Behavioral extensions are designed to work by acting as modifiers to the existing base of cache directives. Both the new directive and the standard directive are supplied, such that applications which do not understand the new directive will default to the behavior specified by the standard directive, and those that understand the new directive will recognize it as modifying the requirements associated with the standard directive.
In this way, extensions to the cache-control directives can be made without requiring changes to the base protocol. This extension mechanism depends on an HTTP cache obeying all of the cache-control directives defined for its native HTTP-version, obeying certain extensions, and ignoring all directives that it does not understand.
For example, consider a hypothetical new response directive called community which acts as a modifier to the private directive. We define this new directive to mean that, in addition to any non-shared cache, any cache which is shared only by members of the community named within its value may cache the response.
An origin server wishing to allow the UCI community to use an otherwise private response in their shared cache(s) could do so by including both the private directive and the community extension in the Cache-Control header field. A cache seeing this header field will act correctly even if it does not understand the community cache-extension, since it will also see and understand the private directive and thus default to the safe behavior.
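As an added example (not text or code from the RFC), the following Python shows how a shared cache that ignores directives it does not understand falls back to the standard meaning of private, while a cache that implements the hypothetical community extension treats it as a modifier. The parser handles both token and quoted-string directive values; the cache model (a single community name per shared cache) is an assumption for illustration.

```python
import re

# One directive: a token, optionally "=" followed by a token or a quoted-string.
_DIRECTIVE = re.compile(
    r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)'               # directive name (HTTP token)
    r'(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s"]+)))?'   # optional quoted-string or token value
    r'\s*(?:,|$)'                                       # separator or end of field value
)


def parse_cache_control(value):
    """Return {directive_name: value_or_None} for a Cache-Control field value.

    Directive names are case-insensitive; quoted-string values are unquoted.
    Raises ValueError on malformed input instead of guessing.
    """
    directives = {}
    pos = 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            raise ValueError("malformed Cache-Control at offset %d" % pos)
        name, quoted, token = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            directives[name.lower()] = re.sub(r'\\(.)', r'\1', quoted)  # undo quoted-pairs
        else:
            directives[name.lower()] = token
        pos = m.end()
    return directives


def shared_cache_may_store(cache_control, cache_community=None, understands_community=False):
    """Decide whether a shared cache may store a response.

    cache_community:       the community this shared cache serves (assumed label, e.g. "UCI")
    understands_community: whether this cache implements the extension at all
    """
    d = parse_cache_control(cache_control)
    if "no-store" in d:
        return False
    if "private" in d:
        # A cache that does not know the extension ignores it and obeys plain 'private'.
        if not understands_community or "community" not in d:
            return False
        # Extension understood: 'private' is relaxed only for the named community.
        return d["community"] == cache_community
    return True


if __name__ == "__main__":
    header = 'private, community="UCI"'          # constructed sample field value
    print("legacy shared cache:", shared_cache_may_store(header))
    print("UCI shared cache:   ", shared_cache_may_store(header, "UCI", True))
    print("other shared cache: ", shared_cache_may_store(header, "MIT", True))
```

The safe default falls out of the ordering of the checks: the standard directive is evaluated first, and the extension is only consulted by a cache that has explicitly opted into understanding it.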
The Connection general-header field allows the sender to specify options that are desired for that particular connection and MUST NOT be communicated by proxies over further connections.
Connection options are signaled by the presence of a connection-token in the Connection header field, not by any corresponding additional header field(s), since the additional header field may not be sent if there are no parameters associated with that connection option.
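Added example (not from the RFC): a proxy forwarding a message must drop every header named by a connection-token as well as the Connection header itself. The fixed set of hop-by-hop headers used below is the one HTTP/1.1 lists in RFC 2616 section 13.5.1; the header list format and the sample request headers are constructed for this illustration.

```python
# Header fields that are hop-by-hop regardless of any Connection token (RFC 2616 13.5.1).
_ALWAYS_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def connection_tokens(headers):
    """Collect connection-tokens from every Connection field, lower-cased.

    headers: list of (name, value) pairs in the order received.
    """
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            for tok in value.split(","):
                tok = tok.strip().lower()
                if tok:
                    tokens.add(tok)
    return tokens


def strip_hop_by_hop(headers):
    """Return the headers a proxy may forward to the next hop.

    Both the always-hop-by-hop set and anything named in Connection are removed,
    so a sender cannot make options leak across the proxy.
    """
    drop = _ALWAYS_HOP_BY_HOP | connection_tokens(headers)
    return [(name, value) for name, value in headers if name.lower() not in drop]


def forward_headers(headers, via_value):
    """Build the outbound header list: strip first, then append the proxy's own fields.

    Appending after stripping means a client-supplied connection-token can never
    remove a header the proxy itself relies on. via_value is an assumed label.
    """
    return strip_hop_by_hop(headers) + [("Via", via_value)]


if __name__ == "__main__":
    # Constructed sample: the client asks for the connection to close and names an
    # extra per-connection header, which must not travel beyond this hop.
    received = [
        ("Host", "example.test"),
        ("Connection", "close, X-Conn-Option"),
        ("X-Conn-Option", "1"),
        ("Keep-Alive", "timeout=5"),
        ("Accept", "*/*"),
    ]
    for name, value in forward_headers(received, "1.1 proxy.example.test"):
        print("%s: %s" % (name, value))
```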
See section.
The Content-Encoding entity-header field is used as a modifier to the media-type. When present, its value indicates what additional content codings have been applied to the entity-body, and thus what decoding mechanisms must be applied in order to obtain the media-type referenced by the Content-Type header field. Content-Encoding is primarily used to allow a document to be compressed without losing the identity of its underlying media type.
Content codings are defined in section 3. An example of its use is. The content-coding is a characteristic of the entity identified by the Request-URI. Typically, the entity-body is stored with this encoding and is only decoded before rendering or analogous usage. However, a non-transparent proxy MAY modify the content-coding if the new coding is known to be acceptable to the recipient, unless the "no-transform" cache-control directive is present in the message.
If the content-coding of an entity is not "identity", then the response MUST include a Content-Encoding entity-header (section). If the content-coding of an entity in a request message is not acceptable to the origin server, the server SHOULD respond with a status code of Unsupported Media Type.
If multiple encodings have been applied to an entity, the content codings MUST be listed in the order in which they were applied. Additional information about the encoding parameters MAY be provided by other entity-header fields not defined by this specification.
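Added example (not from the RFC) of the ordering rule: codings are listed in the order applied, so a recipient removes them in reverse, and an unknown coding maps to the Unsupported Media Type case (status 415). The size cap is an extra safeguard a practitioner would add against decompression bombs, not an RFC requirement; the cap value and the exception names are assumptions.

```python
import gzip
import zlib

MAX_DECODED = 10 * 1024 * 1024  # assumed cap on the decoded entity-body


class UnsupportedMediaType(Exception):
    """Unknown or unacceptable content-coding (the 415 case the text describes)."""


class PayloadTooLarge(Exception):
    """Decoded entity would exceed the cap (added safety check, not an RFC rule)."""


def _inflate(data, wbits, max_size):
    """Decompress with zlib, stopping as soon as the output exceeds max_size."""
    d = zlib.decompressobj(wbits=wbits)
    out = d.decompress(data, max_size + 1)      # one byte more than allowed, as a tripwire
    if len(out) > max_size:
        raise PayloadTooLarge()
    if not d.eof:
        raise ValueError("truncated or corrupt compressed data")
    return out


_DECODERS = {
    "gzip":     lambda data, cap: _inflate(data, 16 + zlib.MAX_WBITS, cap),
    "x-gzip":   lambda data, cap: _inflate(data, 16 + zlib.MAX_WBITS, cap),
    "deflate":  lambda data, cap: _inflate(data, zlib.MAX_WBITS, cap),  # zlib-wrapped, as RFC 2616 defines it
    "identity": lambda data, cap: data,
}


def parse_content_encoding(value):
    """Split a Content-Encoding value into lower-cased codings, in the order applied."""
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def decode_entity(body, content_encoding, max_size=MAX_DECODED):
    """Undo the listed content-codings, last-applied first."""
    codings = parse_content_encoding(content_encoding or "")
    for coding in reversed(codings):
        decoder = _DECODERS.get(coding)
        if decoder is None:
            raise UnsupportedMediaType(coding)
        body = decoder(body, max_size)
    return body


def encode_entity(body, codings):
    """Apply codings in order; used here only to build constructed sample bodies."""
    for coding in codings:
        if coding == "gzip":
            body = gzip.compress(body)
        elif coding == "deflate":
            body = zlib.compress(body)
        elif coding != "identity":
            raise ValueError("cannot produce coding %r" % coding)
    return body


if __name__ == "__main__":
    sample = encode_entity(b"The quick brown fox", ["deflate", "gzip"])  # constructed
    print(decode_entity(sample, "deflate, gzip"))
```

Listing the codings in the wrong order is not a cosmetic error: decoding "gzip, deflate" against a body produced by deflate-then-gzip fails at the first step, because the zlib wrapper is tried on gzip framing.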
The Content-Language entity-header field describes the natural language(s) of the intended audience for the enclosed entity. Note that this might not be equivalent to all the languages used within the entity-body. The primary purpose of Content-Language is to allow a user to identify and differentiate entities according to the user's own preferred language. Thus, if the body content is intended only for a Danish-literate audience, the appropriate field is.
If no Content-Language is specified, the default is that the content is intended for all language audiences. This might mean that the sender does not consider it to be specific to any natural language, or that the sender does not know for which language it is intended. Multiple languages MAY be listed for content that is intended for multiple audiences. For example, a rendition of the "Treaty of Waitangi," presented simultaneously in the original Maori and English versions, would call for.
However, just because multiple languages are present within an entity does not mean that it is intended for multiple linguistic audiences. An example would be a beginner's language primer, such as "A First Lesson in Latin," which is clearly intended to be used by an English-literate audience. In this case, the Content-Language would properly only include "en".
Content-Language MAY be applied to any media type -- it is not limited to textual documents.
Applications SHOULD use the Content-Length field to indicate the transfer-length of the message-body, unless this is prohibited by the rules in section 4. Any Content-Length greater than or equal to zero is a valid value. Section 4.
The Content-Location entity-header field MAY be used to supply the resource location for the entity enclosed in the message when that entity is accessible from a location separate from the requested resource's URI.
A server SHOULD provide a Content-Location for the variant corresponding to the response entity; especially in the case where a resource has multiple entities associated with it, and those entities actually have separate locations by which they might be individually accessed, the server SHOULD provide a Content-Location for the particular variant which is returned.
The Content-Location value is not a replacement for the original requested URI; it is only a statement of the location of the resource corresponding to this particular entity at the time of the request. However, the Content-Location can be used to differentiate between multiple entities retrieved from a single requested resource, as described in section.
Note: a MIC is good for detecting accidental modification of the entity-body in transit, but is not proof against malicious attacks.
The Content-MD5 header field MAY be generated by an origin server or client to function as an integrity check of the entity-body. Any recipient of the entity-body, including gateways and proxies, MAY check that the digest value in this header field matches that of the entity-body as received. The MD5 digest is computed based on the content of the entity-body, including any content-coding that has been applied, but not including any transfer-encoding applied to the message-body.
If the message is received with a transfer-encoding, that encoding MUST be removed prior to checking the Content-MD5 value against the received entity. This has the result that the digest is computed on the octets of the entity-body exactly as, and in the order that, they would be sent if no transfer-encoding were being applied. There are several consequences of this.
If a body-part has a Content-Transfer-Encoding or Content-Encoding header, it is assumed that the content of the body-part has had the encoding applied, and the body-part is included in the Content-MD5 digest as is -- i. The Transfer-Encoding header field is not allowed within body-parts.
The Content-Range entity-header is sent with a partial entity-body to specify where in the full entity-body the partial body should be applied.
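Added example (not from the RFC) of the Content-MD5 rules above: the transfer-coding is removed first, the digest is taken over the entity-body with its content-coding still applied, and the comparison is constant-time. The chunk builder and the sample body are constructed for the illustration. As the note above says, a matching digest only detects accidental corruption; MD5 gives no protection against deliberate tampering.

```python
import base64
import hashlib
import hmac


def dechunk(message_body):
    """Remove the 'chunked' transfer-coding; raises ValueError on malformed framing."""
    out = bytearray()
    pos = 0
    while True:
        eol = message_body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = message_body[pos:eol].split(b";", 1)[0].strip()  # drop chunk-extensions
        if not size_field:
            raise ValueError("empty chunk-size")
        size = int(size_field, 16)
        if size < 0:
            raise ValueError("negative chunk-size")
        pos = eol + 2
        if size == 0:
            return bytes(out)                # last-chunk; trailers are not needed for the digest
        chunk_data = message_body[pos:pos + size]
        if len(chunk_data) != size or message_body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk_data
        pos += size + 2


def chunk(entity_body, chunk_size):
    """Apply the 'chunked' transfer-coding (used to build the constructed sample)."""
    parts = []
    for i in range(0, len(entity_body), chunk_size):
        piece = entity_body[i:i + chunk_size]
        parts.append(b"%x\r\n%s\r\n" % (len(piece), piece))
    return b"".join(parts) + b"0\r\n\r\n"


def content_md5(entity_body):
    """Content-MD5 value: base64 of the MD5 over the entity-body, content-coding included."""
    return base64.b64encode(hashlib.md5(entity_body).digest()).decode("ascii")


def verify_content_md5(message_body, transfer_encoding, header_value):
    """Strip any transfer-coding, then compare the digest in constant time."""
    if transfer_encoding and transfer_encoding.strip().lower() == "chunked":
        entity_body = dechunk(message_body)
    else:
        entity_body = message_body
    return hmac.compare_digest(content_md5(entity_body), header_value)


if __name__ == "__main__":
    body = b"constructed entity-body bytes, content-coding already applied"  # constructed sample
    wire = chunk(body, 7)
    print("digest over entity-body:", content_md5(body))
    print("verified after dechunking:", verify_content_md5(wire, "chunked", content_md5(body)))
    print("digest over chunked bytes:", verify_content_md5(wire, "chunked", content_md5(wire)))
```

The last line of the demo shows the common implementation mistake: hashing the message-body as it arrived on the wire, transfer-coding included, produces a digest that never matches the sender's.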
Range units are defined in section 3. The header SHOULD indicate the total length of the full entity-body, unless this length is unknown or difficult to determine. Unlike byte-ranges-specifier values (see section). A byte-content-range-spec with a byte-range-resp-spec whose last-byte-pos value is less than its first-byte-pos value, or whose instance-length value is less than or equal to its last-byte-pos value, is invalid.
The recipient of an invalid byte-content-range-spec MUST ignore it and any content transferred along with it. The instance-length specifies the current length of.
Examples of byte-content-range-spec values, assuming that the entity contains a total of bytes:
When an HTTP message includes the content of a single range (for example, a response to a request for a single range, or to a request for a set of ranges that overlap without any holes), this content is transmitted with a Content-Range header, and a Content-Length header showing the number of bytes actually transferred.
When an HTTP message includes the content of multiple ranges (for example, a response to a request for multiple non-overlapping ranges), these are transmitted as a multipart message. See appendix. When a client requests multiple byte-ranges in one request, the server SHOULD return them in the order that they appeared in the request. If the server ignores a byte-range-spec because it is syntactically invalid, the server SHOULD treat the request as if the invalid Range header field did not exist.
Normally, this means return a response containing the full entity. If the server receives a request (other than one including an If-Range request-header field) with an unsatisfiable Range request-header field (that is, all of whose byte-range-spec values have a first-byte-pos value greater than the current length of the selected resource), it SHOULD return a response code of Requested range not satisfiable (section).
The Content-Type entity-header field indicates the media type of the entity-body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET.
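Added example (not from the RFC) covering the Content-Range and Range rules above: a recipient-side validator that rejects an invalid byte-content-range-spec, and a server-side decision that ignores a syntactically invalid Range header, answers a satisfiable one with 206, and an unsatisfiable one with 416 (Requested range not satisfiable) unless If-Range is present. The satisfiability test used is the one from the Range header definition (a byte-range-spec whose first-byte-pos is below the current length, or a non-zero suffix length, is satisfiable); the status-code helper and its return convention are assumptions.

```python
import re

# byte-content-range-spec: "bytes" SP (first-last | "*") "/" (instance-length | "*")
_CONTENT_RANGE = re.compile(r'^bytes (?:(\d+)-(\d+)|\*)/(?:(\d+)|\*)$')
_BYTE_RANGE_SPEC = re.compile(r'^(\d*)-(\d*)$')


def parse_content_range(value):
    """Return (first, last, instance_length) for a valid byte-content-range-spec.

    None means the spec is invalid and the recipient MUST ignore it together
    with the content it came with. Unknown values are returned as None members.
    """
    m = _CONTENT_RANGE.match(value.strip())
    if not m:
        return None
    first, last, length = m.groups()
    length = int(length) if length is not None else None
    if first is None:                      # "bytes */N" form (no range, length only)
        return (None, None, length)
    first, last = int(first), int(last)
    if last < first:                       # last-byte-pos below first-byte-pos: invalid
        return None
    if length is not None and length <= last:   # instance-length not above last-byte-pos: invalid
        return None
    return (first, last, length)


def range_satisfiable(range_value, current_length):
    """Evaluate a Range request-header against the selected resource's length.

    Returns True (at least one satisfiable byte-range-spec), False (none), or
    None when the header is syntactically invalid and should be ignored.
    """
    m = re.match(r'^bytes=(.+)$', range_value.strip())
    if not m:
        return None
    satisfiable = False
    for spec in m.group(1).split(","):
        sm = _BYTE_RANGE_SPEC.match(spec.strip())
        if not sm or (sm.group(1) == "" and sm.group(2) == ""):
            return None
        first, last = sm.groups()
        if first == "":                    # suffix-byte-range-spec: the last N bytes
            if int(last) > 0:
                satisfiable = True
            continue
        if last != "" and int(last) < int(first):
            return None                    # last-byte-pos before first-byte-pos: syntactically invalid
        if int(first) < current_length:
            satisfiable = True
    return satisfiable


def plan_range_response(range_value, current_length, has_if_range=False):
    """Status code a server would choose: 200 (full entity), 206 (partial) or 416."""
    verdict = range_satisfiable(range_value, current_length)
    if verdict is None:
        return 200                         # invalid Range: act as if it were absent
    if verdict:
        return 206
    return 200 if has_if_range else 416


if __name__ == "__main__":
    # Constructed samples against an entity of 1234 bytes.
    for header in ("bytes 0-499/1234", "bytes 500-499/1234", "bytes 0-1234/1234", "bytes */1234"):
        print(header, "->", parse_content_range(header))
    for req in ("bytes=0-499", "bytes=2000-", "bytes=-500", "bytes=500-100"):
        print(req, "->", plan_range_response(req, 1234))
```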
Media types are defined in section 3. An example of the field is. Further discussion of methods for identifying the media type of an entity is provided in section 7. The Date general-header field represents the date and time at which the message was originated, having the same semantics as orig-date in RFC. The field value is an HTTP-date, as described in section 3.
A received message that does not have a Date header field MUST be assigned one by the recipient if the message will be cached by that recipient or gatewayed via a protocol which requires a Date. It SHOULD represent the best available approximation of the date and time of message generation, unless the implementation has no means of generating a reasonably accurate date and time. In theory, the date ought to represent the moment just before the entity is generated. In practice, the date can be generated at any time during the message origination without affecting its semantic value.
Some origin server implementations might not have a clock available. An origin server without a clock MUST NOT assign Expires or Last-Modified values to a response, unless these values were associated with the resource by a system or user with a reliable clock. It MAY assign an Expires value that is known, at or before server configuration time, to be in the past (this allows "pre-expiration" of responses without storing separate Expires values for each resource).
The ETag response-header field provides the current value of the entity tag for the requested variant. The headers used with entity tags are described in sections. The entity tag MAY be used for comparison with other entities from the same resource (see section).
The Expect request-header field is used to indicate that particular server behaviors are required by the client.
A server that does not understand or is unable to comply with any of the expectation values in the Expect field of a request MUST respond with an appropriate error status. The server MUST respond with an Expectation Failed status if any of the expectations cannot be met or, if there are other problems with the request, some other 4xx status. This header field is defined with extensible syntax to allow for future extensions. If a server receives a request containing an Expect field that includes an expectation-extension that it does not support, it MUST respond with an Expectation Failed status.
Comparison of expectation values is case-insensitive for unquoted tokens (including the continue token), and is case-sensitive for quoted-string expectation-extensions.
However, the Expect request-header itself is end-to-end; it MUST be forwarded if the request is forwarded. See section 8. A stale cache entry may not normally be returned by a cache (either a proxy cache or a user agent cache) unless it is first validated with the origin server or with an intermediate cache that has a fresh copy of the entity.
The presence of an Expires field does not imply that the original resource will change or cease to exist at, before, or after that time. The format is an absolute date and time as defined by HTTP-date in section 3.
To mark a response as "already expired," an origin server sends an Expires date that is equal to the Date header value.
See the rules for expiration calculations in section. To mark a response as "never expires," an origin server sends an Expires date approximately one year from the time the response is sent. The presence of an Expires header field with a date value of some time in the future on a response that otherwise would by default be non-cacheable indicates that the response is cacheable, unless indicated otherwise by a Cache-Control header field (section).
The From request-header field MAY be used for logging purposes and as a means for identifying the source of invalid or unwanted requests.
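Added example (not from the RFC) tying together the Date and Expires rules above: a recipient that will cache the message assigns a Date when none is present, a freshness lifetime is derived from Expires minus Date, an unparseable Expires counts as already expired, and the two origin-server conventions (Expires equal to Date, Expires about a year out) are produced by helper functions. The cache policy of treating a response without Expires as not fresh is an assumption of this illustration, as is the header-list representation.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def http_date(dt):
    """Format an aware datetime as an HTTP-date (RFC 1123 form, GMT)."""
    return format_datetime(dt.astimezone(timezone.utc), usegmt=True)


def get_header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def parse_http_date(value):
    """Return an aware UTC datetime, or None if the value is not a usable date."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt is None:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def assign_date_if_missing(headers, now):
    """A recipient that caches or gateways the message MUST give it a Date if it has none."""
    if get_header(headers, "Date") is None:
        return headers + [("Date", http_date(now))]
    return headers


def freshness_lifetime(headers, now):
    """Seconds the response stays fresh per Expires; None when no Expires is present."""
    expires = get_header(headers, "Expires")
    if expires is None:
        return None
    date = parse_http_date(get_header(headers, "Date") or "") or now
    exp = parse_http_date(expires)
    if exp is None:                            # e.g. "Expires: 0": already expired
        return 0
    return max(0, int((exp - date).total_seconds()))


def is_fresh(headers, now):
    """True if the response may be served from cache without revalidation."""
    lifetime = freshness_lifetime(headers, now)
    if lifetime is None:
        return False                           # assumption: no explicit expiry, no freshness
    date = parse_http_date(get_header(headers, "Date") or "") or now
    age = max(0, (now - date).total_seconds())
    return age < lifetime


def _without(headers, name):
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def mark_already_expired(headers, now):
    """Expires equal to the Date value marks the response as already expired."""
    headers = assign_date_if_missing(headers, now)
    return _without(headers, "Expires") + [("Expires", get_header(headers, "Date"))]


def mark_never_expires(headers, now):
    """Expires about one year out is the conventional 'never expires'."""
    headers = assign_date_if_missing(headers, now)
    return _without(headers, "Expires") + [("Expires", http_date(now + timedelta(days=365)))]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)      # constructed clock
    resp = assign_date_if_missing([("Content-Type", "text/plain")], now)
    print(mark_already_expired(resp, now))
    print(is_fresh(mark_never_expires(resp, now), now + timedelta(days=30)))
```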
The interpretation of this field is that the request is being performed on behalf of the person given, who accepts responsibility for the method performed.
In particular, robot agents SHOULD include this header so that the person responsible for running the robot can be contacted if problems occur on the receiving end. The Internet e-mail address in this field MAY be separate from the Internet host which issued the request.
It is strongly recommended that the user be able to disable, enable, and modify the value of this field at any time prior to a request. A "host" without any trailing port information implies the default port for the service requested e.
See sections 5. The If-Match request-header field is used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field.
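Added example (not from the RFC) of evaluating If-Match on the server: the listed entity tags are parsed, compared to the selected variant's current tag using the strong comparison (weak tags never match), and "*" matches whenever any current entity exists. When nothing matches the method must not be performed and the answer is 412 (Precondition Failed). The tuple representation of an entity tag and the function names are assumptions.

```python
import re

# One entity-tag in a list: optional weakness indicator, then a quoted-string.
_ETAG = re.compile(r'\s*(W/)?"((?:[^"\\]|\\.)*)"\s*(?:,|$)')


def parse_etag_list(value):
    """Return [(is_weak, opaque_tag), ...] for an If-Match value, or ["*"] for the wildcard.

    Raises ValueError on malformed input rather than matching loosely.
    """
    if value.strip() == "*":
        return ["*"]
    tags, pos = [], 0
    while pos < len(value):
        m = _ETAG.match(value, pos)
        if not m:
            raise ValueError("malformed entity-tag list at offset %d" % pos)
        tags.append((m.group(1) is not None, m.group(2)))
        pos = m.end()
    return tags


def strong_match(a, b):
    """Strong comparison: both tags strong and octet-for-octet identical."""
    return not a[0] and not b[0] and a[1] == b[1]


def if_match_allows(if_match_value, current_etag):
    """Decide whether a conditional method may proceed.

    current_etag: (is_weak, tag) of the selected variant, or None when no entity exists.
    Returns True to perform the method, False when the server must answer 412.
    """
    tags = parse_etag_list(if_match_value)
    if tags == ["*"]:
        return current_etag is not None
    if current_etag is None:
        return False
    return any(strong_match(t, current_etag) for t in tags)


def status_for_update(if_match_value, current_etag):
    """Status a PUT handler would choose: 412 when the client's copy is stale, 200 otherwise."""
    return 200 if if_match_allows(if_match_value, current_etag) else 412


if __name__ == "__main__":
    current = (False, "xyzzy")                         # constructed current entity tag
    for header in ('"xyzzy"', '"abc", "xyzzy"', 'W/"xyzzy"', '"stale"', '*'):
        print(header, "->", status_for_update(header, current))
```

This is the lost-update guard: a client that obtained an entity tag with its GET sends it back in If-Match on the PUT, and the server refuses the write if someone else has changed the resource in between.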
But how do you verify this legitimacy without asking the user to log in after every single click? Fortunately for users, there is a way of doing that. After successful authentication, the server generates a string that uniquely identifies the current user session. This string is passed in a response header, in the form of cookie data. On subsequent visits to the server, the cookie data will be automatically included in the request.
This data will be used by the server to determine whether the request comes from a legitimate user. Naturally, the security of session cookies then becomes critical. Any interception of this information would enable impersonating a legitimate user. One of the classic ways to transfer session cookie data to an attacker is to send an HTTP request from the user's web browser to an attacker-controlled server. In this case, the request is generated by JavaScript that is embedded on a vulnerable web page.
The cookie data is then transmitted in the parameters of this request. One example of an attack vector could be the following:
In this example, the user's web browser creates an image object in the DOM. After that, it tries to load the image from the address specified in the src attribute. The browser then sends the cookie data to the attacker's site with the corresponding HTTP request handler:
In this case, an attacker only needs to listen to incoming connections, or else configure event logs and obtain cookie data from the log files (this is described later in more detail). JavaScript is a very capable programming language. An attacker can use these abilities, combined with XSS vulnerabilities, simultaneously as part of an attack vector.
So instead of XSS being a way just to obtain critical user data, it can also be a way to conduct an attack directly from the user's browser. These requests can be used to send comments or to conduct financial transactions:.
By exploiting an XSS vulnerability with this attack vector, malicious actors can transfer any specified amount of money to their accounts. This allows an attacker to change how the website appears to the user, such as by creating fake input forms. If a vulnerable web application permits modifications to the DOM model, an attacker could inject a fake authentication form into the web page by using the following attack vector:.
Any credentials that a user enters in this form will be sent as a POST request to the evil. Opportunities for exploiting XSS vulnerabilities are not limited to executable scripts.
If an attacker has an Internet server, malicious scripts can be loaded directly from it. An attacker could deploy the following script to capture keystrokes:. The script here implements a keystroke interceptor that saves the corresponding character and timestamp to the internal buffer. It also implements a function that sends data stored in the buffer twice per second to the evil.
In order to embed this keylogger script on a target web page, actors can use the following attack vector:. After the exploit is triggered, the user's keystrokes on the web page will be redirected to the attacker server:.
The screenshot shows entries from the event log on the attacker server. In this example, the user has typed "James" on the keyboard. These records show keystrokes presented in JSON format: the field "k" contains a character and the field "t" contains the corresponding timestamp. From these examples and attack vectors, it is clear that a successful XSS attack on a vulnerable web application gives attackers a very powerful tool.
With XSS, attackers have the capability to:
Cross-site scripting attacks can also be leveraged for financial benefit in more indirect ways. Impact typically depends on the type of XSS vulnerability (for example, stored or reflected), difficulty of implementation, and whether it requires authentication (perhaps not everybody has access to the page in question).
Other factors include what, if any, additional actions are required from the user; whether the attack is triggered reliably; and what exactly a potential attacker could gain. If the site does not contain private information (because there is no authentication or distinction between users), then the impact is minimal.
A website might have stored XSS, resulting in High impact. However, if you need a certain level of access to visit that site, then the impact is reduced to Medium. It's also important to mention that in any case, impact depends on the author's assessment of criticality—researchers have their own viewpoints. XSS vulnerabilities can be of high severity, but typically they receive scores below those given to other types of attacks.
Severity levels are those valid as of the vulnerability publication date. A vulnerability in Wonderware Information Server allows attackers to inject arbitrary code into a web page viewed by other users or to bypass client-side security in web browsers. The attack can be initiated remotely and no authentication is required for successful exploitation. The best way to test your own application, or one for which you have source code, is by combining manual and automated techniques.
Static code analysis should be able to detect a number of XSS vulnerabilities. How well detection works depends heavily on the scanner. Different scanners vary in vectors and techniques, so some will be more reliable than others, and none of them will be perfect.
For example, there is a chance that a manual tester will be able to find issues that a black-box scanner missed. Another hazard to bear in mind is the possibility of false positives. Combining techniques and tools will improve the outcome, but certain issues will still take manual work to identify. Here is a video from our colleague with an example.
This particular case involves vulnerabilities in the Acorn JavaScript parser. Many other parsers have this vulnerability as well. If the parser can't recognize the JavaScript code in any part of the page, then this code will not be correctly passed to the analyzer.
This means that by tricking the parser, it is possible to make a successful XSS attack that bypasses the scanner entirely. The specific code that is not recognized by the Acorn parser as of the time of the video's release is presented below. In both cases, the program did not find potential XSS vulnerabilities in the code.
We can conclude that manual testing is likely the most effective method—as long you know what you're doing. Trial and error are unavoidable. But if you inject code, check the resulting HTML page, and see what happens after you change the vector, you are sure to find things.
BurpSuite or Acunetix can automate this process. After automatic verification, make sure to manually check filtering on any form of text input. The next step is analyzing the JavaScript code of the project. BlueClosure can automatically test the entire frontend. After eliminating vulnerabilities that can be found automatically, pay special attention to where the application displays user input and where it's passed to the server and subsequently being saved to the database.
Then consider not only the JavaScript code, but all parts of the system as a whole. For example, some elements involve turning user input data into links or other hypertext elements.
Embedding a link like "javascript: alert 1 " in a website field in a user profile is a very frequent vector in successful attacks. Any parser that converts text to HTML potentially opens the door to malicious code.
To get a better understanding of XSS vulnerabilities, let's analyze each of the major threat vectors. This one is a relatively simple XSS script. It can be placed as an external script reference (external payload) or embedded within the script tag itself. These are embedded in many different tags. This list is not comprehensive. Standalone scanners are mostly self-written by pentesters, who adjust them as needed. Most XSS testing tools are a part of larger, more comprehensive vulnerability scanners.
Research shows that most vulnerabilities are caused by errors in source code. Therefore, it is important that your cybersecurity arsenal include a comprehensive source code analysis solution, such as PT Application Inspector.
This is an enterprise solution that combines static, dynamic, and interactive approaches to make testing robust and thorough. For a more detailed look at how PT AI performs in practice, we've prepared a quick rundown of its capabilities at the end of this article. From a technical point of view, XSS is an injection-class vulnerability, in which the attacker manipulates the logic of the web application in a browser. So to prevent such vulnerabilities, one needs to thoroughly check any data that enters the application from the outside.
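Added example (not from the article or from PT Application Inspector) of the check the last paragraphs call for, applied to the profile-link case above: user-supplied text is HTML-escaped on output, and a user-supplied URL is only placed in an href if its scheme is on an allowlist after control characters (which browsers skip when reading a scheme, so a literal comparison would miss them) have been rejected. The allowlist, the link markup and the function names are assumptions for this illustration.

```python
import html
import re
import urllib.parse

# Schemes a user-supplied link may use (assumed allowlist); everything else is rejected.
_SAFE_SCHEMES = {"http", "https", "mailto"}
# ASCII control characters and space: browsers strip or skip these when parsing a
# scheme, so "java\tscript:" still runs. Reject rather than try to normalise.
_CTRL_OR_SPACE = re.compile(r'[\x00-\x20\x7f]')


def safe_href(user_url):
    """Return an attribute-safe href, or None if the URL must not be linked.

    Relative URLs (no scheme) are allowed; any absolute URL must use an allowed scheme.
    """
    if _CTRL_OR_SPACE.search(user_url):
        return None
    parsed = urllib.parse.urlsplit(user_url)     # urlsplit lower-cases the scheme
    if parsed.scheme and parsed.scheme not in _SAFE_SCHEMES:
        return None
    return html.escape(user_url, quote=True)


def render_text(user_text):
    """Escape user text for an HTML text node or attribute value."""
    return html.escape(user_text, quote=True)


def render_profile_link(display_text, user_url):
    """Render a profile field as a link when the URL passes, otherwise as plain text."""
    href = safe_href(user_url)
    if href is None:
        return render_text(display_text)
    return '<a href="%s" rel="noopener noreferrer">%s</a>' % (href, render_text(display_text))


if __name__ == "__main__":
    # Constructed profile inputs: one ordinary link, one that must be refused.
    print(render_profile_link("my site", "https://example.test/u?a=1&b=2"))
    print(render_profile_link("<b>me</b>", "javascript:alert(1)"))
```

The important property is that the decision is made on the server at output time, independently of what the client-side parser or a scanner happens to recognise: whatever the stored text contains, it reaches the page either escaped or not at all.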
This plan divides the state into sixteen local EAS areas for planning purposes. The National Weather Service (NWS) is also included in the process for using EAS to disseminate critical emergency weather information to the public and government officials.
The EAS takes advantage of digital technology that will ultimately allow home devices such as AM and FM radios, TVs, or unique receivers to be turned on and an alarm sounded so the listener can hear the message. It will also allow devices serving the hearing and sight impaired to receive the message. As outlined in the State EAS Plan, all "signal originators" will initiate an alert message from one of the "smart box" devices.