Self-XSS

Self-XSS（英語：self cross-site scripting），又稱「Self型跨站脚本攻击」，是一种可以获得受害者网络账号的社会工程学攻击手段。在Self-XSS攻击中，受害者无意中在浏览器里运行了恶意代码，通过一种称为跨站脚本的漏洞将个人信息暴露给攻击者。^[1]

概述[编辑]

Self-XSS通过诱骗用户将恶意内容复制并粘贴到浏览器的Web开发者控制台进行攻击。^[1]通常，攻击者会发布一条消息，称通过复制和运行某些代码，用户将能够入侵另一个用户的帐户。实际上，该代码允许攻击者劫持受害者的帐户。^[2]

历史与预防手段[编辑]

过去也有出现类似的攻击手段，即诱骗用户将恶意JavaScript代码粘贴到地址栏中。当浏览器厂商通过阻止从地址栏中轻松运行 JavaScript 来阻止这一攻击时，^[3]^[4]攻击者开始使用如今的Self-XSS。Web浏览器厂商已经采取措施预防这一攻击。Firefox^[5]以及Google Chrome^[6]通过在浏览器控制台中警告用户防止Self-XSS攻击。Facebook等网站在用户打开控制台时显示警告消息，并附有链接解释这一攻击的原理。^[7]^[8]

词源[编辑]

名词中的“self”指的是用户攻击自己的事实。“XSS”是跨站脚本的缩写。XSS和Self-XSS攻击都会导致在合法站点上运行恶意代码。然而，这两种攻击手段没有太多共同点，因为 XSS 是针对网站本身的攻击（用户无法保护自己，但可以由网站运营商修复，使他们的网站更安全），而 Self-XSS 是一种针对用户的社会工程攻击（精明的用户可以保护自己免受攻击，但网站运营商对此无能为力）。^[9]

参考资料[编辑]

^ ^1.0 ^1.1 Scharr, Jill. Facebook Scam Tricks Users Into Hacking Themselves. Tom's Guide US. Purch. July 28, 2014 [September 27, 2014]. （原始内容存档于2022-12-05）.
^ Social Networking Security Threats. Sophos. n.d. [September 27, 2014]. （原始内容存档于2021-11-08）.
^ Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page. Bugzilla. Mozilla Foundation. May 11, 2011 [September 28, 2014]. （原始内容存档于2022-09-01）.
^ Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-10-31）.
^ Bug 994134 – Warn first-time users on pasting code into the console. Bugzilla. Mozilla Foundation. April 9, 2014 [September 28, 2014]. （原始内容存档于2022-11-27）.
^ Issue 345205: DevTools: Combat self-XSS. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-12-05）.
^ What do Self-XSS scams look like?. Facebook Help. Facebook. July 11, 2014 [September 27, 2014]. （原始内容存档于2022-08-05）.
^ What is Self-XSS?. Facebook Help. Facebook. July 15, 2014 [September 27, 2014]. （原始内容存档于2023-01-17）.
^ Ilascu, Ionut. Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam. Softpedia. SoftNews NET SRL. July 28, 2014 [September 27, 2014]. （原始内容存档于2021-11-08）.

外部链接[编辑]

McCaney, Kevin. 4 ways to avoid the exploit in Facebook spam attack. GCN. 1105 Public Sector Media Group. November 16, 2011 [September 28, 2014]. （原始内容存档于2021-11-07）.

[tomsguide-1] 1.0 ^1.1 Scharr, Jill. Facebook Scam Tricks Users Into Hacking Themselves. Tom's Guide US. Purch. July 28, 2014 [September 27, 2014]. （原始内容存档于2022-12-05）.

[sophos-2] Social Networking Security Threats. Sophos. n.d. [September 27, 2014]. （原始内容存档于2021-11-08）.

[firefox656433-3] Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page. Bugzilla. Mozilla Foundation. May 11, 2011 [September 28, 2014]. （原始内容存档于2022-09-01）.

[chrome82181-4] Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-10-31）.

[firefox994134-5] Bug 994134 – Warn first-time users on pasting code into the console. Bugzilla. Mozilla Foundation. April 9, 2014 [September 28, 2014]. （原始内容存档于2022-11-27）.

[chrome345205-6] Issue 345205: DevTools: Combat self-XSS. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-12-05）.

[facebookhelp1-7] What do Self-XSS scams look like?. Facebook Help. Facebook. July 11, 2014 [September 27, 2014]. （原始内容存档于2022-08-05）.

[facebookhelp2-8] What is Self-XSS?. Facebook Help. Facebook. July 15, 2014 [September 27, 2014]. （原始内容存档于2023-01-17）.

[softpedia-9] Ilascu, Ionut. Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam. Softpedia. SoftNews NET SRL. July 28, 2014 [September 27, 2014]. （原始内容存档于2021-11-08）.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]