FixVibe
Covered by FixVibe (high)

Detecting and Preventing Cross-Site Scripting (XSS) Vulnerabilities

Cross-Site Scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or encoding. This allows attackers to execute malicious scripts in the victim's browser, leading to session hijacking, unauthorized actions, and exposure of sensitive data.

CWE-79

Impact

An attacker who successfully exploits a Cross-Site Scripting (XSS) vulnerability can impersonate the victim user, perform any action the user is authorized to perform, and access any of the user's data [S1]. This includes stealing session cookies to hijack accounts, capturing login credentials through fake forms, or performing virtual defacement [S1][S2]. If the victim has administrative privileges, the attacker can gain full control over the application and its data [S1].

Root Cause

XSS occurs when an application accepts user-controlled input and includes it in a web page without proper sanitization or encoding [S2]. This allows the injected data to be interpreted as active content (JavaScript) by the victim's browser, bypassing the Same-Origin Policy that is designed to isolate websites from one another [S1][S2].

Vulnerability Types

  • Reflected XSS: The malicious script is reflected from the web application to the victim's browser, typically via a URL parameter [S1].
  • Stored XSS: The script is persistently stored on the server (for example, in a database or a comment section) and served to users later [S1][S2].


  • DOM-based XSS: The vulnerability exists entirely in client-side code that processes data from an untrusted source in an unsafe way, such as writing it to innerHTML [S1].


Concrete Remediation


  • Encode output data: Convert user data into a safe format before rendering it. Use HTML entity encoding for the HTML body, and the appropriate JavaScript or CSS encoding for those specific contexts [S1][S2].


  • Filter input on arrival: Apply a strict allowlist for the expected input format and reject anything that does not match it [S1][S2].


  • Use security headers: Set the HttpOnly flag on session cookies to prevent access from JavaScript [S2]. Use Content-Type and X-Content-Type-Options: nosniff to ensure browsers do not interpret responses as executable code [S1].


  • Content Security Policy (CSP): Apply a strong CSP to restrict the sources from which scripts can be loaded and executed, providing defense in depth.


How FixVibe Tests for It

FixVibe can detect XSS through a multi-layered approach based on established inspection techniques [S1]:

  • Passive scan: Detects missing or weak security headers, such as Content-Security-Policy or X-Content-Type-Options, that are designed to mitigate XSS [S1].


  • Active checks: Injects unique, harmless alphanumeric strings into URL parameters and form fields to determine whether they are reflected in the response body without proper encoding [S1].
  • Repo scans: Analyzes client-side JavaScript for "sinks" that process untrusted data, such as innerHTML, document.write, or setTimeout, which are common sinks for DOM-based XSS [S1].
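The output-encoding remediation and the active reflection check above, as an added example that is not FixVibe's own code: a minimal HTML-body encoder, a vulnerable and a hardened renderer for a reflected search parameter, and a classifier that sends a harmless canary (constructed sample value) through a renderer and reports whether it came back unencoded, encoded, or not at all.

```javascript
// Added example (not FixVibe's code). Demonstrates "encode output data" and the
// canary-based reflection check described in the text, in a single runnable file.

// Encode the five characters that are significant in an HTML body/attribute context.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer: reflects the query parameter into the page verbatim.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened renderer: same page, but the untrusted value is encoded first.
function renderSearchSafe(query) {
  return `<p>Results for: ${encodeHtml(query)}</p>`;
}

// Unique, harmless alphanumeric canary (constructed), wrapped in markup-significant
// characters so that raw reflection is distinguishable from encoded reflection.
const CANARY = 'fvx7q2kz9';
const PROBE = `<${CANARY}>`;

// 'unencoded' if the probe survives as live markup, 'encoded' if the canary is
// present but the angle brackets were escaped, 'absent' if it is not reflected.
function classifyReflection(body) {
  if (body.includes(PROBE)) return 'unencoded';
  if (body.includes(CANARY)) return 'encoded';
  return 'absent';
}

// Run the probe through a renderer and classify what comes back.
function checkRenderer(render) {
  return classifyReflection(render(PROBE));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable renderer:', checkRenderer(renderSearchVulnerable)); // unencoded
  console.log('hardened renderer:', checkRenderer(renderSearchSafe));         // encoded
}
```

A finding of `unencoded` is the condition the active check flags; `encoded` shows the page reflects input but neutralizes it, which is the expected result after applying the output-encoding fix.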