{"id":21210,"date":"2026-05-19T10:10:28","date_gmt":"2026-05-19T07:10:28","guid":{"rendered":"https:\/\/sunucun.com.tr\/blog\/xss-acigi-nedir\/"},"modified":"2026-05-19T10:10:47","modified_gmt":"2026-05-19T07:10:47","slug":"xss-acigi-nedir","status":"publish","type":"post","link":"https:\/\/sunucun.com.tr\/blog\/xss-acigi-nedir\/","title":{"rendered":"What Is an XSS Vulnerability?"},"content":{"rendered":"<p><strong>An XSS vulnerability<\/strong> is a type of injection attack in which client-side scripts (usually JavaScript) are injected into a web page, typically in the context of a trusted website. The basic principle is that the attacker gets malicious script code past the target web application's security mechanisms so that it appears to be part of the legitimate content. When a user visits the page, the browser executes the injected script. 
Because these scripts run in the user's browser, they can access the user's session cookies for that site, authentication credentials and other sensitive data.<\/p>\n<figure class=\"wp-block-image aligncenter size-medium is-resized\">\n  <img src=\"https:\/\/sunucun.com.tr\/blog\/wp-content\/uploads\/2026\/05\/text-xss-acigi-nedir.png\" class=\"size-medium aligncenter\" style=\"width:100%;\" alt=\"Conceptual image showing how an XSS vulnerability affects users by injecting malicious scripts into web applications.\" title=\"How XSS Script Injection Works\" loading=\"lazy\" decoding=\"async\"><figcaption>\n    Conceptual image showing how an XSS vulnerability affects users by injecting malicious scripts into web applications.<br \/>\n  <\/figcaption><\/figure>\n<p>Cross-Site Scripting (XSS), one of the most common and dangerous vulnerabilities in web applications, allows attackers to run malicious scripts in users' browsers. This type of attack arises when a web application fails to adequately validate or encode user input. 
An XSS vulnerability can be found on any kind of interactive platform, from a simple website comment field to a complex search engine, and can potentially lead to serious security breaches. In this article we examine in detail what an XSS vulnerability is, its different types, how it works, its potential consequences and how to protect against such attacks.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"XSS_Acigi_ve_Calisma_Prensibi\"><\/span>XSS Vulnerabilities and How They Work<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>An XSS attack generally involves the following steps:<\/p>\n<ol>\n<li>The attacker identifies a vulnerability in the web application. This is usually a place that accepts user input, such as an input field, search bar, comment section or URL parameter.<\/li>\n<li>The attacker injects a malicious script (for example <code>&lt;script&gt;alert('XSS Sald\u0131r\u0131s\u0131!')&lt;\/script&gt;<\/code>, or something more elaborate) into that input.<\/li>\n<li>The web application processes the user's input without properly validating or encoding (escaping) it and prepares it for display as part of an HTML page.<\/li>\n<li>When a victim visits the page containing the malicious script, their browser executes the script along with the legitimate page content.<\/li>\n<li>The running script can be used to steal the user's session cookies, alter the page's content, redirect the user to a different malicious site or perform other malicious actions.<\/li>\n<\/ol>\n<h3><span class=\"ez-toc-section\" id=\"XSS_Saldiri_Turleri\"><\/span>XSS Attack Types<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>XSS attacks fall into three main categories, depending on how the script code is injected into the web application and whether it is stored:<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Depolanmis_Stored_XSS\"><\/span>Stored XSS<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Stored XSS, also known as persistent XSS, is one of the most dangerous types of XSS. In this scenario the malicious script is stored persistently on the web server (for example in a database, on the file system, or in forum posts and comments). When an attacker submits the script to the web application through a form, the application saves it. Afterwards, every time other users visit the page where the script is stored, it runs automatically in their browsers. 
Such an attack can affect a large number of users and cause long-lasting damage.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Yansitilmis_Reflected_XSS\"><\/span>Reflected XSS<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Reflected XSS is also called non-persistent or non-stored XSS. In this type of attack the malicious script is not stored on the web server. Instead, the script is taken directly from the user's request and immediately reflected back to the browser without any validation or encoding. For example, an attacker crafts a URL containing the malicious script and sends it to the victim by e-mail or message. When the victim clicks the link, the script runs directly in their browser. For reflected XSS to succeed, the attacker has to persuade the victim in some way.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"DOM_Tabanli_DOM-based_XSS\"><\/span>DOM-based XSS<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>DOM-based XSS is similar to reflected XSS, but the script is processed and executed on the client side, in the user's browser, rather than on the server side. It is triggered by manipulating the Document Object Model (DOM). In this scenario the malicious script is neither sent directly to the server nor reflected by it. 
Instead, JavaScript running in the browser writes malicious data taken from the URL fragment or other client-side sources into the DOM in an unsafe way, which causes the browser to execute the malicious code. For example, if a web page uses JavaScript to read a parameter from the URL and inserts its content directly into the page, DOM-based XSS can occur.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Bir_XSS_Saldirisinin_Potansiyel_Sonuclari\"><\/span>Potential Consequences of an XSS Attack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When an XSS attack succeeds, attackers can carry out a variety of malicious actions. Their scope depends on the capabilities of the injected script and the security context of the web application. The most common potential consequences are:<\/p>\n<ul>\n<li><strong>Theft of Session Cookies (Session Hijacking):<\/strong> Attackers can access the user's session cookies, which are generally used to authenticate the user. With stolen cookies, an attacker can take over the user's session, log in as that user and obtain all of the user's privileges.<\/li>\n<li><strong>Phishing and Fake Content Injection:<\/strong> Attackers can modify the page's content to display fake login forms or messages. 
This can be used to trick users into entering sensitive information (usernames, passwords, credit card numbers).<\/li>\n<li><strong>Redirection:<\/strong> Victims can be redirected, without noticing, to another malicious website that may serve malware downloads or further phishing attacks.<\/li>\n<li><strong>Malware Distribution:<\/strong> An XSS vulnerability can trigger malware downloads in the user's browser.<\/li>\n<li><strong>Access to User Data:<\/strong> Injected scripts can read any data accessible in the browser (for example browser storage, local storage, IndexedDB) and send it to a server under the attacker's control.<\/li>\n<li><strong>Damage to the Website's Reputation:<\/strong> XSS attacks can seriously damage the reputation of a website or brand; users may hesitate to use a platform that has been compromised.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"XSS_Aciklarini_Onleme_Yontemleri\"><\/span>Methods for Preventing XSS Vulnerabilities<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Protecting against XSS attacks requires adopting a security-focused approach at every stage of web application development. 
The main methods that can be applied to prevent XSS vulnerabilities are:<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Giris_Dogrulama_Input_Validation\"><\/span>Input Validation<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>All input coming from users must be thoroughly validated on the server side. This means accepting only the expected data types, formats and lengths. For example, if someone tries to enter script code into an e-mail field, that input should be rejected. Regular expressions and whitelist (allow-list) based validation are effective techniques for secure input validation.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Cikti_Kodlama_Output_EncodingEscaping\"><\/span>Output Encoding\/Escaping<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>User-supplied data must always be properly encoded before it is written into an HTML page. This means converting special characters (for example <code>&lt;<\/code>, <code>&gt;<\/code>, <code>&amp;<\/code>, <code>\"<\/code>, <code>'<\/code>) into HTML entities (for example <code>&amp;lt;<\/code> in place of <code>&lt;<\/code>). This ensures that the browser interprets injected script code as plain text rather than as HTML. 
Each context (HTML body, HTML attribute, JavaScript, URL, CSS) has its own encoding rules, and using the encoding that matches the context is critical to the safety of the output.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Icerik_Guvenlik_Politikasi_Content_Security_Policy_%E2%80%93_CSP\"><\/span>Content Security Policy (CSP)<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>CSP is a security mechanism supported by modern browsers. Through an HTTP header sent by the web server, it specifies the sources from which the browser may load scripts, styles, images and other content. This can prevent, or at least limit, the execution of malicious scripts injected through XSS attacks, because the script would be loaded from a source the policy does not allow.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"HTTPOnly_ve_Secure_Bayraklari\"><\/span>HTTPOnly and Secure Flags<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Setting the <code>HTTPOnly<\/code> flag on sensitive cookies prevents client-side scripts from accessing them through JavaScript. This means that even if an XSS attack succeeds, the attacker cannot directly steal the session cookies. 
