document<\/code>\u6216\u811a\u672c\uff0c\u5bf9\u5f53\u524ddocument<\/code>\u8bfb\u53d6\u6216\u8bbe\u7f6e\u67d0\u4e9b\u5c5e\u6027\u3002<\/strong><\/p>\n\u5f71\u54cd\u201c\u6e90\u201d\u7684\u56e0\u7d20\u6709\uff1ahost\uff08\u57df\u540d\u6216ip\uff09\u3001\u5b50\u57df\u540d\u3001\u7aef\u53e3\u3001\u534f\u8bae\u3002<\/p>\n
\u5bf9\u4e8e\u5f53\u524d\u9875\u9762\u6765\u8bf4\uff0c\u9875\u9762\u5185\u5b58\u653eJavaScript\u6587\u4ef6\u7684\u57df\u5e76\u4e0d\u91cd\u8981\uff0c\u91cd\u8981\u7684\u662f\u52a0\u8f7dJavaScript\u7684\u9875\u9762\u6240\u5728\u7684\u57df\u662f\u4ec0\u4e48\u3002<\/p>\n
\u5728\u6d4f\u89c8\u5668\u4e2d\uff0c<script> <img> <iframe> <link><\/code>\u7b49\u6807\u7b7e\u90fd\u53ef\u4ee5\u8de8\u57df\u52a0\u8f7d\u8d44\u6e90\uff0c\u800c\u4e0d\u53d7\u540c\u6e90\u7b56\u7565\u9650\u5236\u3002\u8fd9\u4e9b\u5e26\u201csrc\u201d\u5c5e\u6027\u7684\u6807\u7b7e\u6bcf\u6b21\u52a0\u8f7d\u65f6\uff0c\u6d4f\u89c8\u5668\u53d1\u8d77\u4e00\u6b21GET\u8bf7\u6c42\u3002
\n\u4e0d\u540c\u4e8eXMLHttpRequest\uff0c\u901a\u8fc7src<\/code>\u5c5e\u6027\u52a0\u8f7d\u7684\u8d44\u6e90\uff0c\u6d4f\u89c8\u5668\u9650\u5236\u4e86JavaScript\u7684\u6743\u9650\uff0c\u4f7f\u5176\u4e0d\u80fd\u8bfb\u3001\u5199\u8fd4\u56de\u7684\u5185\u5bb9\u3002<\/p>\nFlash \u4e3b\u8981\u662f\u901a\u8fc7\u76ee\u6807\u7f51\u7ad9\u63d0\u4f9b\u7684crossdomain.xml<\/code>\u6587\u4ef6\u6765\u5224\u65ad\u662f\u5426\u5141\u8bb8\u5f53\u524d\u201c\u6e90\u201d\u7684Flash\u8de8\u57df\u8bbf\u95ee\u76ee\u6807\u8d44\u6e90\u3002
\n<\/p>\n\u6d4f\u89c8\u5668\u6c99\u7bb1<\/h2>\n
Sandbox \u5373\u6c99\u7bb1\uff0c\u5df2\u7ecf\u6210\u4e3a\u6cdb\u6307\u201c\u8d44\u6e90\u9694\u79bb\u7c7b\u6a21\u5757\u201d\u7684\u4ee3\u540d\u8bcd\u3002
\nSandbox \u7684\u8bbe\u8ba1\u76ee\u7684\u4e00\u822c\u662f\u4e3a\u4e86\u8ba9\u4e0d\u53ef\u4fe1\u4efb\u7684\u4ee3\u7801\u8fd0\u884c\u5728\u4e00\u5b9a\u7684\u73af\u5883\u4e2d\uff0c\u9650\u5236\u4e0d\u53ef\u4fe1\u4efb\u7684\u4ee3\u7801\u8bbf\u95ee\u9694\u79bb\u533a\u4e4b\u5916\u7684\u8d44\u6e90\u3002<\/p>\n
\u5982\u679c\u4e00\u5b9a\u8981\u8de8\u57dfSandbox\u8fb9\u754c\u4ea7\u751f\u6570\u636e\u4ea4\u6362\uff0c\u5219\u53ea\u80fd\u901a\u8fc7\u6307\u5b9a\u7684\u6570\u636e\u901a\u9053\uff0c\u6bd4\u5982\u7ecf\u8fc7\u5c01\u88c5\u7684API\u6765\u5b8c\u6210\uff0c\u5728\u8fd9\u4e9bAPI\u4e2d\u4e25\u683c\u68c0\u67e5\u8bf7\u6c42\u7684\u5408\u6cd5\u6027\u3002<\/p>\n
\u6076\u610f\u7f51\u5740\u62e6\u622a<\/h2>\n
\u57fa\u4e8e \u9ed1\u540d\u5355<\/em> \u7684\u3002
\n\u6076\u610f\u7f51\u5740\u62e6\u622a\u4e3b\u8981\u662f\u6d4f\u89c8\u5668\u5468\u671f\u6027\u5730\u4ece\u670d\u52a1\u5668\u7aef\u83b7\u53d6\u4e00\u4efd\u6700\u65b0\u7684\u6076\u610f\u7f51\u5740\u540d\u5355\uff0c\u5982\u679c\u7528\u6237\u8981\u8bbf\u95ee\u7684\u7f51\u5740\u5b58\u5728\u4e8e\u9ed1\u540d\u5355\uff0c\u5219\u5f39\u51fa\u4e00\u4e2a\u8b66\u544a\u9875\u9762\u3002<\/p>\n\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff08XSS\uff09<\/h1>\nXSS\u7b80\u4ecb<\/h2>\n
