IT technology exchange platform

A Detailed Look at the Differences Between XSS and XSSI

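Author: whl  Published: 2018-12-22 08:31:00

Attackers have long used XSS vulnerabilities to break in, and these attacks mainly target the users of an application rather than the application itself or its server. They are carried out mainly by injecting code into the web application's output. Many people cannot tell XSS and XSSI apart and often confuse the two, so this article walks through the differences in detail.

Similarities and differences between XSS and XSSI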

Most websites have many injection points, including search fields, cookies and forms. Although these malicious scripts cannot directly infect server-side information, they can still undermine the security of the site. By using Document Object Model manipulation to change form values, alter the appearance of the page, or switch the form action so that submitted data is posted to the attacker's site, an attacker can steal data, take control of the user's session, run malicious code, or use the page as part of a phishing scam.

XSSI is a form of XSS that takes advantage of the fact that browsers do not stop a web page from loading resources such as images and text, which are often hosted on other domains and servers. For example, a script may provide functionality the attacker needs to help create a particular page; many websites include a hosted copy of the JavaScript library jQuery. However, this kind of inclusion can be abused to read user data from one domain while the user is visiting another domain. For example, if ABC Bank has a script that reads a user's private account information, an attacker can include that script on their own malicious site, and when an ABC Bank customer visits the attacker's site, the attacker can extract the user's information from ABC Bank's server.

Developers can deploy several measures to defend against XSSI attacks. One approach is to give each user a unique, unpredictable authorization token that must be sent back as an additional HTTP parameter before the server responds to any request. Scripts should respond only to POST requests: this keeps the authorization token from being exposed as a URL parameter in a GET request, and it also prevents the script from being loaded through a script tag. Browsers may reissue GET requests, which can cause an action to be performed more than once, whereas a reissued POST request requires the user's consent.

When handling JSON requests, add a non-executable prefix to the response, for example "\n", to make sure the script cannot be executed. A script running on the same domain can read the response content and strip the prefix, but scripts running on other domains cannot. In addition, developers should avoid using JSONP (JSON with padding) to load confidential data from a different domain, because this allows phishing sites to collect the data. Sending the response header "X-Content-Type-Options: nosniff" also helps protect IE and Google Chrome users from XSSI attacks.
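The XSSI defenses described above (per-user token, POST only, non-executable JSON prefix, nosniff header), as an added example that is not part of the original article. The function names, the request and session shape, and the `)]}'` prefix value are assumptions for illustration; the token is assumed to have been issued from a CSPRNG at login.

```javascript
// Added example: names, request shape and prefix value are assumptions.
const XSSI_PREFIX = ")]}'\n"; // not valid JavaScript, so a script include fails to parse

// Constant-time comparison so the token check does not leak how many characters matched.
function tokensMatch(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: req = { method, body: { token }, session: { token, accounts } }.
function handleAccountRequest(req) {
  const headers = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
  // A <script src> include always issues GET, so refusing GET blocks script-tag loading.
  if (req.method !== "POST") {
    return { status: 405, headers: { ...headers, Allow: "POST" }, body: XSSI_PREFIX + "{}" };
  }
  // The per-user token must come back in the POST body, never in the URL.
  const session = req.session;
  if (!session || !tokensMatch(req.body && req.body.token, session.token)) {
    return { status: 403, headers, body: XSSI_PREFIX + "{}" };
  }
  return { status: 200, headers, body: XSSI_PREFIX + JSON.stringify(session.accounts) };
}

// Same-origin client: it can read the response text, so it strips the prefix before parsing.
function parsePrefixedJson(text) {
  if (!text.startsWith(XSSI_PREFIX)) throw new Error("missing XSSI prefix");
  return JSON.parse(text.slice(XSSI_PREFIX.length));
}

// What a cross-origin script include would attempt: compile the body as JavaScript.
// new Function only compiles the text here; it is never called.
function parsesAsScript(text) {
  try { new Function(text); return true; } catch (e) { return false; }
}

// Constructed sample session and request (not real data).
const sampleSession = { token: "constructed-token-3f9a", accounts: [{ id: "A-1", balance: 120 }] };
const sampleReply = handleAccountRequest({
  method: "POST", body: { token: sampleSession.token }, session: sampleSession,
});
console.log(sampleReply.status, parsesAsScript(sampleReply.body), parsePrefixedJson(sampleReply.body));
```

A bare JSON array is a valid script on its own, which is why the sample returns an array: the prefix is what makes the body fail to compile when included from another origin.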

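To counter XSS attacks, specify the CHARSET in the HTTP Content-Type response header or in the http-equiv attribute of a meta tag in the HTML, so that the browser does not interpret special character encodings from other character sets. For developers building sites with ASP.NET, Microsoft's Anti-Cross Site Scripting Library can help protect web applications against cross-site scripting vulnerabilities.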

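Many open-source vulnerability scanning tools are now available to developers for testing whether their code is susceptible to XSS attacks, for example Vega, Wapiti, OWASP's Zed Attack Proxy and Skipfish. Organizations should scan their sites regularly, and should also scan whenever the underlying code changes or functionality that relies on third-party libraries is integrated into pages.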

The differences listed above are quite detailed, so take the time to study them carefully. Having read this far, you should have a clear picture of how XSS and XSSI differ and should no longer confuse the two. If you would like to learn more about XSS and XSSI, see the other related articles on this site.
