Owasp top 10 Security Risks & Vulnerabilities Note

Types of XSS

ross Site Scripting (XSS) ko'plab veb-ilovalarga ta'sir qiladigan keng tarqalgan zaiflikdir. XSS hujumlari veb-saytga zararli mijoz skriptlarini kiritish va veb-saytni tarqatish usuli sifatida foydalanishdan iborat. XSS ning xavf-xatarlari shundaki, u tajovuzkorga veb-saytga tarkibni kiritish va uning ko'rsatilishini o'zgartirish imkonini beradi, bu esa jabrlanuvchining brauzerini sahifani yuklashda tajovuzkor tomonidan taqdim etilgan kodni bajarishga majbur qiladi. XSS barcha ilovalarning uchdan ikki qismida mavjud. Umuman olganda, XSS zaifliklari foydalanuvchining ijtimoiy muhandislik yoki ma'lum bir sahifaga tashrif buyurish orqali qandaydir o'zaro ta'sirini talab qiladi. Agar XSS zaifligi tuzatilmagan bo'lsa, u har qanday veb-sayt uchun juda xavfli bo'lishi mumkin. XSS zaifliklariga misollar Tasavvur qiling-a, siz WordPress wp-admin panelida yangi post qo'shyapsiz. Agar siz xakerlar tomonidan foydalaniladigan saqlangan XSS zaifligiga ega plagindan foydalanayotgan bo‘lsangiz, u wp-admin panelida bo‘lganingizda brauzeringizni yangi administrator foydalanuvchi yaratishga majbur qilishi yoki postni tahrirlashi va shunga o‘xshash boshqa amallarni bajarishi mumkin. . XSS zaifligi tajovuzkorga bugungi kunda kompyuterlarning eng muhim dasturiy ta'minotini, ya'ni brauzerlarni deyarli to'liq boshqarish imkonini beradi. 2017 yilda bizning tadqiqot guruhimiz WordPress veb-saytlarining yadrosida saqlangan XSS zaifligini oshkor qildi. Masofaviy tajovuzkorlar ushbu zaiflikdan WordPress saytidagi tasodifiy postni buzish va unda zararli JavaScript kodini saqlash uchun foydalanishi mumkin. XSS turlari OWASP Top 10 ga ko'ra, saytlararo skriptlarning uchta turi mavjud

• 
  Reflected XSS: The application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. Typically the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.
  
• 
  Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered high or critical risk.
  
• 
  DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs. Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM-node replacement or defacement (such as Trojan login panels), attacks against the user’s browser such as malicious software downloads, keylogging, and other client-side attacks.