In addition, the <code>Secure<\/code> flag should be used so that cookies are only sent over encrypted (HTTPS) connections.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Web_Uygulama_Guvenlik_Duvari_WAF\"><\/span>Web Application Firewall (WAF)<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>WAFs analyse traffic to and from web applications and can detect and block known attack patterns (such as XSS). A WAF forms a security layer in front of the application and can stop potentially malicious requests from reaching it.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Guvenli_Yazilim_Gelistirme_Yasam_Dongusu_SDLC\"><\/span>Secure Software Development Life Cycle (SDLC)<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Adopting a secure SDLC helps vulnerabilities to be identified and fixed early in the development process. 
Starting with the definition of security requirements, this covers secure coding practices, security testing (static and dynamic analysis) and security audits.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Gelistiriciler_Icin_En_Iyi_Uygulamalar\"><\/span>Best Practices for Developers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Developers need to be proactive in preventing XSS vulnerabilities:<\/p>\n<ul>\n<li><strong>Security Awareness:<\/strong> All developers should be trained in the risks of XSS and other common vulnerabilities and in how to prevent them.<\/li>\n<li><strong>Up-to-date Libraries and Frameworks:<\/strong> Always use the latest library and framework versions that contain security fixes. 
Modern frameworks (such as React, Angular and Vue.js) generally have built-in XSS protection mechanisms, but using them correctly remains the developer's responsibility.<\/li>\n<li><strong>Security Testing:<\/strong>\n<ul>\n<li><strong>Static Application Security Testing (SAST):<\/strong> Automatically detects vulnerabilities by analysing the source code.<\/li>\n<li><strong>Dynamic Application Security Testing (DAST):<\/strong> Finds potential vulnerabilities by testing the running application.<\/li>\n<li><strong>Penetration Testing:<\/strong> Manual tests performed by ethical hackers can uncover complex vulnerabilities that automated tools may miss.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Context-Aware Encoding:<\/strong> Always encode user input according to the context it is inserted into (HTML content, attribute value, JavaScript string literal, URL). 
Encoding for the wrong context can itself leave a vulnerability open.<\/li>\n<\/ul>\n<figure class=\"wp-block-image aligncenter size-medium is-resized\">\n  <img src=\"https:\/\/sunucun.com.tr\/blog\/wp-content\/uploads\/2026\/05\/text2-xss-acigi-nedir.png\" class=\"size-medium aligncenter\" style=\"width:100%;\" alt=\"Illustration of how an XSS vulnerability leads to user data being compromised through script injection in web applications\" title=\"Image of the XSS vulnerability attack process\" loading=\"lazy\" decoding=\"async\"><figcaption>\n    Illustration of how an XSS vulnerability leads to user data being compromised through script injection in web applications<br \/>\n  <\/figcaption><\/figure>\n<p>XSS vulnerabilities are among the oldest and most persistent security problems in web applications. However, rigorous application of the prevention methods described above can significantly reduce the risk of such attacks. Web security is a dynamic field that demands constant effort and attention. It is critical that developers and system administrators stay informed about current security threats and best practices. 
To learn more about these topics, you can visit our <a href=\"https:\/\/sunucun.com.tr\/blog\/siber-guvenlik\/\">cyber security<\/a> category or find additional information about XSS on <a href=\"https:\/\/tr.wikipedia.org\/wiki\/Siteler_aras%C4%B1_betik_%C3%A7al%C4%B1%C5%9Ft%C4%B1rma\" target=\"_blank\" rel=\"noopener\">Wikipedia<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An XSS vulnerability is a type of injection attack in which client-side scripts (usually JavaScript) are injected into a web page, typically in the context of a trusted website. The basic principle is that the attacker gets malicious script code past the target web application's security mechanisms so that it appears to be part of the legitimate content. When a user visits the page, the browser executes the injected script. 
Because these scripts run in the user's browser&hellip;<\/p>\n","protected":false},"author":1,"featured_media":21207,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1525],"tags":[],"class_list":["post-21210","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-siber-guvenlik"],"_links":{"self":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts\/21210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=21210"}],"version-history":[{"count":1,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts\/21210\/revisions"}],"predecessor-version":[{"id":21211,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/posts\/21210\/revisions\/21211"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/media\/21207"}],"wp:attachment":[{"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=21210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=21210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sunucun.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=21210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}