汉英对照:
Chinese-English Translation:
XSS(Cross Site Scripting)的中文意思为“跨站脚本漏洞”,XSS攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序。
XSS (cross site scripting) means “cross site scripting vulnerability” in Chinese. XSS attack usually refers to injecting malicious instruction code into the web page through ingenious methods by taking advantage of the vulnerability left by web page development, so that users can load and execute the web page program maliciously created by the attacker.
XSS(Cross Site Scripting)的中文意思为“跨站脚本漏洞”,XSS 攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序。
XSS (cross site scripting) means “cross site scripting vulnerability” in Chinese. XSS attack usually refers to injecting malicious instruction code into the web page through ingenious methods by taking advantage of the vulnerability left by web page development, so that users can load and execute the web page program maliciously created by the attacker.
这些恶意网页程序通常是 JavaScript,但实际上也可以包括 Java、 VBScript、ActiveX、 Flash 或者甚至是普通的 HTML。攻击成功后,攻击者可能得到包括但不限于更高的权限(如执行一些操作)、私密网页内容、会话和 cookie 等各种内容。
These malicious web programs are usually JavaScript, but they can also include Java, VBScript, ActiveX, flash or even plain HTML. After the attack is successful, the attacker may obtain various contents including but not limited to higher permissions (such as performing some operations), private web page content, session and cookie.
人们经常将跨站脚本攻击(Cross Site Scripting)缩写为 CSS,但这会与层叠样式表(Cascading Style Sheets,CSS)的缩写混淆。因此,有人将跨站脚本攻击缩写为 XSS。
Cross site scripting is often abbreviated to CSS, but this can be confused with the abbreviation of cascading style sheets (CSS). Therefore, some people abbreviate cross site scripting attacks to XSS.
跨站脚本攻击(XSS),是最普遍的 Web 应用安全漏洞。这类漏洞能够使得攻击者嵌入恶意脚本代码到正常用户会访问到的页面中,当正常用户访问该页面时,则可导致嵌入的恶意脚本代码的执行,从而达到恶意攻击用户的目的。
Cross site scripting (XSS) is the most common security vulnerability in web applications. This kind of vulnerability can enable attackers to embed malicious script code into the page that normal users will visit. When normal users visit the page, it can lead to the execution of embedded malicious script code, so as to achieve the purpose of malicious attacks on users.
攻击者可以使用户在浏览器中执行其预定义的恶意脚本,其导致的危害可想而知,如劫持用户会话,插入恶意内容、重定向用户、使用恶意软件劫持用户浏览器、繁殖 XSS 蠕虫,甚至破坏网站、修改路由器配置信息等。
The attacker can enable users to execute their predefined malicious script in the browser, and the harm caused by it can be imagined, such as hijacking user’s session, inserting malicious content, redirecting users, hijacking user’s browser with malicious software, breeding XSS worms, even damaging websites, modifying router configuration information, etc.
XSS 漏洞可以追溯到上世纪 90 年代。大量的网站曾遭受 XSS 漏洞攻击或被发现此类漏洞,如 Twitter、Facebook、MySpace、Orkut、新浪微博和百度贴吧。研究表明,最近几年 XSS 已经超过缓冲区溢出成为最流行的攻击方式,有 68%的网站可能遭受此类攻击。根据开放网页应用安全计划(Open Web Application Security Project)公布的 2010 年统计数据,在 Web 安全威胁前 10 位中,XSS 排名第 2,仅次于代码注入(Injection)。
XSS vulnerabilities can be traced back to the 1990s. A large number of websites have been attacked or discovered by XSS vulnerabilities, such as twitter, Facebook, MySpace, Orkut, Sina Weibo and Baidu Weibo. Research shows that XSS has become the most popular attack mode in recent years, which is more than buffer overflow. 68% of websites are likely to suffer from such attacks. According to the statistics of 2010 released by the open web application security project, XSS ranks the second in the top 10 web security threats, second only to code injection.