XSS \u5168\u79f0\u662fCross Site Script\uff0c\u4e3a\u4e0e\u5c42\u53e0\u6837\u5f0f\u8868CSS\u533a\u5206\uff0c\u53ebXSS\u3002<\/p>\n
XSS\u653b\u51fb\uff0c\u901a\u5e38\u662f\u6307\u9ed1\u5ba2\u901a\u8fc7\u201cHTML\u6ce8\u5165\u201d\u7be1\u6539\u4e86\u7f51\u9875\uff0c\u63d2\u5165\u6076\u610f\u7684\u811a\u672c\uff0c\u4ece\u800c\u5728\u7528\u6237\u6d4f\u89c8\u7f51\u9875\u65f6\uff0c\u63a7\u5236\u7528\u6237\u6d4f\u89c8\u5668\u7684\u4e00\u79cd\u653b\u51fb\u65b9\u5f0f\u3002<\/p>\n
\u8fd9\u79cd\u653b\u51fb\u7684\u6f14\u793a\u65b9\u5f0f\u4e00\u5f00\u59cb\u662f\u8de8\u57df\u7684\uff0c\u7531\u4e8e\u73b0\u5728JavaScript\u7684\u5f3a\u5927\u529f\u80fd\u4ee5\u53ca\u7f51\u7ad9\u524d\u7aef\u5e94\u7528\u7684\u590d\u6742\u5316\uff0c\u662f\u5426\u8de8\u57df\u5df2\u7ecf\u4e0d\u518d\u91cd\u8981\u3002<\/p>\n
XSS\u5206\u7c7b<\/h2>\n\n- \u53cd\u5c04\u578bXSS\u3002\u7b80\u5355\u5730\u628a\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\u201c\u53cd\u5c04\u201d\u7ed9\u6d4f\u89c8\u5668\u3002\u9700\u8981\u7528\u6237\u70b9\u51fb\u624d\u80fd\u653b\u51fb\u6210\u529f\u3002<\/li>\n
- \u5b58\u50a8\u578bXSS\u3002\u628a\u7528\u6237\u8f93\u5165\u6570\u636e\u201c\u5b58\u50a8\u201d\u5728\u670d\u52a1\u5668\u7aef\u3002\u4e5f\u53eb\u6301\u4e45\u578bXSS\u3002<\/li>\n
- DOM Based XSS\u3002\u901a\u8fc7\u4fee\u6539\u9875\u9762\u7684DOM\u8282\u70b9\u6765\u5f62\u6210XSS\u3002\u79f0\u4e3aDOM Based XSS\u3002<\/li>\n<\/ul>\n
XSS \u653b\u51fb\u8fdb\u9636<\/h2>\n
XSS\u653b\u51fb\u6210\u529f\u540e\uff0c\u653b\u51fb\u8005\u80fd\u591f\u5bf9\u7528\u6237\u5f53\u524d\u6d4f\u89c8\u7684\u9875\u9762\u690d\u5165\u6076\u610f\u811a\u672c\uff0c\u901a\u8fc7\u6076\u610f\u811a\u672c\uff0c\u63a7\u5236\u7528\u6237\u7684\u6d4f\u89c8\u5668\u3002\u8fd9\u4e9b\u7528\u4e8e\u5b8c\u6210\u5404\u79cd\u5177\u4f53\u529f\u80fd\u7684\u6076\u610f\u811a\u672c\uff0c\u88ab\u79f0\u4e3a\u201cXSS Payload \u201d\u3002<\/p>\n
Cookie \u52ab\u6301<\/h3>\n
Cookie\u4e2d\u4e00\u822c\u52a0\u5bc6\u4fdd\u5b58\u4e86\u7528\u6237\u7684\u767b\u5f55\u51ed\u8bc1\uff0c\u901a\u8fc7\u8bfb\u53d6\u6d4f\u89c8\u5668\u7684Cookie\u5bf9\u8c61\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4e0d\u901a\u8fc7\u5bc6\u7801\u800c\u76f4\u63a5\u767b\u5f55\u8fdb\u7528\u6237\u7684\u8d26\u6237\u3002<\/p>\n
\u653b\u51fb\u8fc7\u7a0b<\/h4>\n\n- \u653b\u51fb\u8005\u5148\u8fdc\u7a0b\u52a0\u8f7d\u4e00\u6bb5\u811a\u672c\uff0c\u771f\u6b63\u7684XSS Payload \u5199\u5728\u8fd9\u4e2a\u811a\u672c\u91cc\uff0c\u907f\u514d\u5728URL\u7684\u53c2\u6570\u91cc\u5199\u5165\u5927\u91cf\u7684JavaScript\u4ee3\u7801\u3002<\/li>\n
- \u5728\u811a\u672c\u91cc\u8bfb\u53d6Cookie\u5bf9\u8c61\uff0c\u6784\u5efa\u4e00\u4e2a
