通过阴影根突破注入
[英]Breach injection through shadow root
问题描述
I'm not a JS programmer. 
我不是JS程序员。 I don't have enough skill to test it myself, so asking for help. 我没有足够的技能自己进行测试,因此寻求帮助。 Is it possible to inject script or HTML tag into shadow_root element to check for holes on web? 是否可以将script或HTML标记注入shadow_root元素以检查Web上的孔?
For example <script>alert("alert");</script> 例如<script>alert("alert");</script>
Maybe something else like by using <content> ? 也许还可以通过<content> ?
Main question: Is it possible or not? 主要问题:有可能吗?
And additional question: How? 还有一个问题:如何?
1 个解决方案
解决方案1
1 已采纳 2017-10-09 10:19:59
According to what I could dig up in comments, you want to know if your users can inject code in your website pages. 根据我在评论中可以得到的信息,您想知道您的用户是否可以在您的网站页面中注入代码。 The answer is yes, the user has all the rights to play with the DOM in front of him. 答案是肯定的,用户拥有与他面前的DOM一起玩耍的所有权利。 The easy way is by simply opening your favorite browser's developers' tools. 简单的方法是简单地打开您喜欢的浏览器的开发人员工具。
Do it yourself... Open your developer's tools window here, reach the console and write 自己动手...在此处打开开发人员的工具窗口,访问控制台并编写
document.write("<script>alert(\"alert\");</script>");
As you can see, you can change anything even directly on StackOverflow. 如您所见,您甚至可以直接在StackOverflow上进行任何更改。 But that causes absolutely no harm to others, just you. 但这绝对不会对他人造成伤害,仅对您造成伤害。 While you can do that on SO does mean that it is insecure at all! 尽管您可以在SO上做到这一点确实意味着它根本不安全! It is just that your browser has full control on what it received... 只是您的浏览器可以完全控制收到的内容...
Now, the question should be more how can I detect possible points in my application where such injection can be harmful. 现在,问题应该更多地在于如何在应用程序中检测可能有害的注入点。
The answer is simple, never trust client input. 答案很简单,永远不要相信客户的输入。 The server should always validate the inputs, and make sure there is no database injection possible. 服务器应始终验证输入,并确保不可能进行数据库注入。 When displaying user provided content, one should also make sure there is no hidden code tag that would be ran by the browser of the users looking at the webpage. 在显示用户提供的内容时,还应确保没有隐藏的代码标签,这些标签将由查看网页的用户的浏览器运行。
StackOverflow is not suited for this kind of knowledge sharing. StackOverflow不适合这种知识共享。 I suggest you read about website security in general and then find more in depth resources related to your technology stack and the usage you have with your users' input. 我建议您阅读一般的网站安全性,然后再找到与您的技术堆栈以及用户输入的用法有关的更多深入资源。
Also, if you are asking this for a real job task you have been given. 同样,如果您要此项是一项真正的工作任务,则会得到您的帮助。 The most important thing to do would be to tell your manager you are not fit for the task. 最重要的事情是告诉经理您不适合该任务。 Not because you lack the talent, but because you lack the knowledge. 不是因为您缺乏才华,而是因为您缺乏知识。 This shows that you are smart enough to see the task as very important (security IS very important) and you are not willing to play with the company's reputation. 这表明您足够聪明,可以将任务视为非常重要(安全性非常重要),并且您不愿意扮演公司的声誉。
See workplace.stackexchange.com if you'd like to know how to best explain that to your superiors. 见workplace.stackexchange.com如果你想知道如何最好地解释给你的上司。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.