Xss без xss
Содержание:
Execution Process and API
Similar to , Hubot executes middleware in definition order. Each middleware can either continue the chain (by calling ) or interrupt the chain (by calling ). If all middleware continues, the listener callback is executed and is called. Middleware may wrap the callback to allow executing code in the second half of the process (after the listener callback has been executed or a deeper piece of middleware has interrupted).
Middleware is called with:
-
- a Function with no additional properties that should be called to continue on to the next piece of middleware/execute the Listener callback
- should be called with a single, optional argument: either the provided function or a new function that eventually calls . If the argument is not given, the provided will be assumed.
- a Function with no additional properties that should be called to interrupt middleware execution and begin executing the chain of completion functions.
- should be called with no arguments
Every middleware receives the same API signature of , , and
. Different kinds of middleware may receive different information in the
object. For more details, see the API for each type of middleware.
Error Handling
For synchronous middleware (never yields to the event loop), hubot will automatically catch errors and emit an an event, just like in standard listeners. Hubot will also automatically call the most recent callback to unwind the middleware stack. Asynchronous middleware should catch its own exceptions, emit an event, and call . Any uncaught exceptions will interrupt all execution of middleware completion callbacks.
Listener middleware inserts logic between the listener matching a message and the listener executing. This allows you to create extensions that run for every matching script. Examples include centralized authorization policies, rate limiting, logging, and metrics. Middleware is implemented like other hubot scripts: instead of using the and methods, middleware is registered using .
Documenting Scripts
Hubot scripts can be documented with comments at the top of their file, for example:
The most important and user facing of these is . At load time, Hubot looks at the section of each scripts, and build a list of all commands. The included lets a user ask for help across all commands, or with a search. Therefore, documenting the commands make them a lot more discoverable by users.
When documenting commands, here are some best practices:
- Stay on one line. Help commands get sorted, so would insert the second line at an unexpected location, where it probably won’t make sense.
- Refer to the Hubot as hubot, even if your hubot is named something else. It will automatically be replaced with the correct name. This makes it easier to share scripts without having to update docs.
- For documentation, always prefix with . Hubot will automatically replace this with your robot’s name, or the robot’s alias if it has one
- Check out how man pages document themselves. In particular, brackets indicate optional parts, ‘…’ for any number of arguments, etc.
The other sections are more relevant to developers of the bot, particularly dependencies, configuration variables, and notes. All contributions to hubot-scripts should include all these sections that are related to getting up and running with the script.
Stealing Cookies Using XSS
Criminals often use XSS to steal cookies. This allows them to impersonate the victim. The attacker can send the cookie to their own server in many ways. One of them is to execute the following client-side script in the victim’s browser:
The figure below illustrates a step-by-step walkthrough of a simple XSS attack.
- The attacker injects a payload into the website’s database by submitting a vulnerable form with malicious JavaScript content.
- The victim requests the web page from the web server.
- The web server serves the victim’s browser the page with attacker’s payload as part of the HTML body.
- The victim’s browser executes the malicious script contained in the HTML body. In this case, it sends the victim’s cookie to the attacker’s server.
- The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives at the server.
- The attacker can now use the victim’s stolen cookie for impersonation.
To learn more about how XSS attacks are conducted, you can refer to an article titled A comprehensive tutorial on cross-site scripting.
Cross-site Scripting Attack Vectors
The following is a list of common XSS attack vectors that an attacker could use to compromise the security of a website or web application through an XSS attack. A more extensive list of XSS payload examples is maintained by the OWASP organization: XSS Filter Evasion Cheat Sheet.
<script> tag
The tag is the most straightforward XSS payload. A tag can reference external JavaScript code or you can embed the code within the tag itself.
<body> tag
An XSS payload can be delivered inside the by using event attributes (see above) or other more obscure attributes such as the attribute.
<img> tag
<iframe> tag
The tag lets you embed another HTML page in the current page. An IFrame may contain JavaScript but JavaScript in the IFrame does not have access to the DOM of the parent page due to the Content Security Policy (CSP) of the browser. However, IFrames are still very effective for pulling off phishing attacks.
<input> tag
<link> tag
<table> tag
<div> tag
<object> tag
How to Prevent XSS
To keep yourself safe from XSS, you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.
For more details, refer to the following articles: Preventing XSS Attacks and How to Prevent DOM-based Cross-site Scripting. You can also find useful information in the XSS Prevention Cheat Sheet maintained by the OWASP organization.
How to Prevent Cross-site Scripting (XSS) – Generic Tips
Preventing Cross-site Scripting (XSS) is not easy. Specific prevention techniques depend on the subtype of XSS vulnerability, on user input usage context, and on the programming framework. However, there are certain general strategic principles that you should follow to keep your web application safe.
To keep your web application safe, everyone involved in building the web application must be aware of the risks associated with XSS vulnerabilities. You should provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins. You can start by referring them to this page. |
|
Treat all user input as untrusted. Any user input that is used as part of HTML output introduces a risk of an XSS. Treat input from authenticated and/or internal users the same way that you treat public input. |
|
Use an appropriate escaping/encoding technique depending on where user input is to be used: HTML escape, JavaScript escape, CSS escape, URL escape, etc. Use existing libraries for escaping, don’t write your own unless absolutely necessary. |
|
If the user input needs to contain HTML, you can’t escape/encode it because it would break valid tags. In such cases, use a trusted and verified library to parse and clean HTML. Choose the library depending on your development language, for example, HtmlSanitizer for .NET or SanitizeHelper for Ruby on Rails. |
|
To mitigate the consequences of a possible XSS vulnerability, set the HttpOnly flag for cookies. If you do, such cookies will not be accessible via client-side JavaScript. |
|
To mitigate the consequences of a possible XSS vulnerability, also use a Content Security Policy (CSP). CSP is an HTTP response header that lets you declare the dynamic resources that are allowed to load depending on the request source. |
|
Step 7: Scan regularly (with Acunetix)XSS vulnerabilities may be introduced by your developers or through external libraries/modules/software. You should regularly scan your web applications using a web vulnerability scanner such as Acunetix. If you use Jenkins, you should install the Acunetix plugin to automatically scan every build. |
Немного общей теории
расширение GreaseMonkey для браузера Firefoxhttp://wiki.greasespot.netкриворукостиGM APIGoogle Chrome
- Простым скриптам не нужна поддержка GM API (библиотека, доступная в GreaseMonkey)
- Google Chrome, в отличие от Firefox+GreaseMonkey, имеет отличнейший дебаггер.
- Сообщения об ошибках юзерскрипта в Firefox ужасны! Если вы не обладаете
даром телепатиитвердыми знаниями GreaseMonkey и javascript, написание юзерскрипта может превратится в муки! - Google Chrome не требует расширений для поддержки юзерскриптов. Интерфейс для удаления/отключения юзерскриптов доступен «из коробки».
- Нет доступа к «родному» window.
- Не поддерживается директива @ include метаданных. Директива @ match глючит, можно сказать, что она тоже не поддерживается.