
XSS still possible in modern browsers

I was curious whether XSS is still possible today. I read a lot about browsers preventing it, but I seem to have missed something.

I tried a couple of approaches myself, including the simplest ways, AJAX calls (luckily blocked by the browser) and viewing the content of an <iframe> and <frameset>, no success either way.

I read about DOM XSS, but that will only work if the host has a page where it echoes content from the URL parameters.

Question:

Are modern browsers safe, or are there any reasons why I should log out of every service I use before leaving a page?

whether XSS is still possible today.

Yes, it is.

will only work, if the host has a page where it echoes content from the URL parameters.

XSS is possible when any user input is output, either immediately (for a reflected attack) or later, possibly to a different person (for a stored attack). That is what XSS is.

The Same Origin Policy (and related security features that prevent access to content on a different origin) has nothing to do with XSS.

Are modern browsers safe

XSS is a vulnerability in code provided by the server that takes user input and does something with it. There is no way to tell if user input is an XSS attack or a legitimate submission of data that includes live code. It has to be dealt with by server-provided code, since the input has to be treated with context sensitivity.
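The point the answer makes, that XSS lives in server code that echoes input and must be fixed there with context-sensitive output encoding, shown as an added example (not code from the question or answer). It models a reflected echo (search term) and a stored echo (saved comment shown later) with a constructed sample input; the templates, the `escape_for` helper and its context names are assumptions for illustration.

```python
import html
import json

# Constructed sample input: a "comment" that happens to contain live markup.
USER_INPUT = '<script>console.log("injected")</script>'

# Hypothetical templates standing in for server-side page rendering.
SEARCH_TEMPLATE = "<p>Results for: {{value}}</p>"      # reflected: echoed at once
COMMENT_TEMPLATE = "<li>{{value}}</li>"                # stored: echoed to others later


def render_unsafe(template: str, value: str) -> str:
    """Vulnerable form: user input is concatenated into HTML verbatim."""
    return template.replace("{{value}}", value)


def escape_for(context: str, value: str) -> str:
    """Encode value for the output context it will land in.

    The same input needs different encoding depending on whether it
    ends up as element text, inside a quoted attribute, or inside a
    <script> string literal; this is the 'context sensitivity' above.
    """
    if context == "html":   # element text content
        return html.escape(value, quote=False)
    if context == "attr":   # inside a double-quoted attribute value
        return html.escape(value, quote=True)
    if context == "js":     # inside a JavaScript string literal in <script>
        # JSON-encode, then neutralise "</script>" style breakouts.
        return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    raise ValueError(f"unknown output context: {context}")


def render_safe(template: str, context: str, value: str) -> str:
    """Hardened form: the value is encoded for its context before insertion."""
    return template.replace("{{value}}", escape_for(context, value))


def contains_live_script(page: str) -> bool:
    """Crude check used here to show whether a <script> element survived."""
    return "<script>" in page.lower()


# Stored-XSS model: comments are saved now and rendered for another user later.
comments: list[str] = []


def post_comment(text: str) -> None:
    comments.append(text)


def comments_page_unsafe() -> str:
    return "".join(render_unsafe(COMMENT_TEMPLATE, c) for c in comments)


def comments_page_safe() -> str:
    return "".join(render_safe(COMMENT_TEMPLATE, "html", c) for c in comments)
```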
