Cross-Site Scripting (XSS) is an injection attack in which program code is added to a web page. If the injection succeeds, the injected code runs whenever another user opens the page, and can be used to steal data.
The scripts commonly used for testing are:
- ><script>alert(document.cookie)</script>
- "><script>alert(document.cookie)</script>
- <script>alert(document.cookie)</script>
- <script>alert (vulnerable)</script>
- %3Cscript%3Ealert('XSS')%3C/script%3E
- <script>alert('XSS')</script>
- <img src="javascript:alert('XSS')">
- <img src="http://xxx.com/yyy.png" onerror="alert('XSS')">
For developers, the best protection is content filtering: either encode the untrusted content before it is written to the page, or reject it with a validation error.
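As an added example (not code from the original post), the following JavaScript contrasts a naive script-tag filter with the two defences named above, output encoding and decode-then-validate, using the test strings listed above as constructed input; the function names are assumptions.

```javascript
// The post's test strings, embedded here as constructed sample input.
const TEST_PAYLOADS = [
  '><script>alert(document.cookie)</script>',
  '"><script>alert(document.cookie)</script>',
  '<script>alert(document.cookie)</script>',
  "<script>alert('XSS')</script>",
  "%3Cscript%3Ealert('XSS')%3C/script%3E",
  '<img src="javascript:alert(\'XSS\')">',
  '<img src="http://xxx.com/yyy.png" onerror="alert(\'XSS\')">',
];

// Blocklist filter that only strips literal <script> tags. Kept to show what
// it misses: the URL-encoded sample and tags that execute via event handlers.
function naiveStripScript(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// Common ordering bug: filter the raw parameter, URL-decode it later. Returns
// true when a tag (a raw '<') still reaches the page.
function survivesNaiveFilter(input) {
  return /</.test(decodeURIComponent(naiveStripScript(input)));
}

// Output encoding: replace the five characters that can end a text node or a
// quoted attribute value. This is what the post means by "encode".
function encodeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Encode at output time, once per context: here a text node and a
// double-quoted attribute of a fixed template.
function renderComment(untrusted) {
  const safe = encodeHtml(untrusted);
  return `<p title="${safe}">${safe}</p>`;
}

// Validation-error path: decode first, then reject a value that a plain
// comment field never needs. Malformed percent-encoding is rejected too.
function isRejectedAfterDecoding(input) {
  let decoded;
  try { decoded = decodeURIComponent(input); } catch (e) { return true; }
  return /[<>]/.test(decoded);
}
```

Run over the eight-item list, the naive filter lets the encoded and the two img samples through, while every encoded output is free of the characters that could close the surrounding text node or attribute.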