
Preventing XSS attacks with Content Security Policy (Overview of networking fundamentals, translation: XSS attacks and defenses)


Session Hijacking

We've already seen that the session plays an important role in keeping HTTP stateful. We also know that a session id serves as the unique token used to identify each session. Usually the session id is implemented as a random string and comes in the form of a cookie stored on the computer. With the session id in place on the client side, every time a request is sent to the server this data is added and used to identify the session. In fact, this is what many web applications with authentication systems do: when a user's username and password match, the session id is stored in their browser so that on the next request they won't have to re-authenticate.

Unfortunately, if an attacker gets hold of the session id, both the attacker and the user now share the same session and both can access the web application. In session hijacking the user won't even know an attacker is accessing his or her session, and the attacker never needs to know the username or password.

Countermeasures for Session Hijacking
  • One popular way of solving session hijacking is by resetting sessions. With authentication systems this means a successful login must render the old session id invalid and create a new one. With this in place, on the next request the victim will be required to authenticate. At this point the session id has changed and the attacker will no longer have access. Most websites implement this technique by making sure users re-authenticate when entering any potentially sensitive area, such as charging a credit card or deleting the account.
  • Another useful solution is setting an expiration time on sessions. Sessions that do not expire give an attacker an infinite amount of time to pose as the real user. Expiring sessions after, say, 30 minutes gives the attacker a far narrower window in which to access the app.
  • Finally, as we have already covered, another approach is to use HTTPS across the entire app to minimize the chance that an attacker can get to the session id.

Session Hijacking

We've already seen that the session plays an important role in keeping HTTP stateful. We also know that a session id serves as the unique token used to identify each session. Usually the session id is implemented as a random string and comes in the form of a cookie stored on the computer. Now that the session id is in place on the client side, every time a request is sent to the server this data is added and used to identify the session. In fact, this is what many web applications with authentication systems do. When a user's username and password match, the session id is stored in their browser so that on the next request they won't have to re-authenticate.

Unfortunately, if an attacker obtains the session id, the attacker and the user now share the same session and both can access the web application. In session hijacking the user won't even know an attacker is accessing his or her session, and the attacker never needs to know the username or password.

Countermeasures for Session Hijacking

One popular way of solving session hijacking is resetting the session. For authentication systems this means a successful login must invalidate the old session id and create a new one. With this in place, on the next request the victim will be required to authenticate. (Translator's note: authentication is required before every login, and the session id changes every time.) At this point the session id has changed and the attacker will no longer have access. Most websites implement this technique by making sure users authenticate when entering any potentially sensitive area, such as charging a credit card or deleting an account.

Another useful solution is to set an expiration time on sessions. Sessions that never expire give the attacker unlimited time to impersonate the real user. Expiring sessions after, say, 30 minutes gives the attacker a much narrower window to access the application.

Finally, as we have already covered, another approach is to use HTTPS across the entire application to minimize the chance that an attacker can obtain the session id.

Cross-Site Scripting (XSS)

The final security concern we'll talk about, and a very important one for all web developers, is called cross-site scripting, or XSS. This type of attack happens when you allow users to input HTML or JavaScript that ends up being displayed by the site directly.

For example, the form below allows you to add comments, which will then be displayed on the site.

Cross-Site Scripting (XSS)

The final security issue we will discuss, and a very important one for all web developers, is called cross-site scripting, or XSS. This type of attack occurs when you allow users to input HTML or JavaScript that ends up being displayed directly by the site.

For example, the form below lets you add comments, which are then displayed on the website.

[Image 1: the comment form]

Because it's just a normal HTML <textarea>, users are free to input anything into the form. This means users can add raw HTML and JavaScript into the text area and submit it to the server as well:

Because it is just an ordinary HTML <textarea>, users are free to enter anything into the form. This means users can add raw HTML and JavaScript to the text area and submit it to the server:

[Image 2: raw HTML and JavaScript entered into the text area]

If the server-side code doesn't do any sanitization of input, the user input will be injected into the page contents and the browser will interpret the HTML and JavaScript and execute it. In this case an alert message will pop up, which is definitely not the desired outcome. Attackers can craft ingeniously malicious HTML and JavaScript and be very destructive to both the server and future visitors of this page. For example, an attacker can use JavaScript to grab the session id of every future visitor to this site and then come back and assume their identity. It could happen silently, without the victims ever knowing about it. Note that the malicious code bypasses the same-origin policy because the code lives on the site.

If the server-side code does no sanitization of the input, the user input will be injected into the page content, and the browser will interpret the HTML and JavaScript and execute it. In this case an alert message pops up, which is definitely not the intended outcome. Attackers can craft ingeniously malicious HTML and JavaScript and do great damage to both the server and future visitors of the page. For example, an attacker can use JavaScript to obtain the session id of every future visitor to the site and then come back and assume their identity. This could happen silently without the victims ever knowing. Note that the malicious code bypasses the same-origin policy because the code lives on the site itself. (Translator's note: back in the day, the trojans planted on Legend (传奇) game sites to steal account information: was that done this way? Sob.)

Potential solutions for cross-site scripting
  • One way to prevent this kind of attack is by making sure to always sanitize user input. Eliminate problematic input such as <script> tags, or disallow HTML and JavaScript input altogether in favor of a safer format like Markdown.
  • The second way to guard against XSS is to escape all user input data when displaying it. If you do need to allow users to input HTML and JavaScript, then when you print it out make sure to escape it so that the browser does not interpret it as code.

Potential solutions for cross-site scripting

One way to prevent this attack is to make sure you always sanitize user input. Eliminate problematic input such as <script> tags, or disallow HTML and JavaScript input altogether in favor of a safer format such as Markdown.

The second way to guard against XSS is to escape all user input data when displaying it. If you really do need to allow users to enter HTML and JavaScript, then when you print it out make sure to escape it so that the browser does not interpret it as code.

Escaping

We mentioned the term "escaping" above. To escape a character means to replace an HTML character with a combination of ASCII characters which tells the client to display that character as is and not to process it; this helps prevent malicious code from running on a page. These combinations of ASCII characters are called HTML entities.

Consider the following HTML: <p>Hello World!</p>. Let's say we don't want the browser to read this as HTML. To accomplish this we can escape the special characters that the browser uses to detect when HTML starts and ends, namely < and >, with HTML entities. If we write the following: &lt;p&gt;Hello World!&lt;/p&gt; then that HTML will be displayed as plain text instead.

Escaping

We mentioned the term "escaping" above. Escaping a character means replacing an HTML character with a combination of ASCII characters that tells the client to display the character as is rather than process it; this helps prevent malicious code from running on the page. These combinations of ASCII characters are called HTML entities.

Consider the following HTML: <p>Hello World!</p>. Suppose we don't want the browser to read this as HTML. To do so, we can use HTML entities to escape the special characters the browser uses to detect where HTML starts and ends, namely < and >. If we write the following: &lt;p&gt;Hello World!&lt;/p&gt;, that HTML will be displayed as plain text instead.
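The comment feature from the XSS section and the entity escaping described here, as an added JavaScript example that is not code from the original article or the book it translates: an escapeHtml function, the vulnerable rendering of a comment beside the escaped one, and a small decoder that shows what the browser would display from the escaped markup. The function names, the comment markup and the sample comments are assumptions constructed for illustration.

```javascript
// Added example, not from the original article: output escaping for the
// comment feature discussed above. Function names, the comment markup and
// the sample inputs are assumptions constructed for illustration.

// The five characters the browser treats as markup, and their HTML entities.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace each markup character with its entity in a single pass, so the
// output is displayed as text and never parsed as tags or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The reverse mapping, used only to show what the browser would render
// from the escaped markup (on a real page the browser does this itself).
const ENTITY_CHARS = Object.fromEntries(
  Object.entries(HTML_ENTITIES).map(([ch, ent]) => [ent, ch]),
);
function decodeEntities(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => ENTITY_CHARS[ent]);
}

// Vulnerable rendering: the comment is injected into the page verbatim, so
// any <script> inside it is executed by the next visitor's browser.
function renderCommentUnsafe(author, comment) {
  return `<div class="comment" data-author="${author}">${comment}</div>`;
}

// Hardened rendering: escape at output time, in every slot user data lands
// in. Element content and a double-quoted attribute value are both covered
// by escapeHtml; other contexts (URLs, inline scripts, CSS) need their own
// encoders and are not handled here.
function renderCommentSafe(author, comment) {
  return `<div class="comment" data-author="${escapeHtml(author)}">${escapeHtml(comment)}</div>`;
}

// True when the user-controlled text, once escaped, can no longer open or
// close a tag or break out of a quoted attribute.
function isInert(escaped) {
  return !/[<>"']/.test(escaped);
}

// Constructed samples: the text's own <p>Hello World!</p> case and the
// alert pop-up case from the XSS section.
const SAMPLE_COMMENTS = [
  '<p>Hello World!</p>',
  '<script>alert("xss")</script>',
  'Tom & Jerry say "hi"',
];

function demo() {
  return SAMPLE_COMMENTS.map((comment) => ({
    input: comment,
    escaped: escapeHtml(comment),
    displayedAs: decodeEntities(escapeHtml(comment)), // round-trips to the input
    inert: isInert(escapeHtml(comment)),
  }));
}
```

The round trip in demo() is the point of the text's "displayed as plain text" remark: the escaped string contains no markup characters at all, yet what the browser shows the reader is exactly the string the user typed. Escaping is done once, at the moment the value is written into the page, not when it is stored, so the same stored comment can later be emitted safely into a different context with the encoder that context needs.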

Summary

In this section we covered various aspects of security in web applications. Needless to say, this is a huge topic and we've only scratched the surface of a few common issues. The point of this chapter is to reveal how fragile and problematic developing and securing a web application is, and that this is mostly due to working with HTTP.

Summary

In this section we covered various aspects of security in web applications. Needless to say, this is a huge topic and we've only scratched the surface of a few common problems. The point of this chapter is to reveal how fragile and problematic developing and securing a web application is, which is mainly due to working with HTTP.

-- Translation done and submitted, and then the browser crashed. Thanks, Toutiao, for making me copy and paste from Google all over again; I found that in most cases Google's translation is more accurate than mine.