img<\/code>\u5143\u7d20\uff0c\u8fd9\u4e2a\u5143\u7d20\u7684URL\u91cc\u5305\u542b\u4e86Cookie\uff0c\u5e76\u6307\u5411\u6076\u610f\u7684\u670d\u52a1\u5668\uff1b\u63d2\u5165HTML DOM\uff0c\u6d4f\u89c8\u5668\u52a0\u8f7d\u8fd9\u4e2a\u56fe\u50cf\uff0c\u5c31\u628aCookie\u53d1\u9001\u5230\u4e86\u653b\u51fb\u8005\u7684\u670d\u52a1\u5668\u3002<\/li>\n- \u653b\u51fb\u8005\u5728\u670d\u52a1\u5668\u4e0a\u53ef\u4ee5\u83b7\u53d6\u5230\u7528\u6237Cookie\uff0c\u5229\u7528\u8fd9\u4e2aCookie\u66ff\u6362\u6389\u81ea\u5df1\u6d4f\u89c8\u5668\u7684Cookie\u5c31\u53ef\u4ee5\u767b\u5f55\u7528\u6237\u8d26\u6237\u4e86\u3002<\/li>\n<\/ol>\n
\u5e94\u5bf9\u63aa\u65bd<\/h4>\n\n- \u5728Cookie\u91cc\u7ed1\u5b9a\u5ba2\u6237\u7aef\u4fe1\u606f\uff0c\u5982\u5ba2\u6237\u7aefIP\u3001\u6d4f\u89c8\u5668\u7c7b\u578b\u7b49\u3002<\/li>\n
- \u5229\u7528Cookie\u7684
HttpOnly<\/code>\u6807\u8bc6\u9632\u6b62\u201cCookie\u52ab\u6301\u201d\u3002<\/li>\n<\/ul>\n\u6784\u5efaGet\u4e0ePOST\u8bf7\u6c42<\/h3>\n
\u8fd9\u79cd\u653b\u51fb\u65b9\u5f0f\u662f\u6307\u653b\u51fb\u8005\u6784\u5efaHTTP GET\u6216POST\u8bf7\u6c42\u6765\u8fdb\u884c\u7834\u574f\u3002\u5728\u5177\u4f53\u7684\u653b\u51fb\u4e2d\uff0c\u653b\u51fb\u8005\u901a\u8fc7XSS\u8bf1\u4f7f\u7528\u6237\u6267\u884cXSS Payload \u3002<\/p>\n
\u6784\u5efaHTTP GET\uff1a<\/p>\n
\nvar img = document.createElement(\"img\");\nimg.src = \"http:\/\/bolg.sohu.com\/manage\/entry.do?m=delete&id=123456\";\ndocument.body.appendChild(img);\n<\/code><\/pre>\n\u6784\u5efaHTTP POST\uff1a<\/p>\n
\nvar dd= document.createElement(\"div\");\ndocument.body.apendChild(dd);\ndd.innerHTML = '<form action=\"\" method=\"post\" id=\"xssform\" name=\"mbform\">' + \n '<input type=\"hidden\" value=\"JiUY\" name=\"ck\" \/>' + \n '<input type=\"text\" value=\"test value\" name=\"mb_text\" \/>' + \n '<\/form>';\n\ndocument.getElementById('xssform').submit();\n<\/code><\/pre>\n\u901a\u8fc7\u6784\u5efaGET\u4e0ePost \u8bf7\u6c42\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u7834\u574f\u7528\u6237\u6570\u636e\uff0c\u6216\u8005\u7a83\u53d6\u7528\u6237\u6570\u636e\u5e76\u53d1\u9001\u5230\u81ea\u5df1\u7684\u670d\u52a1\u5668\u3002<\/p>\n
XSS\u9493\u9c7c<\/h3>\n
\u524d\u9762\u7684\u653b\u51fb\u662f\u901a\u8fc7\u811a\u672c\u81ea\u52a8\u5b8c\u6210\uff0c\u7f3a\u5c11\u4e0e\u7528\u6237\u7684\u4ea4\u4e92\u8fc7\u7a0b\u3002<\/p>\n
\u5bf9\u4e8e\u63d0\u4ea4\u8868\u5355\u9700\u8981\u9a8c\u8bc1\u7801\u7684\u60c5\u51b5\uff0cXSS Payload \u53ef\u4ee5\u8bfb\u53d6\u9875\u9762\u5185\u5bb9\uff0c\u8bb2\u9a8c\u8bc1\u7801\u7684\u56fe\u7247URL\u53d1\u9001\u5230\u8fdc\u7a0b\u670d\u52a1\u5668\uff0c\u653b\u51fb\u8005\u5728\u8fdc\u7a0bXSS\u540e\u53f0\u63a5\u6536\u5f53\u524d\u9a8c\u8bc1\u7801\uff0c\u5e76\u5c06\u9a8c\u8bc1\u7801\u7684\u503c\u8fd4\u56de\u7ed9\u5f53\u524d\u7684XSS Payload \uff0c\u4ece\u800c\u7ed5\u8fc7\u9a8c\u8bc1\u7801\u3002<\/p>\n
