Question
What is a clear explanation of the difference between server XSS and client XSS?
I read the explanation on the site of OWASP, but it wasn't very clear to me. I know the reflected, stored and DOM types.
Answer
First, to set the scene for anyone else finding the question, we have the text from the OWASP Types of Cross-Site Scripting page:
Server XSS occurs when untrusted user supplied data is included in an HTML response generated by the server. The source of this data could be from the request, or from a stored location. As such, you can have both Reflected Server XSS and Stored Server XSS.
In this case, the entire vulnerability is in server-side code, and the browser is simply rendering the response and executing any valid script embedded in it.
Client XSS occurs when untrusted user supplied data is used to update the DOM with an unsafe JavaScript call. A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM. The source of this data could be from the DOM, or it could have been sent by the server (via an AJAX call, or a page load). The ultimate source of the data could have been from a request, or from a stored location on the client or the server. As such, you can have both Reflected Client XSS and Stored Client XSS.
This redefines XSS into two categories: Server and Client.
Server XSS means that the data comes directly from the server onto the page. For example, the data containing the unsanitized text is from the HTTP response that made up the vulnerable page.
Client XSS means that the data comes from JavaScript which has manipulated the page. So it is JavaScript that has added the unsanitized text to the page, rather than it being in the page at that location when it was first loaded in the browser.
An ASP (or ASP.NET) page outputs a variable to the HTML page when generated, which is taken directly from the database:
<%=firstName %>
As firstName is not HTML encoded, a malicious user may have entered their first name as <script>alert('foo')</script>, causing a successful XSS attack.
Another example is the output of variables processed through the server without prior storage:
<%=Request.Form["FirstName"] %>
Client XSS example
<script type="text/javascript">
  // Fetches the first name from the server and writes it into the page.
  function loadXMLDoc() {
    var xmlhttp;
    if (window.XMLHttpRequest) {
      // code for IE7+, Firefox, Chrome, Opera, Safari
      xmlhttp = new XMLHttpRequest();
    } else {
      // code for IE6, IE5
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function() {
      if (xmlhttp.readyState == 4) {
        if (xmlhttp.status == 200) {
          // Vulnerable sink: the unencoded text/plain response is parsed as HTML.
          document.getElementById("myDiv").innerHTML = xmlhttp.responseText;
        } else if (xmlhttp.status == 400) {
          alert('There was an error 400');
        } else {
          alert('something else other than 200 was returned');
        }
      }
    };
    xmlhttp.open("GET", "get_first_name.aspx", true);
    xmlhttp.send();
  }
</script>
Note that our get_first_name.aspx method does no encoding of the returned data, as it is a web service method that is also used by other systems (content-type is set to text/plain). Our JavaScript code sets innerHTML to this value, so it is vulnerable to Client XSS. To avoid Client XSS in this instance, innerText should be used instead of innerHTML, which will not result in interpretation of HTML characters. It is even better to use textContent, as Firefox is not compatible with the non-standard innerText property.
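A hardened counterpart of the two cases in the answer, added here as an example (it is not code from the original answer or from OWASP): the server-side output is HTML-encoded before it reaches the response, and the client-side loader writes the fetched text through textContent instead of innerHTML. The helper names htmlEncode, renderFirstName and loadFirstName and the injectable xhrFactory parameter are assumptions for illustration; get_first_name.aspx and myDiv come from the answer.

```javascript
// Added example, not the answer's own code. Shows both fixes the answer implies:
// HTML-encode on the server side (Server XSS) and use textContent as the DOM
// sink on the client side (Client XSS). Helper names are assumptions.

// Server XSS fix: what the <%= firstName %> output needs before it is written
// into the HTML response (the equivalent of Server.HtmlEncode in ASP.NET).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Client XSS fix: textContent stores the string as text, so markup in the
// response is displayed literally instead of being parsed into the DOM.
function renderFirstName(element, name) {
  element.textContent = name;
  return element;
}

// Hardened version of loadXMLDoc(). The XMLHttpRequest factory is injectable
// (assumption for illustration) so the flow can be exercised without a browser.
function loadFirstName(element, xhrFactory = () => new XMLHttpRequest(),
                       url = "get_first_name.aspx") {
  const xhr = xhrFactory();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    if (xhr.status === 200) {
      renderFirstName(element, xhr.responseText);   // safe sink, not innerHTML
    } else {
      console.error("get_first_name.aspx returned HTTP " + xhr.status);
    }
  };
  xhr.open("GET", url, true);
  xhr.send();
  return xhr;
}

// Constructed sample: the payload from the answer, stored as a first name.
const SAMPLE_NAME = "<script>alert('foo')</script>";

// Stand-alone demonstration with a plain object standing in for the DOM element;
// in a page you would call loadFirstName(document.getElementById("myDiv")).
const demoElement = { textContent: "", innerHTML: "" };
renderFirstName(demoElement, SAMPLE_NAME);
console.log(htmlEncode(SAMPLE_NAME));   // &lt;script&gt;alert(&#39;foo&#39;)&lt;/script&gt;
console.log(demoElement.textContent);   // the raw string, shown as text; no script runs
```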