[英]is this possible as an XSS exploit in Javascript
I'm working through some legacy apps and curious whether this would be a viable XSS exploit?我正在研究一些遗留应用程序,并很好奇这是否是一个可行的 XSS 漏洞?
code:代码:
<div id="demo"></div>
<script>
document.getElementById("demo").innerHTML = '<script src="/me.js"></script>';
</script>
I don't think so but there's smarter people out there than me.我不这么认为,但那里有比我更聪明的人。 Is there a variation of this?这有变化吗?
This in itself is harmless:这本身是无害的:
document.getElementById("demo").innerHTML = '<script src="/me.js"></script>';
HTML5 specifies that a tag inserted with innerHTML should not execute. HTML5 指定不应执行插入了innerHTML 的标签。 1 1
However (and since you're asking), there may be a remote chance (admittedly) that this could still be exploited:但是(并且既然你在问),可能(不可否认)这仍然可以被利用的可能性很小:
// This is the backdoor that an attacker has to inject somehow Object.defineProperty(Element.prototype, 'innerHTML', { set: function (value) { const script = document.createElement('script'); script.textContent = `alert('gotcha! ${value}')`; document.body.appendChild(script); } }); // This is what you're doing in your app document.getElementById("demo").innerHTML = '<script src="/me.js"><\\/script>';
<div id="demo"></div>
As you can see it'd be easy to parse and extract the url and re-inject the script into the page.如您所见,解析和提取 url 并将脚本重新注入页面很容易。
Nowadays, using innerHTML
is most likely going to be discouraged.如今,很可能不鼓励使用innerHTML
。 Example:例子:
Warning: If your project is one that will undergo any form of security review, using innerHTML most likely will result in your code being rejected.警告:如果您的项目将接受任何形式的安全审查,则使用 innerHTML 很可能会导致您的代码被拒绝。 For example, if you use innerHTML in a browser extension and submit the extension to addons.mozilla.org, it will not pass the automated review process.例如,如果您在浏览器扩展程序中使用了 innerHTML 并将扩展程序提交到 addons.mozilla.org,它将不会通过自动审核过程。 1 1
React has an interesting way (IMHO) to discourage you from using it: React 有一种有趣的方式(恕我直言)阻止你使用它:
dangerouslySetInnerHTML is React's replacement for using innerHTML in the browser DOM. risklySetInnerHTML 是 React 在浏览器 DOM 中使用 innerHTML 的替代品。 In general, setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) attack.一般来说,从代码中设置 HTML 是有风险的,因为很容易在不经意间将用户暴露给跨站点脚本 (XSS) 攻击。 So, you can set HTML directly from React, but you have to type out dangerouslySetInnerHTML and pass an object with a __html key, to remind yourself that it's dangerous.所以,你可以直接从 React 设置 HTML,但你必须输入危险的 SetInnerHTML 并传递一个带有 __html 键的对象,以提醒自己这是危险的。 2 2
Finally, I think it's worth mentioning that both epascarello and E. Sundin have a valid point.最后,我认为值得一提的是 epascarello 和 E. Sundin 都有一个有效的观点。 We know that <script>
won't load and/or execute when injected via innerHTML
but it doesn't mean that you're safe:我们知道<script>
在通过innerHTML
注入时不会加载和/或执行,但这并不意味着您是安全的:
<div id="demo"></div> <script> document.querySelector('#demo').innerHTML = '<img src="x.gif" onerror="alert(42)">'; </script>
References参考
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.