XSS\u9493\u9c7c\u662f\u6307\u653b\u51fb\u8005\u5229\u7528XSS Payload \u4f2a\u9020\u51fa\u4e00\u4e9b\u4ea4\u4e92\u7684\u9875\u9762\uff0c\u5f15\u8bf1\u7528\u6237\u8f93\u5165\u4ed6\u4eec\u60f3\u8981\u7684\u6570\u636e\uff0c\u5982\u4f2a\u9020\u767b\u9646\u6846\uff0c\u5f15\u8bf1\u7528\u6237\u8f93\u5165\u5bc6\u7801\u3002<\/p>\n
\u5145\u5206\u53d1\u6325\u60f3\u8c61\u529b\uff0c\u53ef\u4ee5\u4f7f\u5f97XSS\u653b\u51fb\u7684\u5a01\u529b\u66f4\u5de8\u5927\u3002<\/strong><\/p>\n\u8bc6\u522b\u7528\u6237\u6d4f\u89c8\u5668<\/h3>\n
\u653b\u51fb\u8005\u4e3a\u4e86\u83b7\u53d6\u66f4\u5927\u5229\u76ca\uff0c\u5f80\u5f80\u9700\u8981\u51c6\u786e\u5730\u6536\u96c6\u7528\u6237\u7684\u4e2a\u4eba\u4fe1\u606f\u3002\u6bd4\u5982\uff0c\u5982\u679c\u77e5\u9053\u7528\u6237\u4f7f\u7528\u7684\u6d4f\u89c8\u5668\u3001\u64cd\u4f5c\u7cfb\u7edf\uff0c\u653b\u51fb\u8005\u5c31\u6709\u53ef\u80fd\u5b9e\u65bd\u4e00\u6b21\u7cbe\u51c6\u7684\u6d4f\u89c8\u5668\u5185\u5b58\u653b\u51fb\uff0c\u6700\u7ec8\u7ed9\u7528\u6237\u7535\u8111\u690d\u5165\u4e00\u4e2a\u6728\u9a6c\u3002<\/p>\n
\u901a\u8fc7JavaScript\u811a\u672c\u8bc6\u522b\u6d4f\u89c8\u5668\uff0c\u6700\u76f4\u63a5\u7684\u662f\u901a\u8fc7XSS\u8bfb\u53d6\u6d4f\u89c8\u5668\u7684UserAgent\u5bf9\u8c61\uff0c\u4f46\u6d4f\u89c8\u5668\u7684UserAgent\u662f\u53ef\u4ee5\u4f2a\u9020\u7684\u3002\u653b\u51fb\u8005\u901a\u8fc7\u53e6\u4e00\u79cd\u65b9\u6cd5\u8bc6\u522b\u6d4f\u89c8\u5668\u3002<\/p>\n
\u7531\u4e8e\u6d4f\u89c8\u5668\u4e4b\u95f4\u7684\u5b9e\u73b0\u5b58\u5728\u5dee\u5f02\uff0d\uff0d\u4e0d\u540c\u6d4f\u89c8\u5668\u4f1a\u5b9e\u73b0\u4e00\u4e9b\u72ec\u7279\u7684\u529f\u80fd\uff0c\u800c\u540c\u4e00\u4e2a\u6d4f\u89c8\u5668\u7684\u4e0d\u540c\u7248\u672c\u4e4b\u95f4\u4e5f\u53ef\u80fd\u4f1a\u5b58\u5728\u7ec6\u5fae\u5dee\u522b\u3002\u901a\u8fc7\u5206\u8fa8\u8fd9\u4e9b\u6d4f\u89c8\u5668\u4e4b\u95f4\u7684\u5dee\u5f02\uff0c\u5c31\u80fd\u51c6\u786e\u5730\u5224\u65ad\u51fa\u6d4f\u89c8\u5668\u7248\u672c\u3002<\/p>\n
\u8bc6\u522b\u7528\u6237\u5b89\u88c5\u7684\u8f6f\u4ef6<\/h3>\n
\u5728IE\u4e2d\uff0c\u53ef\u4ee5\u901a\u8fc7\u5224\u65adActiveX\u63a7\u4ef6\u7684classid\u662f\u5426\u5b58\u5728\u6765\u63a8\u6d4b\u7528\u6237\u662f\u5426\u5b89\u88c5\u4e86\u8be5\u8f6f\u4ef6\u3002<\/p>\n
Firefox\u7684\u63d2\u4ef6\u5217\u8868\u5b58\u653e\u5728\u4e00\u4e2aDOM\u5bf9\u8c61\u4e2d\uff0c\u901a\u8fc7\u67e5\u8be2DOM\u5bf9\u8c61\u53ef\u4ee5\u904d\u5386\u51fa\u6240\u6709\u7684\u63d2\u4ef6\u5217\u8868\u3002<\/p>\n
XSS Worm<\/h3>\n
XSS Worm\u662fXSS\u7684\u4e00\u79cd\u7ec8\u6781\u5229\u7528\u65b9\u5f0f\u3002<\/p>\n
\u4e00\u822c\u6765\u8bf4\uff0c\u7528\u6237\u4e4b\u95f4\u53d1\u751f\u4ea4\u4e92\u884c\u4e3a\u7684\u9875\u9762\uff0c\u5982\u679c\u5b58\u5728\u5b58\u50a8\u578bXSS\uff0c\u5219\u6bd4\u8f83\u5bb9\u6613\u53d1\u8d77XSS Worm\u653b\u51fb\u3002<\/strong><\/p>\nXSS \u6784\u9020\u6280\u5de7<\/h2>\n\u5229\u7528\u5b57\u7b26\u7f16\u7801<\/h3>\n
