What ne Cross-Site Scripting (XSS) kuma ta yaya za ka shafe shi?

Question

Accepted Answer

**Cross-Site Scripting (XSS)** rektshi ne inda mai hari ya ba da jakartar **JavaScript** mai zafi a cikin shafin yanar gida da wasu masu amfani suke kallon - yana aiki a cikin nasu browsers don saci bayani, damre fasalbar aiki, ko aiwatar da ayyuka a matsayinsu. Itace caliscalin yanar gida mai kari kuma mai haɗari, wanda za a iya guje ta hanyar sarrafa fitarwa daidai. ## Yadda XSS ke aiki ```text When user input is rendered into a page WITHOUT proper escaping, injected SCRIPTS run: ``` ```html

Welcome, <%= userInput %>

``` Rubutun da aka ba da shi ya aiki a cikin browsers na wajen waje **kamar da daga shafin da aka amince - yana bai wa mai hari dama ya saci kwastofin aiki, samu jerin wajen gida, dauka bugun buga, ko aiwatawa ayyuka a matsayinsu. ## Nau'ikan XSS ```text STORED → malicious script SAVED on the server (e.g. in a comment) → served to all viewers REFLECTED → script in a request (e.g. a URL parameter) reflected back in the response DOM-based → client-side JS unsafely puts untrusted data into the DOM ``` ## Shafewa ```text ✓ ESCAPE/ENCODE output → render user data as TEXT, not HTML (the key defense): → frameworks (React, Angular, Vue) auto-escape by default → use them properly → escape based on context (HTML, attribute, JS, URL) ✓ AVOID dangerous APIs → innerHTML, dangerouslySetInnerHTML, eval with untrusted data ✓ SANITIZE HTML if you must allow it (e.g. DOMPurify for rich text) ✓ Content Security Policy (CSP) → restricts what scripts can run (defense in depth) ✓ HttpOnly cookies → JS can't read them (limits cookie theft via XSS) ``` ## Me ya sa ya mahalaci fahewa XSS da yadda za ka shafe shi yana da mahimmanci domin itace rektshi mai kari na yanar gida wanda ke bai wa mai hari dama ya aiwatar da rubutu mai zafi a cikin browsers na masu amfani, don haka itace ilimin gaskiya da dole ne masu baiwa yanar gida su sani. fahewa **yadda ya aiki** — cewa zara bayani na mai amfani a cikin shafi ba tare da tsaka-tsaki daidai ba yana ba da dama ga jakartar **JavaScript** ta aiki a cikin browsers na wasu masu amfani a halin da aka amince na gida, wanda ke bai ga mai hari dama ya saci kwastofin aiki da jerin wajen gida, samu aiki na asusu, da aiwatar a matsayinsu — yana da mahimmanci don fahewa da guje rektshi. XSS yana da haɗari domin yana bugi aiki da bayani na masu amfani, kuma yana yawuwa a cikin aikace-aikacen yanar gida wanda ke nuna abin da mai amfani ya samar. fahewa **nau'ikan** (kusar XSS — rubutu mai zafi da aka ajiye a cikin na'ura kuma aka ba wa duk wajen kallon, mafi haɗari; jujjuyuwar XSS — rubutu da ba daga buƙa; tushen DOM XSS — bugy ne na client-side bu DOM )(nene mai haɗari) yana taimakawa fahewa yadda daban-daban ta kai. fahewa **shafewa** yana da mahimmanci: **tsaka-tsaki/bada lambar fitarwa** (zara bayani na mai amfani azaman rubutu, ba HTML — karfi jiya, wanda aikacewan zamani kamar React ke yi ta atomatikanci idan aka yi daidai), **guje API mai haɗari** (innerHTML, dangerouslySetInnerHTML, eval tare da bayani wanda ba a amince — tushen XSS common), **tsaka-tsaki HTML** idan dole ne a bar abin da yawa (misali DOMPurify), **Kundin Tsarkin Yanar gida** (ƙuntatawa aiwatar da rubutu azaman karfi), da **HttpOnly kwastofin** (takewa JS daga karanta su). fahewa cewa aikacewan aiki-escape (don haka amfani da su daidai yana guje kakakin XSS, yayin da yin tsiya wa su tsaya aiki ba shi daidai) yana da mahimmanci a aikace-aikace. Tunda XSS rektshi mai yawuwa kuma mai haɗari wanda ke bugi aiki da bayani na masu amfani, musamman a cikin aikace-aikace da ke nuna abin waje mai amfani, kuma tunda fahewa yadda ya aiki da yadda za ka shafe shi (fitarwa tsaka-tsaki, guje API mai haɗari, CSP, aikacewan tushe) yana da mahimmanci ga masu baiwa yanar gida, fahewa XSS da shafewa shi yana da mahimmanci, ilimi da dole ne - cututtuka na yanar gida ta bade guje, inda sarrafa fitarwa daidai (tsaka-tsaki, amfani da aikacewan tushe, guje API mai haɗari) ilimi mai mahimmanci ne don kariya masu amfani daga jama'a mai yawuwa ta kai.