Self-XSS

Self-XSS（英语：self cross-site scripting），又称“Self型跨站脚本攻击”，是一种可以获得受害者网络账号的社会工程学攻击手段。在Self-XSS攻击中，受害者无意中在浏览器里运行了恶意代码，通过一种称为跨站脚本的漏洞将个人信息暴露给攻击者。^[1]

概述

Self-XSS通过诱骗用户将恶意内容复制并粘贴到浏览器的Web开发者控制台进行攻击。^[1]通常，攻击者会发布一条消息，称通过复制和运行某些代码，用户将能够入侵另一个用户的帐户。实际上，该代码允许攻击者劫持受害者的帐户。^[2]

历史与预防手段

过去也有出现类似的攻击手段，即诱骗用户将恶意JavaScript代码粘贴到地址栏中。当浏览器厂商通过阻止从地址栏中轻松运行 JavaScript 来阻止这一攻击时，^[3]^[4]攻击者开始使用如今的Self-XSS。Web浏览器厂商已经采取措施预防这一攻击。Firefox^[5]以及Google Chrome^[6]通过在浏览器控制台中警告用户防止Self-XSS攻击。Facebook等网站在用户打开控制台时显示警告消息，并附有链接解释这一攻击的原理。^[7]^[8]

词源

名词中的“self”指的是用户攻击自己的事实。“XSS”是跨站脚本的缩写。XSS和Self-XSS攻击都会导致在合法站点上运行恶意代码。然而，这两种攻击手段没有太多共同点，因为 XSS 是针对网站本身的攻击（用户无法保护自己，但可以由网站运营商修复，使他们的网站更安全），而 Self-XSS 是一种针对用户的社会工程攻击（精明的用户可以保护自己免受攻击，但网站运营商对此无能为力）。^[9]

参考资料

[1]
Scharr, Jill. Facebook Scam Tricks Users Into Hacking Themselves. Tom's Guide US. Purch. July 28, 2014 [September 27, 2014]. （原始内容存档于2022-12-05）.
[2]
Social Networking Security Threats. Sophos. n.d. [September 27, 2014]. （原始内容存档于2021-11-08）.
[3]
Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page. Bugzilla. Mozilla Foundation. May 11, 2011 [September 28, 2014]. （原始内容存档于2022-09-01）.
[4]
Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-10-31）.
[5]
Bug 994134 – Warn first-time users on pasting code into the console. Bugzilla. Mozilla Foundation. April 9, 2014 [September 28, 2014]. （原始内容存档于2022-11-27）.
[6]
Issue 345205: DevTools: Combat self-XSS. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-12-05）.
[7]
What do Self-XSS scams look like?. Facebook Help. Facebook. July 11, 2014 [September 27, 2014]. （原始内容存档于2022-08-05）.
[8]
What is Self-XSS?. Facebook Help. Facebook. July 15, 2014 [September 27, 2014]. （原始内容存档于2023-01-17）.
[9]
Ilascu, Ionut. Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam. Softpedia. SoftNews NET SRL. July 28, 2014 [September 27, 2014]. （原始内容存档于2021-11-08）.

外部链接

McCaney, Kevin. 4 ways to avoid the exploit in Facebook spam attack. GCN. 1105 Public Sector Media Group. November 16, 2011 [September 28, 2014]. （原始内容存档于2021-11-07）.

[tomsguide-1] [1]
Scharr, Jill. Facebook Scam Tricks Users Into Hacking Themselves. Tom's Guide US. Purch. July 28, 2014 [September 27, 2014]. （原始内容存档于2022-12-05）.

[sophos-2] [2]
Social Networking Security Threats. Sophos. n.d. [September 27, 2014]. （原始内容存档于2021-11-08）.

[firefox656433-3] [3]
Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page. Bugzilla. Mozilla Foundation. May 11, 2011 [September 28, 2014]. （原始内容存档于2022-09-01）.

[chrome82181-4] [4]
Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-10-31）.

[firefox994134-5] [5]
Bug 994134 – Warn first-time users on pasting code into the console. Bugzilla. Mozilla Foundation. April 9, 2014 [September 28, 2014]. （原始内容存档于2022-11-27）.

[chrome345205-6] [6]
Issue 345205: DevTools: Combat self-XSS. Google Code. Google. May 10, 2011 [September 28, 2014]. （原始内容存档于2015-12-05）.

[facebookhelp1-7] [7]
What do Self-XSS scams look like?. Facebook Help. Facebook. July 11, 2014 [September 27, 2014]. （原始内容存档于2022-08-05）.

[facebookhelp2-8] [8]
What is Self-XSS?. Facebook Help. Facebook. July 15, 2014 [September 27, 2014]. （原始内容存档于2023-01-17）.

[softpedia-9] [9]
Ilascu, Ionut. Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam. Softpedia. SoftNews NET SRL. July 28, 2014 [September 27, 2014]. （原始内容存档于2021-11-08）.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]