a combination of data and the opinions of experts in the field.

一个非常有价值的资源是[OWASP Top 10][]列表，它基于对Open Web Application Security Project(OWASP)的分析列出了十个最常见的漏洞。 此列表每隔几年更新一次，并且基于数据和该领域专家的意见。

However, there are also other useful sources of data regarding the vulnerability threat landscape in the real world. Penetration testers see the vulnerabilities that exist in the wild, so they’re worth listening to when they provide information regarding the threats that they are seeing most often.

但是，在现实世界中，还有其他有用的数据来源也涉及漏洞威胁情况。 渗透测试人员会看到野外存在的漏洞，因此当他们提供有关他们最常看到的威胁的信息时，值得一听。

### 现实世界中的漏洞 **(**Vulnerabilities in the Real World**)** ###

When trying to figure out what the most common and important vulnerabilities are present in real-world software, it’s useful to go to the source. Penetration testers are the cybersecurity experts commonly tasked with testing an organization’s cyber defenses and reporting on the vulnerabilities that they find.

当试图弄清实际软件中存在哪些最常见和最重要的漏洞时，请务必参考源代码。 渗透测试人员是网络安全专家，通常负责测试组织的网络防御并报告发现的漏洞。

In the past, it has been difficult to acquire large-scale cyber vulnerability data since the results of assessments are typically kept confidential and few companies have the scale necessary to discover general trends. However, the rise of crowd-sourced vulnerability detection organizations, like HackerOne, have changed this.

过去，很难获得大规模的网络漏洞数据，因为评估结果通常是保密的，而且很少有公司拥有发现总体趋势所必需的规模。 但是，像HackerOne这样的众包漏洞检测组织的兴起改变了这一情况。

Unlike traditional penetration testing companies, which have a team of pen testers on staff to perform assessments, HackerOne acts as a middleman between companies and groups of freelance testers. Access to the test environment is provided through HackerOne, allowing them to collect statistical data about the assessments performed and the types of vulnerabilities discovered.

与传统的渗透测试公司不同，传统的渗透测试公司拥有一支由笔测试人员组成的团队来执行评估，而HackerOne则充当公司与自由测试人员团队之间的中间人。 通过HackerOne提供对测试环境的访问，使他们能够收集有关所执行的评估和发现的漏洞类型的统计数据。

[According to the][] company, currently the most common type of vulnerability on web applications is cross-site scripting (XSS). This may come as a surprise since most attacks that make the headlines don’t involve XSS. This is because the headlines are usually focused on data breaches, and XSS vulnerabilities rarely lead to large-scale data breaches. However, $8 million of the $55 million paid out in bug bounties on HackerOne went to discoveries of XSS vulnerabilities in companies’ web applications. This underscores how common these vulnerabilities are since they carry lower rewards per detection that other “more damaging” vulnerabilities.

[据该][According to the]公司称，当前Web应用程序上最常见的漏洞类型是跨站点脚本(XSS)。 这可能令人惊讶，因为大多数成为头条新闻的攻击都不涉及XSS。 这是因为头条新闻通常关注数据泄露，而XSS漏洞很少导致大规模数据泄露。 但是，在通过HackerOne支付的5500万美元的漏洞赏金中，有800万美元用于发现公司Web应用程序中的XSS漏洞。 这突显了这些漏洞的普遍性，因为它们每次检测所带来的回报却低于其他“更具破坏性”漏洞。

### 什么是跨站点脚本(XSS) **(**What is Cross-Site Scripting (XSS)**)** ###

![Cross-Site Scripting (XSS)][Cross-Site Scripting _XSS]

[Image Source][]

[图片来源][Image Source]

The Internet use many different methods to control access to sensitive of protected resources. One of these mechanisms is the same-origin policy. According to the same-origin policy, if content from a site is granted access to a protected resource, other content coming from the same place (same URI, domain, and port number) can take advantage of the same access without being granted specific permission. Cross-site scripting (XSS) attacks take advantage of this policy to gain unauthorized access to protected resources.

