[英]XSS with data coming from client but not saving in DB
Maybe it's simple question but I would like to discuss it with other specialists. 也许这是一个简单的问题,但我想与其他专家讨论。
The problem. 问题。
User submits some form (for example post new thread at forum). 用户提交某种形式(例如,在论坛上发布新主题)。 His browser send data to web application, web application purifies data from js code and saves it to DB.
他的浏览器将数据发送到Web应用程序,Web应用程序从js代码中净化数据并将其保存到DB。 That's ok.
没关系。
Another case - user submits data to web application but he makes some error in data and the web application returns its data (without saving it to DB), put them in form (in order user not to fulfill all again) and displayes message error. 另一种情况-用户向Web应用程序提交数据,但是他在数据中犯了一些错误,Web应用程序返回了它的数据(没有将其保存到DB),将它们放入表格中(以使用户不再履行全部任务)并显示消息错误。
The question. 问题。
I've read somewhere that the following attack can be done - user follow some link (foreign link) that redirects to our site and sends with it data with js. 我读过某处可以进行以下攻击的用户-用户遵循一些链接(外部链接),该链接重定向到我们的网站并使用js发送数据。 So the question - should we purify data in second case?
那么问题来了-我们应该在第二种情况下净化数据吗?
All you have to do is to submit the form by AJAX. 您要做的就是通过AJAX提交表单。
$("#myForm").ajaxForm({url: 'server.php', type: 'post'})
or 要么
$("#myForm").ajaxSubmit({url: 'server.php', type: 'post'})
If the data was: 如果数据是:
No need for additional functionality like "purify data". 无需其他功能,例如“净化数据”。
Do you mean a CSRF attack (Cross Site Request Forgery)? 您是指CSRF攻击(跨站请求伪造)吗?
This is where if your site has a form, say it is example.com
: 如果您的网站具有表单,则在这里说是
example.com
:
<form method="post" action="/postThread.php">
an attacker could include a similar form on their website: 攻击者可能会在其网站上包含类似的表格:
<form method="post" action="https://example.com/postThread.php">
and entice the victim to visit their site whilst they are also logged into example.com
. 并诱使受害者访问他们的网站,同时他们也登录了
example.com
。
They could include some JavaScript to submit their form (either by submitting the HTML form, possibly loaded in an IFrame or by AJAX). 它们可能包含一些JavaScript以提交表单(通过提交HTML表单(可能已加载到IFrame中或通过AJAX提交))。 The end result is that the thread would be started on your site by the attacker, under the identity of the victim, as the victim's cookies would be submitted with the POST.
最终结果是,攻击者将以受害者的身份在您的站点上启动线程,因为受害者的cookie将与POST一起提交。
A quick way to defend against this is to set and check the X-Requested-With
header if all your POSTs are done via AJAX. 一种防止这种情况的快速方法是,如果所有POST都是通过AJAX完成的,则设置并检查
X-Requested-With
标头。 If not, you may want to look into the OWASP recommended Synchronizer Token Pattern . 如果没有,您可能需要查看OWASP建议的Synchronizer Token Pattern 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.