8月24日 | 英语翻译 | 关于Cross-Site Script大体介绍
前言:注重翻译,翻译目标信达雅支座前两者即可。
目录选择:
1.XSS漏洞是如何产生的?
翻译1:
Cross-Site Scripting (XSS) vulnerabilities
are some of the most common vulnerabilities
throughout the internet,and have appeared
as a direct response to the increasingamount of
user interaction in today’s web applications.
跨站脚本(XSS)漏洞是已经通过互联网
变成了最常见的漏洞之一
,并已经由于web应用中的用户交互量
而日益增加
翻译2:
At its core, an XSS attack functions
by taking advantage of the fact that
web applications execute scripts on
users’ browsers. Any type of dynamically
created script that isexecuted puts
a web application at risk if the script
being executed can be contaminated or
modified in any way—in particular
by an end user
XSS攻击的核心是利用web应用程序
在用户的浏览器上执行脚本。
动态创建的任何类型的脚本都可能是污染的,
以任何方式修改-特别是由终端用户
会使web应用程序处于危险之中
翻译3:
At its core, an XSS attack functions by taking advantage of the fact that web applications execute scripts on users’ browsers. Any type of dynamically created script that is executed puts a web application at risk if the script being executed can be contaminated or modified in any way—in particular by an end user.
XXS attacks are categorized a number of ways, with the big three being:
• Stored (the code is stored on a database prior to execution)
• Reflected (the code is not stored in a database, but reflected by a server)
• DOM-based (code is both stored and executed in the browser)
There are indeed categorical variations beyond this, but these three encompass the types of XSS that most modern web applications need to look out for on a regular basis. These three types of XSS attacks have been designated by committees like the Open Web Application Security Project (OWASP) as the most common XSS attack vectors on the web.
We will discuss all three of these further, but first let’s take a look at how an XSS attack could be generated and a bug enabling such an attack could be found.
XSS攻击的核心是利用web应用程序在用户的浏览器上执行脚本这一事实。如果执行的任何类型的动态创建的脚本可能以任何方式被污染或修改——特别是被终端用户——那么将使web应用程序处于危险之中。
XXS攻击可以分为几种方式,其中最主要的三种是:
• 存储(代码在执行前存储在数据库中)
• 反射(代码不存储在数据库中,而是被服务器反射)
• 基于dom的(代码在浏览器中存储和执行)
除此之外,确实还有其他种类的XSS,但这三种类型包含了大多数现代web应用程序需要定期注意的XSS类型。开放Web应用程序安全项目(OWASP)等委员会将这三种类型的跨站攻击指定为Web上最常见的跨站攻击向量。
我们将进一步讨论这三种攻击方式,但首先让我们看看如何生成XSS攻击,以及如何找到支持这种攻击的bug。
2.XSS漏洞是如何发现的?
翻译4:
XSS Discovery and Exploitation
Imagine you are unhappy with the level of service provided by mega-bank.com. Fortunately for you, mega-bank.com offers a customer support portal, support.megabank.com, where you can write feedback and hopefully hear back from a customer
support representative.
You write a comment in the support portal, with the following text:
I am not happy with the service provided by your bank.
I have waited 12 hours for my deposit to show up in the web application.
Please improve your web application.
Other banks will show deposits instantly.
—Unhappy Customer, support.mega-bank.com
XSS的发现和漏洞利用:
假设你对mega-bank.com提供的服务水平不满意。对你来说幸运的是,mega-bank.com提供了一个客户支持门户网站support - megabank.com,在那里你可以写下反馈,希望能得到客户的反馈
支持代表。
您可以在支持门户网站上写下评论,并附上以下文字:
我对贵行提供的服务不满意。
我已经等了12个小时,我的存款显示在网络应用程序。
请改进您的web应用程序。
其他银行会立即显示存款。
不满意客户,support.mega-bank.com
翻译5:
Now, in order to emphasize how unhappy you are with this fictional bank, you decide you want to bold a few words. Unfortunately the UI for submitting support requests does not support bolding text.