\u767e\u5ea6\u641c\u85cf\u5728\u4e00\u4e2a<Script><\/code>\u6807\u7b7e\u4e2d\u8f93\u51fa\u4e86\u4e00\u4e2a\u53d8\u91cf\uff0c\u5176\u4e2d\u8f6c\u4e49\u4e86\u53cc\u5f15\u53f7\uff1avar redirectUrl = \"\\\";alert(\/XSS\/);\";<\/code>
\n\u4e00\u822c\u6765\u8bf4\uff0c\u8fd9\u91cc\u6ca1\u6709XSS\u6f0f\u6d1e\uff0c\u56e0\u4e3a\u53d8\u91cf\u5904\u4e8e\u53cc\u5f15\u53f7\u4e4b\u5185\uff0c\u7cfb\u7edf\u8f6c\u4e49\u4e86\u53cc\u5f15\u53f7\u5bfc\u81f4\u53d8\u91cf\u65e0\u6cd5escape<\/code>\u3002<\/p>\n\u4f46\u662f\u767e\u5ea6\u8fd4\u56de\u7684\u9875\u9762\u662fGBK\/GB2312<\/code>\u7f16\u7801\u7684\uff0c\u56e0\u6b64 \"%c1\\\"<\/code> \u8fd9\u4e24\u4e2a\u5b57\u7b26\u7ec4\u5408\u5728\u4e00\u8d77\u540e\uff0c\u4f1a\u53d8\u6210\u4e00\u4e2aUnicode\u5b57\u7b26\u3002\u5728Firefox\u4e0b\u4f1a\u88ab\u8ba4\u4e3a\u662f\u4e00\u4e2a\u5b57\u7b26\u3002
\n\u6240\u4ee5\u6784\u9020\uff1a %c1\";alert(\/XSS\/);\";<\/code>\u3002
\n\u8fd9\u4e24\u4e2a\u5b57\u8282\"%c1\\\"<\/code>\u7ec4\u6210\u4e00\u4e2a\u65b0\u7684Unicode\u5b57\u7b26\uff0c\u628a\u8f6c\u4e49\u7b26\u53f7\\<\/code>\u7ed9\u5403\u6389\u4e86\uff0c\u4ece\u800c\u7ed5\u8fc7\u4e86\u7cfb\u7edf\u7684\u5b89\u5168\u68c0\u67e5\u3002<\/p>\n\u7ed5\u8fc7\u957f\u5ea6\u9650\u5236<\/h3>\n
\u4ea7\u751fXSS\u7684\u5730\u65b9\u4f1a\u6709\u53d8\u91cf\u7684\u957f\u5ea6\u9650\u5236\uff0c\u8fd9\u4e2a\u9650\u5236\u53ef\u80fd\u662f\u670d\u52a1\u5668\u7aef\u903b\u8f91\u9020\u6210\u7684\u3002<\/p>\n
\u7ed5\u8fc7\u65b9\u6cd5\uff1a<\/p>\n
\n- \u5229\u7528\u4e8b\u4ef6\uff08event\uff09\u6765\u7f29\u77ed\u9700\u8981\u7684\u5b57\u8282\u6570\u3002<\/li>\n
- \u628aXSS Payload \u5199\u5728\u522b\u5904\uff0c\u518d\u901a\u8fc7\u7b80\u77ed\u7684\u4ee3\u7801\u52a0\u8f7dXSS Payload\u3002<\/li>\n<\/ul>\n
\u6700\u5e38\u7528\u7684\u4e00\u4e2a\u201c\u85cf\u4ee3\u7801\u201d\u7684\u5730\u65b9\uff0c\u5c31\u662flocation.hash<\/code>\u3002\u800c\u4e14\u6839\u636eHTTP\u534f\u8bae\uff0clocation.hash<\/code>\u7684\u5185\u5bb9\u4e0d\u4f1a\u5728HTTP\u5305\u4e2d\u53d1\u9001\uff0c\u6240\u4ee5\u670d\u52a1\u5668\u7aef\u7684web\u65e5\u5fd7\u5e76\u4e0d\u4f1a\u8bb0\u5f55\u4e0b location.hash<\/code>\u7684\u5185\u5bb9\uff0c\u4ece\u800c\u66f4\u597d\u9690\u85cf\u9ed1\u5ba2\u7684\u771f\u5b9e\u610f\u56fe\u3002<\/p>\n\u6784\u9020\u4e00\u4e2a\u5730\u5740\uff1a http:\/\/www.a.com\/test.html#alert(1)<\/code>\uff0c\u5bf9\u4e8e\u76f4\u63a5\u8f93\u51fa\u7684$var\u7684html <input type=\"text\" value=\"$var\" \/><\/code>\uff0c
