堆栈内存溢出
  简体   繁体   English

这是否可能作为 Javascript 中的 XSS 漏洞利用

[英]is this possible as an XSS exploit in Javascript

 原文  2019-01-23 21:53:09       javascript/ xss

问题描述

I'm working through some legacy apps and curious whether this would be a viable XSS exploit?我正在研究一些遗留应用程序,并很好奇这是否是一个可行的 XSS 漏洞?

code:代码:

<div id="demo"></div>

<script>

document.getElementById("demo").innerHTML = '<script src="/me.js"></script>';
</script>

I don't think so but there's smarter people out there than me.我不这么认为,但那里有比我更聪明的人。 Is there a variation of this?这有变化吗?

1 个解决方案

解决方案1
 0  2019-02-17 01:45:20

This in itself is harmless:这本身是无害的:

document.getElementById("demo").innerHTML = '<script src="/me.js"></script>';

HTML5 specifies that a tag inserted with innerHTML should not execute. HTML5 指定不应执行插入了innerHTML 的标签。 1 1

However (and since you're asking), there may be a remote chance (admittedly) that this could still be exploited:但是(并且既然你在问),可能(不可否认)这仍然可以被利用的可能性很小: 

 // This is the backdoor that an attacker has to inject somehow Object.defineProperty(Element.prototype, 'innerHTML', { set: function (value) { const script = document.createElement('script'); script.textContent = `alert('gotcha! ${value}')`; document.body.appendChild(script); } }); // This is what you're doing in your app document.getElementById("demo").innerHTML = '<script src="/me.js"><\\/script>';
 <div id="demo"></div>

As you can see it'd be easy to parse and extract the url and re-inject the script into the page.如您所见,解析和提取 url 并将脚本重新注入页面很容易。

Nowadays, using innerHTML is most likely going to be discouraged.如今,很可能不鼓励使用innerHTML Example:例子:

Warning: If your project is one that will undergo any form of security review, using innerHTML most likely will result in your code being rejected.警告:如果您的项目将接受任何形式的安全审查,则使用 innerHTML 很可能会导致您的代码被拒绝。 For example, if you use innerHTML in a browser extension and submit the extension to addons.mozilla.org, it will not pass the automated review process.例如,如果您在浏览器扩展程序中使用了 innerHTML 并将扩展程序提交到 addons.mozilla.org,它将不会通过自动审核过程。 1 1

React has an interesting way (IMHO) to discourage you from using it: React 有一种有趣的方式(恕我直言)阻止你使用它:

dangerouslySetInnerHTML is React's replacement for using innerHTML in the browser DOM. risklySetInnerHTML 是 React 在浏览器 DOM 中使用 innerHTML 的替代品。 In general, setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) attack.一般来说,从代码中设置 HTML 是有风险的,因为很容易在不经意间将用户暴露给跨站点脚本 (XSS) 攻击。 So, you can set HTML directly from React, but you have to type out dangerouslySetInnerHTML and pass an object with a __html key, to remind yourself that it's dangerous.所以,你可以直接从 React 设置 HTML,但你必须输入危险的 SetInnerHTML 并传递一个带有 __html 键的对象,以提醒自己这是危险的。 2 2

Finally, I think it's worth mentioning that both epascarello and E. Sundin have a valid point.最后,我认为值得一提的是 epascarello 和 E. Sundin 都有一个有效的观点。 We know that <script> won't load and/or execute when injected via innerHTML but it doesn't mean that you're safe:我们知道<script>在通过innerHTML注入时不会加载和/或执行,但这并不意味着您是安全的: 

 <div id="demo"></div> <script> document.querySelector('#demo').innerHTML = '<img src="x.gif" onerror="alert(42)">'; </script>

References参考

  1. https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML#Security_considerations https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML#Security_thinkations
  2. https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 XSS javascript,漏洞利用检查 - XSS javascript, exploit check 是否有可能XSS利用适当的JavaScript字符串转义来利用JSON响应 - Is it possible to XSS exploit JSON responses with proper JavaScript string escaping 注入时利用 XSS Javascript 代码返回大写 - Exploit an XSS when injected Javascript code is returned capitalized 是否有可能利用允许PEMDAS的JavaScript数学功能? - Is it possible to exploit a javascript math function that allows PEMDAS? XSS-是否只能使用JavaScript? - XSS - is it only possible by using JavaScript? 当注入的代码在带引号的html属性中输出时,是否可能进行XSS攻击 - Is an XSS exploit possible when injected code is output inside quoted html attributes 是否有可能从浏览器JavaScript降级XSS? - Is it possible to degrade xss from browser javascript? 如何在禁用$ sceProvider的情况下利用Angular中的XSS - How to exploit XSS in Angular with $sceProvider being disabled Blackhole Exploit / Javascript - Blackhole Exploit / Javascript Javascript 清理:插入可能的 XSS html 字符串的最安全方法 - Javascript sanitization: The most safe way to insert possible XSS html string
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM