Self-XSS

Self-XSS（英語：self cross-site scripting），又稱「Self型跨站腳本攻擊」，是一種可以獲得受害者網絡賬號的社會工程學攻擊手段。在Self-XSS攻擊中，受害者無意中在瀏覽器里運行了惡意代碼，通過一種稱為跨站腳本的漏洞將個人信息暴露給攻擊者。^[1]

概述[編輯]

Self-XSS通過誘騙用戶將惡意內容複製並粘貼到瀏覽器的Web開發者控制台進行攻擊。^[1]通常，攻擊者會發布一條消息，稱通過複製和運行某些代碼，用戶將能夠入侵另一個用戶的帳戶。實際上，該代碼允許攻擊者劫持受害者的帳戶。^[2]

歷史與預防手段[編輯]

過去也有出現類似的攻擊手段，即誘騙用戶將惡意JavaScript代碼粘貼到地址欄中。當瀏覽器廠商通過阻止從地址欄中輕鬆運行 JavaScript 來阻止這一攻擊時，^[3]^[4]攻擊者開始使用如今的Self-XSS。Web瀏覽器廠商已經採取措施預防這一攻擊。Firefox^[5]以及Google Chrome^[6]通過在瀏覽器控制台中警告用戶防止Self-XSS攻擊。Facebook等網站在用戶打開控制台時顯示警告消息，並附有鏈接解釋這一攻擊的原理。^[7]^[8]

詞源[編輯]

名詞中的「self」指的是用戶攻擊自己的事實。「XSS」是跨站腳本的縮寫。XSS和Self-XSS攻擊都會導致在合法站點上運行惡意代碼。然而，這兩種攻擊手段沒有太多共同點，因為 XSS 是針對網站本身的攻擊（用戶無法保護自己，但可以由網站運營商修復，使他們的網站更安全），而 Self-XSS 是一種針對用戶的社會工程攻擊（精明的用戶可以保護自己免受攻擊，但網站運營商對此無能為力）。^[9]

參考資料[編輯]

^ ^1.0 ^1.1 Scharr, Jill. Facebook Scam Tricks Users Into Hacking Themselves. Tom's Guide US. Purch. July 28, 2014 [September 27, 2014]. （原始內容存檔於2022-12-05）.
^ Social Networking Security Threats. Sophos. n.d. [September 27, 2014]. （原始內容存檔於2021-11-08）.
^ Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page. Bugzilla. Mozilla Foundation. May 11, 2011 [September 28, 2014]. （原始內容存檔於2022-09-01）.
^ Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始內容存檔於2015-10-31）.
^ Bug 994134 – Warn first-time users on pasting code into the console. Bugzilla. Mozilla Foundation. April 9, 2014 [September 28, 2014]. （原始內容存檔於2022-11-27）.
^ Issue 345205: DevTools: Combat self-XSS. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始內容存檔於2015-12-05）.
^ What do Self-XSS scams look like?. Facebook Help. Facebook. July 11, 2014 [September 27, 2014]. （原始內容存檔於2022-08-05）.
^ What is Self-XSS?. Facebook Help. Facebook. July 15, 2014 [September 27, 2014]. （原始內容存檔於2023-01-17）.
^ Ilascu, Ionut. Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam. Softpedia. SoftNews NET SRL. July 28, 2014 [September 27, 2014]. （原始內容存檔於2021-11-08）.

外部連結[編輯]

McCaney, Kevin. 4 ways to avoid the exploit in Facebook spam attack. GCN. 1105 Public Sector Media Group. November 16, 2011 [September 28, 2014]. （原始內容存檔於2021-11-07）.

[tomsguide-1] 1.0 ^1.1 Scharr, Jill. Facebook Scam Tricks Users Into Hacking Themselves. Tom's Guide US. Purch. July 28, 2014 [September 27, 2014]. （原始內容存檔於2022-12-05）.

[sophos-2] Social Networking Security Threats. Sophos. n.d. [September 27, 2014]. （原始內容存檔於2021-11-08）.

[firefox656433-3] Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page. Bugzilla. Mozilla Foundation. May 11, 2011 [September 28, 2014]. （原始內容存檔於2022-09-01）.

[chrome82181-4] Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始內容存檔於2015-10-31）.

[firefox994134-5] Bug 994134 – Warn first-time users on pasting code into the console. Bugzilla. Mozilla Foundation. April 9, 2014 [September 28, 2014]. （原始內容存檔於2022-11-27）.

[chrome345205-6] Issue 345205: DevTools: Combat self-XSS. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始內容存檔於2015-12-05）.

[facebookhelp1-7] What do Self-XSS scams look like?. Facebook Help. Facebook. July 11, 2014 [September 27, 2014]. （原始內容存檔於2022-08-05）.

[facebookhelp2-8] What is Self-XSS?. Facebook Help. Facebook. July 15, 2014 [September 27, 2014]. （原始內容存檔於2023-01-17）.

[softpedia-9] Ilascu, Ionut. Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam. Softpedia. SoftNews NET SRL. July 28, 2014 [September 27, 2014]. （原始內容存檔於2021-11-08）.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]