\n\u53ef\u4ee5\u6784\u9020\u4e00\u4e2a\u6ce8\u5165\uff1a\" onclick=\"eval(location.hash.substr(1))<\/code>\uff0c\u90a3\u4e48\u6ce8\u5165\u4e4b\u540e\u8f93\u51fa\u7684html\u4e3a\uff1a <input type=\"text\" value=\"\" onclick=\"eval(location.hash.substr(1))\" \/><\/code>\u3002\uff08\u56e0\u4e3alocation.hash\u7684\u7b2c\u4e00\u4e2a\u5b57\u7b26\u662f#<\/code>\uff0c\u6240\u4ee5\u5fc5\u987b\u5148\u53bb\u9664\u3002\uff09<\/p>\n\u4f7f\u7528<base><\/code>\u6807\u7b7e<\/h3>\n<base><\/code> \u7528\u4e8e\u5b9a\u4e49\u9875\u9762\u4e0a\u6240\u6709\u4f7f\u7528\u201c\u76f8\u5bf9\u8def\u5f84\u201d\u7684\u6807\u7b7e\u7684hosting\u5730\u5740\u3002<base><\/code>\u6807\u7b7e\u53ef\u51fa\u73b0\u5728\u9875\u9762\u7684\u4efb\u4f55\u5730\u65b9\uff0c\u5e76\u4f5c\u7528\u4e8e\u4f4d\u4e8e\u8be5\u6807\u7b7e\u4e4b\u540e\u7684\u6240\u6709\u6807\u7b7e\u3002<\/p>\n\u653b\u51fb\u8005\u5982\u679c\u5728\u9875\u9762\u4e2d\u63d2\u5165\u4e86<base><\/code>\u6807\u7b7e\uff0c\u5c31\u53ef\u4ee5\u5728\u8fdc\u7a0b\u670d\u52a1\u5668\u4e0a\u4f2a\u9020\u56fe\u7247\u3001\u94fe\u63a5\u6216\u811a\u672c\uff0c\u52ab\u6301\u5f53\u524d\u9875\u9762\u4e2d\u4f7f\u7528\u201c\u76f8\u5bf9\u8def\u5f84\u201d\u7684\u6807\u7b7e\u3002<\/p>\n\u5982\u679c\u7528\u6237\u80fd\u63a7\u5236\u8f93\u5165\uff0c\u5219\u5fc5\u7136\u4f1a\u4ea7\u751fXSS\u3002<\/strong>
\n\u5728\u6807\u7b7e\u9009\u62e9\u4e0a\uff0c\u5e94\u8be5\u4f7f\u7528\u767d\u540d\u5355\uff0c\u907f\u514d\u4f7f\u7528\u9ed1\u540d\u5355\u3002<\/strong><\/p>\nXSS\u9632\u5fa1<\/h3>\n
XSS\u7684\u672c\u8d28\u662f\u4e00\u79cd\u201cHTML\u6ce8\u5165\u201d\uff0c\u7528\u6237\u7684\u6570\u636e\u88ab\u5f53\u4f5cHTML\u4ee3\u7801\u7684\u4e00\u90e8\u5206\u6765\u6267\u884c\u3002<\/p>\n
\n- \u8bbe\u7f6eCookie\u7684
HttpOnly<\/code>\u5c5e\u6027\uff0c\u8fd9\u4e2a\u5c5e\u6027\u4f7f\u6d4f\u89c8\u5668\u7981\u6b62\u9875\u9762\u7684JavaScript\u8bbf\u95eeCookie\u3002<\/li>\n- \u8f93\u5165\u68c0\u67e5\uff0c\u8f93\u5165\u68c0\u67e5\u7684\u903b\u8f91\u5fc5\u987b\u653e\u5728\u670d\u52a1\u5668\u7aef\u5b8c\u6210\uff0c\u4e3b\u8981\u68c0\u67e5\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\u4e2d\u662f\u5426\u5305\u542b\u7279\u6b8a\u7684\u5b57\u7b26\uff0c\u8981\u6839\u636e\u5177\u4f53\u8bed\u5883\u8fdb\u884c\u5904\u7406\u3002<\/li>\n
- \u8f93\u51fa\u68c0\u67e5\uff0c\u8981\u5bf9\u8f93\u51fa\u8fdb\u884c\u6070\u5f53\u7684\u7f16\u7801\u3002<\/li>\n<\/ul>\n
\u8de8\u7ad9\u70b9\u8bf7\u6c42\u4f2a\u9020\uff08CSRF\uff09<\/h1>\n
CRSF\u7684\u5168\u79f0\u7684 Cross Size Request Forgery\u3002<\/p>\n
\u6d4f\u89c8\u5668\u7684Cookie\u7b56\u7565<\/h3>\n
\u6d4f\u89c8\u5668\u6240\u6301\u6709\u7684Cookie\u5206\u4e3a\u4e24\u79cd\uff1a\u4e00\u79cd\u662fSession Cookie\uff0c\u53c8\u79f0\u4e3a\u4e34\u65f6Cookie\uff1b\u53e6\u4e00\u79cd\u662fThird-party Cookie\uff0c\u4e5f\u79f0\u4e3a\u672c\u5730Cookie\u3002<\/p>\n
\u4e24\u8005\u7684\u533a\u522b\u5728\u4e8e\uff1aThird -party Cookie\u662f\u670d\u52a1\u5668\u5728Set -Cookie\u65f6\u6307\u5b9a\u4e86Expire\u65f6\u95f4\uff0c\u53ea\u6709\u5230\u4e86Expire\u65f6\u95f4\u540eCookie\u624d\u4f1a\u5931\u6548\uff0c\u8fd9\u79cdCookie\u4f1a\u4fdd\u5b58\u5728\u672c\u5730\u3002
