
Getting around the XSS filter in web browser control

I am working on a pet project and need to overcome a major hurdle in an application. I have checked countless forums and articles and have only found bits and pieces of what I am looking for, so I hope a more direct approach will help me.

Here's the scenario:

  1. The site is actually a game, which uses Javascript/JSON with DHTML on a page that has several IFRAMES - two of which are deeper inside the outside page AND of a separate domain.

  2. There are NO security issues with what I am trying to do. All programming and access is limited to merely simplifying and automating normally access functions only. All authentication and private information is done prior to any access, and only the session information will ever be used, and only to facilitate game operations that the user knows will happen.

  3. The idea is to use the webbrowser control to access the game and provide ordinary access, while the app hosting the browser gets the game session information and makes separate automated calls to the game servers. This has already been done via Firefox using Greasemonkey scripting, and it works well - except that Firefox has a horrible memory leak that eventually causes the whole operation to break down.

The problem I am running into is obvious. I am trying to access the iframe that is technically on a different domain, and the web browser DOM model won't let me in. I have seen enough articles to know there are several workarounds to XSS filter blocks but they are quite vague and vary depending on scenario.

So, I will outline exactly what I need in hopes that I can obtain an amicable solution...

  1. I need to obtain the DOM of a nested IFRAME of a different domain. If need be I could live with just the source, but the DOM and the JS vars would be the most ideal. My strategy here is to use the session information and make HttpWebRequest calls parallel to the web browser in-game. That way I can automate some functions while still playing. It can be done - if I can get the session information and pass it the same way. It will all be done on the same client with the user's permission and knowledge, so no security issues.

  2. I would really like it if I could pass information BACK to that IFRAME. One of the major things this project is trying to do is make some visual changes to simplify the look and feel of the interface. It is all in HTML, so changes would simply be adding some in-line styling of JS code...

So anyways, what ideas and suggestions would work best? At this point I am open to all scenarios, but ideally something as simple as possible to get what I need. This is already a huge project :).

Thanks in advance!

If you are in control of all sites in question, you could use postMessage to communicate. Also there is easyXDM which provides a set of transports that also work in older browsers (and automatically picks the best one).

https://developer.mozilla.org/en-US/docs/Web/API/window.postMessage
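
The postMessage approach from the answer above, sketched as an added example that is not part of the original answer: both sides must cooperate, and each handler checks the sender's exact origin and the message shape before acting. The origins, message types, state fields and the `iframe#game` selector are hypothetical.

```javascript
// Added example; origins, message types and element id are assumptions.
const PARENT_ORIGIN = "https://app.example";   // assumed host page origin
const FRAME_ORIGIN = "https://game.example";   // assumed iframe origin

// Runs inside the iframe: answers only known requests from the expected parent.
function makeFrameHandler(state) {
  return function onMessage(event) {
    if (event.origin !== PARENT_ORIGIN) return false;   // exact match, no substring tests
    const msg = event.data;
    if (typeof msg !== "object" || msg === null) return false;
    if (msg.type === "get-status") {
      // Reply to the sender with an explicit targetOrigin, never "*".
      event.source.postMessage({ type: "status", level: state.level }, event.origin);
      return true;
    }
    if (msg.type === "set-theme" && ["light", "dark"].includes(msg.theme)) {
      state.theme = msg.theme;                           // allow-listed values only
      return true;
    }
    return false;                                        // unknown message type: ignore
  };
}

// Runs in the parent: accepts replies only from the iframe's origin and window.
function makeParentHandler(frameWindow, onStatus) {
  return function onMessage(event) {
    if (event.origin !== FRAME_ORIGIN || event.source !== frameWindow) return false;
    const msg = event.data;
    if (!msg || msg.type !== "status" || !Number.isInteger(msg.level)) return false;
    onStatus(msg.level);
    return true;
  };
}

// Parent-side browser wiring (skipped when no DOM is present). Inside the iframe:
//   window.addEventListener("message", makeFrameHandler(state));
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.querySelector("iframe#game");   // hypothetical element id
  if (frame) {
    window.addEventListener("message", makeParentHandler(frame.contentWindow, console.log));
    frame.addEventListener("load", () =>
      frame.contentWindow.postMessage({ type: "get-status" }, FRAME_ORIGIN));
  }
}
```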

It's possible to bypass XSS checks and access iframes through IOleContainer, as described here. The sample is in C++, but it should not be a problem to do the same from C# with COM interop.
