Reducing the Risks of XSS
There are technologies like the Sucuri Firewall designed to help mitigate XSS attacks. If you are a developer, here is some insight on how to identify and account for these weaknesses.
How to Prevent XSS Vulnerabilities
Preventive measures to reduce the chances of XSS attacks should take into account the separation of untrusted data from active browser content. The OWASP guidelines give some practical tips on how to achieve it:
Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered.
Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet for XSS Prevention has details on the required data escaping techniques.
Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. When this cannot be avoided, similar context-sensitive escaping techniques can be applied to browser APIs as described in the OWASP Cheat Sheet for DOM based XSS Prevention.
Enabling a content security policy (CSP) is a defense-in-depth mitigating control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal overwrites or vulnerable libraries from permitted content delivery networks).
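The context-sensitive escaping the list above calls for, as an added JavaScript example (not code from the Sucuri article or from OWASP): one encoder for the HTML body and attribute contexts, one for the JavaScript string-literal context, and a render function shown in its unescaped form beside its escaped form on a constructed sample input.

```javascript
// Added example: context-sensitive output encoding for untrusted data.
// The encoders and the sample input are constructed for this illustration.

// HTML body and quoted-attribute context: encode the characters that can
// break out of text content or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-encode everything outside
// a conservative alphanumeric allow-list, so the value can neither terminate
// the string literal nor close the enclosing <script> element.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable 'before': the same untrusted value pasted into three contexts.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>` +
    `<input value="${name}">` +
    `<script>var who = "${name}";</script>`;
}

// Hardened form: each occurrence encoded for the context it lands in.
function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>` +
    `<input value="${escapeHtml(name)}">` +
    `<script>var who = "${escapeJsString(name)}";</script>`;
}

// Constructed sample input that would close the attribute and insert markup.
const sample = '"><b>x</b>';
```

Note that `escapeHtml` is only correct for the body and quoted-attribute contexts; a value landing in a URL or CSS context needs its own encoder, as the OWASP cheat sheet describes.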
Reflected XSS: The application or API includes unvalidated and unescaped user input as part of its HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim's browser. Typically the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious websites, advertisements, or similar.
Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.
DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.
Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads and key logging, and other client-side attacks.