\nSession Cookie\u5219\u6ca1\u6709\u6307\u5b9aExpire\u65f6\u95f4\uff0c\u6d4f\u89c8\u5668\u5173\u95ed\u540e\uff0cSession Cookie\u5c31\u5931\u6548\u4e86\u3002Session Cookie\u4fdd\u5b58\u5728\u6d4f\u89c8\u5668\u8fdb\u7a0b\u7684\u5185\u5b58\u7a7a\u95f4\u4e2d\uff0c\u5728\u6d4f\u89c8\u5668\u8fdb\u7a0b\u7684\u751f\u547d\u5468\u671f\u5185\uff0c\u5373\u4f7f\u6d4f\u89c8\u5668\u65b0\u6253\u5f00\u4e86Tab\u9875\uff0cSession Cookie\u4e5f\u662f\u6709\u6548\u7684\u3002<\/p>\n
\u5bf9\u4e8esession cookie\uff0c\u6d4f\u89c8\u5668\u8bbf\u95ee\u7ad9\u70b9\u65f6\u9ed8\u8ba4\u4f1a\u53d1\u9001\u3002
\n\u5bf9\u4e8eThird-party Cookie\uff0cIE678\uff0cSafari\u6d4f\u89c8\u5668\u7981\u6b62\u5728<img>, <iframe>, <script>, <link><\/code> \u7b49\u6807\u7b7e\u4e2d\u53d1\u9001\uff0c\u4f46Firefox2\u30013\uff0cChrome\uff0cOpera\u5219\u5141\u8bb8\u3002<\/p>\n\u5982\u679c\u83b7\u53d6\u5230Cookie\u5c31\u80fd\u8fdb\u884cCSRF\uff0c\u8981\u7279\u522b\u7559\u610f\u4e0d\u540c\u6d4f\u89c8\u5668\u7684Cookie\u7b56\u7565\u4e86\u3002<\/p>\n
P3P\u5934\u7684\u526f\u4f5c\u7528<\/h3>\n
P3P Header\uff0c\u5168\u79f0\u662fThe Plarform for Privacy Preferences\u3002<\/p>\n
\u5982\u679c\u7f51\u7ad9\u8fd4\u56de\u7ed9\u6d4f\u89c8\u5668\u7684HTTP\u5934\u4e2d\u5305\u542bP3P\u5934\uff0c\u5219\u5728\u67d0\u79cd\u7a0b\u5ea6\u4e0a\u6765\u8bf4\uff0c\u5c06\u5141\u8bb8\u6d4f\u89c8\u5668\u53d1\u9001\u7b2c\u4e09\u65b9Cookie\uff0c\u5728IE\u4e0b\u5373\u4f7f\u662f<iframe>, <script><\/code>\u7b49\u6807\u7b7e\u4e5f\u5c06\u4e0d\u518d\u62e6\u622a\u7b2c\u4e09\u65b9Cookie\u7684\u53d1\u9001\u3002<\/p>\nCSRF \u9632\u5fa1<\/h2>\n\u9a8c\u8bc1\u7801<\/h3>\n
CSRF\u653b\u51fb\u7684\u8fc7\u7a0b\u5f80\u5f80\u662f\u5728\u7528\u6237\u4e0d\u77e5\u60c5\u7684\u60c5\u51b5\u4e0b\u6784\u9020\u4e86\u7f51\u7edc\u8bf7\u6c42\uff0c\u9a8c\u8bc1\u7801\u4f1a\u5f3a\u5236\u7528\u6237\u5fc5\u987b\u4e0e\u5e94\u7528\u4ea4\u4e92\uff0c\u624d\u80fd\u5b8c\u6210\u6700\u7ec8\u7684\u8bf7\u6c42\uff0c\u56e0\u6b64\u901a\u5e38\u60c5\u51b5\u4e0b\uff0c\u9a8c\u8bc1\u7801\u80fd\u591f\u5f88\u597d\u5730\u9632\u5fa1CSRF\u653b\u51fb\u3002<\/p>\n
Referer Check<\/h3>\n
\u6d4f\u89c8\u5668\u7684Referer\u5934\u4e00\u822c\u7528\u4e8e\u544a\u8bc9\u670d\u52a1\u5668\u94fe\u63a5\u662f\u4ece\u54ea\u4e2a\u9875\u9762\u94fe\u63a5\u8fc7\u6765\u7684\uff0cReferer Check\u5728\u4e92\u8054\u7f51\u4e2d\u6700\u5e38\u89c1\u7684\u5e94\u7528\u5c31\u662f\u201c\u9632\u6b62\u56fe\u7247\u76d7\u94fe\u201d\u3002<\/p>\n
\u5e38\u89c1\u7684\u4e92\u8054\u7f51\u5e94\u7528\uff0c\u9875\u9762\u4e0e\u9875\u9762\u4e4b\u95f4\u90fd\u5177\u6709\u4e00\u5b9a\u7684\u903b\u8f91\u5173\u7cfb\uff0c\u8fd9\u5c31\u4f7f\u6bcf\u4e2a\u6b63\u5e38\u8bf7\u6c42\u7684Referer\u5177\u6709\u4e00\u5b9a\u7684\u89c4\u5f8b\u3002\u901a\u8fc7Referer\uff0c\u53ef\u4ee5\u5224\u65ad\u4e00\u4e2a\u8bf7\u6c42\u6709\u6ca1\u6709\u53ef\u80fd\u662fCSRF\u3002<\/p>\n
