
How To Break Content Security Policy?

Content Security Policy seems really robust, but I don't think it's perfect (and I've seen sources that refer to it as a "partial" prevention for XSS). My question is: what sorts of XSS attacks does it not prevent?

Not all browsers have implemented it, so for users on non-supported browsers it offers no protection.

http://caniuse.com/#search=csp

Even on supported browsers, unless the Content Security Policy is to disable all JavaScript (in-line, internal/external domain) then it still leaves areas open where JavaScript can be run. Which means, if any malicious JavaScript can make its way into those zones, then Content Security Policy will not stop the XSS from happening.

Some examples of where CSP will not stop XSS:

  • If an application is using inline (on the page) JavaScript and the CSP policy allows it. If unencoded/unvalidated/malicious values are put into the page then the browser will run the malicious JavaScript just like it will run the intended JavaScript. (Currently ASP.Net Web Form apps need JavaScript to run on the page, so any malicious input that is displayed will be executed by the browser.)
  • If you are dynamically creating your JS files for your app and unencoded/unvalidated/malicious values are inserted into that file, that will cause an XSS vulnerability.
  • If you are sending pages and/or JavaScript files over http and not https then a MITM attack can modify the values over the wire.
  • If you are loading JavaScript files from a third party domain and their security gets compromised, malicious scripts could be sent to your app instead of the originally intended scripts (think CDNs).

These are just some of the examples I could think of off the top of my head.

Some of these concerns look like they can be mitigated through use of the CSP Level 2 directives, but there is limited support for them.

In short, CSP is a very nice layer of defense, but it should not be your only line of defense. Even though it will not cover everything and not all browsers currently support it, it is an additional layer of security I can use to keep my application and users safe.
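As an added illustration (example code, not part of the answer above), the following checker reads a Content-Security-Policy header and reports the gaps the answer lists: inline script still allowed, scripts fetched over plain http, and third-party script hosts that would need Subresource Integrity or self-hosting. The hostnames and policies are constructed for the example.

```python
"""Flag weak spots in a Content-Security-Policy header (added example)."""

INLINE_ESCAPES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def host_of(source):
    """'https://cdn.example.com:443/lib.js' -> 'cdn.example.com'."""
    rest = source.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()

def csp_weaknesses(header, own_host):
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent
    srcs = policy.get("script-src", policy.get("default-src", []))
    findings = []
    # a nonce or hash makes CSP Level 2+ browsers ignore 'unsafe-inline'
    if "'unsafe-inline'" in srcs and not any(s.startswith(INLINE_ESCAPES) for s in srcs):
        findings.append("inline script allowed: injected <script> or on*= handlers run")
    if "'unsafe-eval'" in srcs:
        findings.append("eval allowed: attacker-controlled strings reaching eval() run")
    for s in srcs:
        if s in ("*", "http:", "https:"):
            findings.append(f"{s} allows scripts from any host")
        elif s.startswith("http://"):
            findings.append(f"{s} loads over plain http: a MITM can rewrite the script")
        elif not s.startswith("'") and not s.endswith(":") and host_of(s) != own_host:
            findings.append(f"third-party host {host_of(s)}: pin with Subresource Integrity or self-host")
    return findings

# Constructed policies for a site served from app.example.com (hypothetical host)
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' http://cdn.example.com"
STRICT_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; "
              "upgrade-insecure-requests")

if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, csp_weaknesses(header, "app.example.com") or ["no findings"])
```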
