{"id":149,"date":"2025-07-09T10:04:59","date_gmt":"2025-07-09T10:04:59","guid":{"rendered":"https:\/\/www.mucahitakin.com\/blog\/?p=149"},"modified":"2025-07-09T10:06:19","modified_gmt":"2025-07-09T10:06:19","slug":"web-guvenligi-xss-cross-site-scripting-zafiyetlerini-anlamak","status":"publish","type":"post","link":"https:\/\/www.mucahitakin.com\/blog\/web-guvenligi-xss-cross-site-scripting-zafiyetlerini-anlamak\/","title":{"rendered":"Web G\u00fcvenli\u011fi XSS (Cross-site Scripting) Zafiyetlerini Anlamak"},"content":{"rendered":"\n

Web uygulamalar\u0131n\u0131n kullan\u0131c\u0131larla etkile\u015fimi artt\u0131k\u00e7a, g\u00fcvenlik a\u00e7\u0131klar\u0131 da ka\u00e7\u0131n\u0131lmaz hale geliyor. Bu a\u00e7\u0131klar\u0131n en yayg\u0131n ve tehlikeli olanlar\u0131ndan biri XSS (Cross-site Scripting)<\/strong> zafiyetidir. Bu yaz\u0131da, kendi sitem olan mucahitakin.com<\/strong> \u00fczerinden \u00f6rneklerle XSS a\u00e7\u0131klar\u0131n\u0131 nas\u0131l tespit edebilece\u011fimizi, nas\u0131l istismar edildi\u011fini ve nas\u0131l korunabilece\u011fimizi detayl\u0131ca ele alaca\u011f\u0131m.<\/p>\n\n\n\n

XSS Nedir?<\/strong><\/h3>\n\n\n\n

XSS<\/strong>, k\u00f6t\u00fc niyetli kullan\u0131c\u0131lar\u0131n web sayfalar\u0131na zararl\u0131 JavaScript kodlar\u0131 enjekte ederek di\u011fer kullan\u0131c\u0131lar\u0131n taray\u0131c\u0131lar\u0131nda bu kodlar\u0131n \u00e7al\u0131\u015fmas\u0131n\u0131 sa\u011flamas\u0131d\u0131r. Bu sayede kullan\u0131c\u0131lar\u0131n \u00e7erez bilgileri, oturum verileri ya da form girdileri gibi hassas bilgileri \u00e7al\u0131nabilir.<\/p>\n\n\n\n

XSS T\u00fcrleri<\/strong><\/h3>\n\n\n\n
    \n
  1. Stored XSS (Kal\u0131c\u0131 XSS)<\/strong>: K\u00f6t\u00fc ama\u00e7l\u0131 kod, veritaban\u0131na kaydedilir ve her sayfa y\u00fcklendi\u011finde tekrar \u00e7al\u0131\u015f\u0131r.<\/li>\n\n\n\n
  2. Reflected XSS (Yans\u0131t\u0131lan XSS)<\/strong>: Kullan\u0131c\u0131n\u0131n taray\u0131c\u0131s\u0131na URL \u00fczerinden g\u00f6nderilen k\u00f6t\u00fc ama\u00e7l\u0131 kod, do\u011frudan yan\u0131t\u0131n i\u00e7inde yans\u0131t\u0131l\u0131r.<\/li>\n\n\n\n
  3. DOM-based XSS<\/strong>: JavaScript taraf\u0131nda, DOM manip\u00fclasyonuyla ortaya \u00e7\u0131kan a\u00e7\u0131klard\u0131r.<\/li>\n<\/ol>\n\n\n\n

    Senaryo:<\/strong><\/p>\n\n\n\n

    mucahitakin.com \u00fczerinde basit bir yorum formu oldu\u011funu varsayal\u0131m:<\/p>\n\n\n\n

    <form method=\"POST\" action=\"\/yorum-gonder\">\n  <input type=\"text\" name=\"ad\" placeholder=\"Ad\u0131n\u0131z\">\n  <textarea name=\"yorum\" placeholder=\"Yorumunuzu yaz\u0131n\"><\/textarea>\n  <button type=\"submit\">G\u00f6nder<\/button>\n<\/form><\/code><\/pre>\n\n\n\n
    Ve bu yorumlar a\u015fa\u011f\u0131daki gibi sayfaya yans\u0131t\u0131l\u0131yor:<\/p>\n\n\n\n
    <p><strong>Ad:<\/strong> <?= $_POST['ad'] ?><\/p>\n<p><strong>Yorum:<\/strong> <?= $_POST['yorum'] ?><\/p><\/code><\/pre>\n\n\n\n
    Bu durumda kullan\u0131c\u0131, yorum k\u0131sm\u0131na a\u015fa\u011f\u0131daki gibi bir payload g\u00f6nderirse:<\/p>\n\n\n\n
    <script>alert('XSS Testi - mucahitakin.com');<\/script><\/code><\/pre>\n\n\n\n
    Yorum eklendi\u011finde bu script do\u011frudan \u00e7al\u0131\u015facakt\u0131r. \u0130\u015fte bu, klasik bir Stored XSS<\/strong> zafiyetidir.<\/p>\n\n\n\n
    XSS A\u00e7\u0131\u011f\u0131 Nas\u0131l Tespit Edilir?<\/strong><\/h3>\n\n\n\n
    1. Basit Payload Denemeleri<\/strong><\/h4>\n\n\n\n
    <script>alert(1)<\/script>\n<img src=x onerror=alert(2)>\n\"><script>alert(3)<\/script><\/code><\/pre>\n\n\n\n
    Yukar\u0131daki payload\u2019lar form alanlar\u0131na yaz\u0131larak veya URL parametrelerine eklenerek test edilebilir.<\/p>\n\n\n\n
    Otomatik Ara\u00e7larla Tespit<\/strong><\/h4>\n\n\n\n