Referer Check\u7684\u7f3a\u9677\u5728\u4e8e\u670d\u52a1\u5668\u5e76\u975e\u4ec0\u4e48\u65f6\u5019\u90fd\u80fd\u53d6\u5230Referer\u3002<\/em>\u6709\u7684\u6d4f\u89c8\u5668\u5904\u4e8e\u9690\u79c1\u8003\u8651\u3001\u4eceHTTPS\u8df3\u8f6c\u5230HTTP\u7b49\u90fd\u4e0d\u4f1a\u53d1\u9001Referer\u3002<\/p>\nAnti CSRF Token<\/h3>\n
\u8fd9\u662f\u4e1a\u754c\u7684\u4e00\u81f4\u505a\u6cd5\uff0c\u4f7f\u7528\u4e00\u4e2aToken\u6765\u9632\u5fa1CSRF\u3002<\/p>\n
CSRF\u7684\u672c\u8d28\u662f\u91cd\u8981\u64cd\u4f5c\u7684\u6240\u6709\u53c2\u6570\u90fd\u662f\u53ef\u4ee5\u88ab\u653b\u51fb\u8005\u731c\u6d4b\u5230\u7684\u3002<\/strong><\/p>\nAnti CSRF Token \u662f\u8db3\u591f\u968f\u673a\u7684\uff0c\u4e3a\u7528\u6237\u4e0e\u670d\u52a1\u5668\u6240\u5171\u540c\u6301\u6709\uff0c\u4e0d\u80fd\u88ab\u7b2c\u4e09\u8005\u77e5\u6653\u3002Token\u53ef\u4ee5\u653e\u5728\u7528\u6237Session\u4e2d\uff0c\u6216\u8005\u6d4f\u89c8\u5668Cookie\u4e2d\u3002<\/p>\n
Token\u9700\u8981\u540c\u65f6\u653e\u5728\u8868\u5355\u548cSession\uff08\u6216Cookie\uff09\u4e2d\u3002\u5728\u5904\u7406\u8bf7\u6c42\u65f6\uff0c\u670d\u52a1\u5668\u53ea\u9700\u9a8c\u8bc1\u8868\u5355\u4e2d\u7684Token\u4e0e\u7528\u6237Session\u6216Cookie\u4e2d\u7684Token\u662f\u5426\u4e00\u81f4\uff0c\u5982\u679c\u4e00\u81f4\uff0c\u5219\u662f\u5408\u6cd5\u7684\u8bf7\u6c42\u7684\uff0c\u5426\u5219\u5c31\u662fCSRF\u3002<\/p>\n
Token \u4f7f\u7528\u539f\u5219<\/h4>\n\n- \u9632\u5fa1CSRF\u7684Token\u662f\u6839\u636e\u201c\u4e0d\u53ef\u9884\u6d4b\u6027\u539f\u5219\u201d\u8bbe\u8ba1\u7684\uff0c\u6240\u6709Token\u7684\u751f\u6210\u4e00\u5b9a\u8981\u8db3\u591f\u968f\u673a\uff0c\u9700\u8981\u4f7f\u7528\u5b89\u5168\u7684\u968f\u673a\u6570\u751f\u6210\u5668\u6765\u751f\u6210Token\u3002<\/li>\n
- \u5982\u679cToken\u662f\u653e\u5728Cookie\u4e2d\uff0c\u53ef\u4ee5\u8003\u8651\u751f\u6210\u591a\u4e2a\u6709\u6548\u7684Token\uff0c\u4ee5\u89e3\u51b3\u591a\u9875\u9762\u5171\u5b58\u7684\u573a\u666f\u3002<\/li>\n
- \u4f7f\u7528Token\u65f6\u5e94\u8be5\u4e3b\u8981Token\u7684\u4fdd\u5bc6\u6027\u3002<\/li>\n<\/ul>\n
CSRF Token\u4ec5\u4ec5\u7528\u4e8e\u5bf9\u6297CSRF\u653b\u51fb\uff0c\u5f53\u7f51\u7ad9\u8fd8\u540c\u65f6\u5b58\u5728XSS\u6f0f\u6d1e\u65f6\uff0c\u8fd9\u4e2a\u65b9\u6848\u5c31\u4f1a\u5931\u6548\u3002CSRF\u7684Token\u662f\u5efa\u7acbXSS\u9632\u5fa1\u65b9\u6848\u8db3\u591f\u5b89\u5168\u7684\u57fa\u7840\u4e0a\u7684\u3002<\/p>\n
\u70b9\u51fb\u52ab\u6301<\/h1>\nHTML5 \u5b89\u5168<\/h1>\n
\u6b22\u8fce\u5173\u6ce8\u6211\u7684\u5fae\u4fe1\u516c\u4f17\u53f7: coderbee\u7b14\u8bb0<\/strong>\uff0c\u53ef\u4ee5\u66f4\u53ca\u65f6\u56de\u590d\u4f60\u7684\u8ba8\u8bba\u3002<\/p>\n![](\"https:\/\/coderbee.net\/wp-content\/uploads\/2019\/01\/coderbee-note.jpg\")
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u6d4f\u89c8\u5668\u5b89\u5168 \u540c\u6e90\u7b56\u7565 \u540c\u6e90\u7b56\u7565\uff08Same Origin Policy\uff09\u662f\u4e00\u79cd\u7ea6\u5b9a … \u7ee7\u7eed\u9605\u8bfb