互联网使用许多不同的方法来控制对敏感受保护资源的访问。 这些机制之一是同源策略。 根据同源策略，如果授予站点内容访问受保护资源的权限，则来自同一位置的其他内容(相同的URI，域和端口号)可以利用相同的访问权限，而无需授予特定权限。 跨站点脚本(XSS)攻击利用此策略来获得对受保护资源的未授权访问。

There are several different types of cross-site scripting, but they all involve injection of malicious code into a trusted website. This code injection is made possible by vulnerabilities in the web application itself, the web server where the code is hosted, or any plug-ins that the application uses.

跨站点脚本有几种不同类型，但是它们都涉及将恶意代码注入到受信任的网站中。 通过Web应用程序本身，托管代码的Web服务器或应用程序使用的任何插件中的漏洞，可以实现这种代码注入。

When a user browses to an affected website, they receive both the legitimate code of the site as well as a malicious script injected by the attacker. Since all of this code comes from “the same place”, the single-origin policy means that the malicious code has access to the same data and resources as the legitimate website code. This gives the attacker access to any protected, sensitive data used by the legitimate page, which may be used to steal personal data (like credit card information) or data (like session cookies) that can allow the attacker to access the user’s account directly.

当用户浏览到受影响的网站时，他们会收到该网站的合法代码以及攻击者注入的恶意脚本。 由于所有这些代码都来自“同一地方”，因此单一来源策略意味着恶意代码可以访问与合法网站代码相同的数据和资源。 这使攻击者可以访问合法页面使用的任何受保护的敏感数据，这些数据可能被用来窃取个人数据(例如信用卡信息)或数据(例如会话cookie)，这些数据可以使攻击者直接访问用户的帐户。

### 保护您的Web应用 **(**Protecting Your Web Apps**)** ###

Cross-site scripting (XSS) and other web application vulnerabilities can be a severe threat to an organization’s network and data security. Web applications are designed to be publicly exposed on the Internet and act as a gatekeeper for protected data or functionality. If they are compromised by a hacker, they can act as a foothold for the attacker to expand their access onto the protected network and/or as a means of collecting sensitive user data.

跨站点脚本(XSS)和其他Web应用程序漏洞可能严重威胁组织的网络和数据安全。 Web应用程序被设计为在Internet上公开显示，并充当受保护数据或功能的网守。 如果它们受到黑客的攻击，它们可以充当攻击者的立足点，将其访问权限扩展到受保护的网络和/或作为收集敏感用户数据的手段。

Protecting against XSS vulnerabilities and other web application vulnerabilities listed on the OWASP Top Ten is one of the main features of a web application firewall (WAF). The attacks used to exploit these vulnerabilities are well-known and can be detected and prevented using a WAF.

抵御OWASP十佳列出的XSS漏洞和其他Web应用程序漏洞是Web应用程序防火墙(WAF)的主要功能之一。 用于利用这些漏洞的攻击是众所周知的，可以使用WAF进行检测和阻止。

However, the threat surface of a web application is not limited to the attacks included on OWASP’s Top Ten list. These other attack vectors are where the best WAFs stand out from the rest of the pack. Signature-based detection helps with known attacks, but a WAF also needs anomaly-based detection to identify and protect against unknown threats. Protecting a web application requires the ability to stop any attack, so choosing a strong WAF is a crucial aspect of any organization’s network security strategy.

但是，Web应用程序的威胁面不仅限于OWASP的“十佳”列表中包括的攻击。 这些其他攻击媒介是最佳WAF在其他产品中脱颖而出的地方。 基于签名的检测有助于已知攻击，但是WAF还需要基于异常的检测以识别并防御未知威胁。 保护Web应用程序需要能够阻止任何攻击，因此，选择强大的WAF是任何组织的网络安全策略的关键方面。

> 翻译自: [https://www.thecrazyprogrammer.com/2019/08/cross-site-scripting.html][https_www.thecrazyprogrammer.com_2019_08_cross-site-scripting.html]

[OWASP Top 10]: https://www.imperva.com/learn/application-security/owasp-top-10/
[According to the]: https://www.darkreading.com/vulnerabilities---threats/cross-site-scripting-errors-continue-to-be-most-common-web-app-flaw/d/d-id/1334935
[Cross-Site Scripting _XSS]: /images/20221123/f1b38f690d97458c9eaf31b3e9bc376f.png
[Image Source]: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/
[https_www.thecrazyprogrammer.com_2019_08_cross-site-scripting.html]: https://www.thecrazyprogrammer.com/2019/08/cross-site-scripting.html