FixVibe
Covered by FixVibe: high

Detecting and Preventing Cross-Site Scripting (XSS) Vulnerabilities

Cross-Site Scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or encoding. This allows attackers to execute malicious scripts in a victim's browser, leading to session hijacking, unauthorized actions, and exposure of sensitive data.

CWE-79

Impact

An attacker who successfully exploits a Cross-Site Scripting (XSS) vulnerability can impersonate the victim user, perform any action the user is authorized to perform, and access any of the user's data [S1]. This includes stealing session cookies to hijack accounts, capturing login credentials through fake forms, or performing visible defacement [S1][S2]. If the victim has administrative privileges, the attacker can gain full control of the application and its data [S1].

Cause

XSS occurs when an application takes user-controlled input and inserts it into a web page without proper sanitization or encoding [S2]. This allows the input to be interpreted as active content (JavaScript) by the victim's browser, bypassing the Same-Origin Policy that is designed to isolate websites from one another [S1][S2].

Vulnerability Types

  • Reflected XSS: Malicious script is reflected by the web application into the victim's browser, typically via a URL parameter [S1].
  • Stored XSS: The script is stored persistently on the server (e.g., in a database or a comments section) and served to users later [S1][S2].
  • DOM-based XSS: The vulnerability exists entirely in client-side code that processes data from an untrusted source in an unsafe way, such as writing to innerHTML [S1].

Concrete Fixes

  • Encode Data on Output: Convert user-controllable data into a safe form before rendering it. Use HTML entity encoding in the HTML body, and the appropriate JavaScript or CSS encoding for those specific contexts [S1][S2].
  • Filter Input on Arrival: Apply strict allow-lists for expected input formats and reject anything that does not match [S1][S2].
  • Use Security Headers: Set the HttpOnly flag on session cookies to prevent access via JavaScript [S2]. Use Content-Type and X-Content-Type-Options: nosniff to ensure browsers do not misinterpret responses as executable code [S1].
  • Content Security Policy (CSP): Apply a strict CSP to restrict the sources from which scripts can be loaded and executed, providing an additional layer of defense in depth [S1].

How FixVibe tests for it

FixVibe can detect XSS through a multi-layered approach based on established scanning methods [S1]:

  • Passive Scans: Identify missing or weak security headers such as Content-Security-Policy or X-Content-Type-Options that are designed to mitigate XSS [S1].
  • Active Scans: Inject a unique, harmless alphanumeric canary string into URL parameters and form fields and detect whether it appears in the response body without appropriate encoding [S1].
  • Repo Scans: Analyze client-side JavaScript for "sinks" that handle untrusted data unsafely, such as innerHTML, document.write, or setTimeout, which are common indicators of DOM-based XSS [S1].
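The two sides of the page above, output encoding from the "Concrete Fixes" list and the sink search from "Repo Scans", as an added illustration that is not FixVibe's own code: a vulnerable and a hardened comment renderer for the HTML body context, plus a crude line scanner for the three sinks the text names. The stored comment and the sample client-side source are constructed inputs.

```javascript
// Added example (not FixVibe code): HTML-body output encoding and a
// regex-based scan for the DOM sinks named on the page.

// Output encoding for the HTML body context: every character that can
// start or end markup is turned into an entity.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: interpolates stored user data straight into markup (stored XSS).
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened: same template, but the untrusted value is encoded first.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Repo-scan style triage: report lines of client-side JS that write into a
// dangerous sink. Pattern matching only; it flags candidates, not proof.
const DOM_SINKS = [
  { name: "innerHTML", re: /\.innerHTML\s*=/ },
  { name: "document.write", re: /document\.write(ln)?\s*\(/ },
  { name: "setTimeout(string)", re: /setTimeout\s*\(\s*["'`]/ },
];

function findDomSinks(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    for (const sink of DOM_SINKS) {
      if (sink.re.test(line)) hits.push({ line: i + 1, sink: sink.name });
    }
  });
  return hits;
}

// Constructed sample input: a comment as an attacker might store it.
const STORED_COMMENT = "<script>alert(1)</script>";

// Constructed sample client-side source: two unsafe sinks, one safe write.
const SAMPLE_JS = [
  'const q = new URLSearchParams(location.search).get("q");',
  "out.innerHTML = q;",
  "out.textContent = q;",
  'document.write("<b>" + q + "</b>");',
].join("\n");
```

Running `findDomSinks(SAMPLE_JS)` flags lines 2 and 4 only; the `textContent` write on line 3 is the safe alternative and is not reported.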