Because you are a little bit tech savvy, you try to add in some HTML bold tags:
I am not happy with the service provided by your bank.
I have waited 12 hours for my deposit to show up in the web application.
<strong>Please improve your web application.</strong>
Other banks will show deposits instantly.
—Unhappy Customer, support.mega-bank.com
After you press Enter, your support request is shown to you. The text inside the<strong></strong> tags has been bolded.
现在,为了强调你对这个虚构的银行有多不满意,你决定要加粗几个字。不幸的是,提交支持请求的UI不支持粗体文本。
因为你有点懂技术,你尝试添加一些HTML粗体标签:
我对贵行提供的服务不满意。
我已经等了12个小时,我的存款显示在网络应用程序。
.请改进您的web应用程序
其他银行会立即显示存款。
不满意客户,support.mega-bank.com
在按下Enter后,支持请求将显示给您。<strong></strong>标记内的文本已加粗。
翻译6:
A customer support representative soon messages you back:
Hello, I am Sam with MegaBank support.
I am sorry you are unhappy with our application.
We have a scheduled update next month on the fourth that should increase the speed at which deposits are reflected in our app.
By the way, how did you bold that text?
—Sam from Customer Support, support.mega-bank.com
What is happening here is actually pretty common in many web applications. Here
we have a very simple architectural mistake that can be deadly to a company if left alone until a hacker finds it.
一名客户支持代表很快给您回了消息:
大家好,我是MegaBank的Sam。
很遗憾你对我们的申请不满意。
我们将在下个月4日进行定期更新,应该会提高在我们的应用程序中反映存款的速度。
对了,你是怎么把那条短信加粗的?
-来自Support - mega-bank.com客服中心的山姆
这里发生的事情实际上在许多web应用程序中都很常见。在这里
我们有一个非常简单的架构错误,如果置之不理,直到黑客发现它,可能会对公司造成致命的影响。
翻译7:
user submits comment via web form ->
user comment is stored in database ->
comment is requested via HTTP request by one or more users ->
comment is injected into the page ->
injected comment is interpreted as DOM rather than text
用户通过web表单提交评论>
用户注释存储在数据库中>
comment由一个或多个用户通过HTTP请求>
注释被注入到页面—>
注入的注释被解释为DOM而不是文本
翻译8:
Usually this happens as a result of a developer literally applying the result of the HTTP request to the DOM. Frequently this is done by a script like the following:
/*
* Create a DOM node of type 'div.
* Append to this div a string to be interpreted as DOM rather than text.
*/
const comment = 'my <strong>comment</strong>';
const div = document.createElement('div');
div.innerHTML = comment;
/*
* Append the div to the DOM, with it the innerHTML DOM from the comment.
* Because the comment is interpreted as DOM, it will be parsed
* and translated into DOM elements upon load.
*/
const wrapper = document.querySelector('#commentArea');
wrapper.appendChild(div);
通常,这是因为开发人员将HTTP请求的结果应用到DOM。这通常是通过以下脚本完成的:
创建一个类型为'div '的DOM节点。
添加一个字符串到这个div,解释为DOM而不是文本。
将div附加到DOM,并附带注释中的innerHTML DOM。
因为注释被解释为DOM,所以它会被解析
并在加载时转换为DOM元素。
翻译9:
Because the text is appended literally to the DOM, it is interpreted as DOM markup rather than text. Our customer support request included a <strong></strong> tag in this case.
In a more malicious case, we could have caused a lot of havoc using the same vulnerability. Script tags are the most popular way to take advantage of XSS vulnerabilities, but there are many ways to take advantage of such a bug.
因为文本是按字面意思追加到DOM的,所以它被解释为DOM标记而不是文本。我们的客户支持请求在本例中包含了<strong></strong>标签。
在更恶意的情况下,我们可以使用相同的漏洞造成大量破坏。脚本标记是利用XSS漏洞的最流行的方法,但是也有许多方法可以利用这种漏洞。
浙公网安备 33010602011771号