
Is JSON.parse() really safer than eval() when web page and ajax call come from same server?

I get that JSON.parse() prevents an attacker from injecting javascript into the response since a JSON parser is just a text parser, not a script parser, so please don't close this as a dup of all the other questions that talk about that. This is a different question.

If an attacker can hijack your Ajax call and put javascript into the Ajax call, aren't they just as likely to be able to hijack your actual webpage and put arbitrary javascript into your page, from which they could accomplish the exact same attack?

Sure, you have nothing to lose by using JSON.parse() instead of eval() (unless you don't have a JSON parser yet in your environment and have to add more code to get one), but in what situations does it really add safety if your web page is being served by the same host as your ajax call?

Yes, it is really safer. Every precaution you do not take is a set of potential exploits you don't prevent.

An attacker might be able to have some control over your server's output without being able to change it entirely. Nobody's suggesting it's a magic bullet, but it's potentially faster and you're not creating a potential vulnerability that could come back and hurt you.

Maybe someone running your server is having a bad day, and does something silly like constructing JSON by concatenating unsanitized user input:

<?php
    // Deliberately unsafe: the raw query parameter is concatenated into the
    // response body, so whatever text arrives in ?bar=... lands in the "JSON".
    print '{"foo": ' . $_GET['bar'] . '}';
?>

If you're using JSON.parse, the worst they can do is shove a large object into your memory. If you're using eval they can hijack everything.

Well, if they're able to inject into your AJAX responses they've probably already successfully man-in-the-middle'd you in one way or another (ARP, DNS or something else).

See http://en.wikipedia.org/wiki/Man-in-the-middle_attack for more details on these types of attack.

You are correct in that, if they can inject into your AJAX response, they can inject whole pages as well. Really, anything you receive OR send via networking is now vulnerable in a MitM unless something like HTTPS/SSL is being used.

That is a very good point. The only thing I can think of is that JSON.parse would have the opportunity to be faster than eval.

A much less likely advantage is if the browser already has the HTML/JavaScript cached and the server uses Cache-Control to say that it does not need to reload. If that happens then of course a person intercepting would not have a chance to modify the page. But that is a very rare set of circumstances. Chances are, you are going to require the browser to check for a newer version of the HTML/JavaScript, which is the default behavior.

As for the security difference, I think you are correct.

As for myself, I work with HTTPS confirmed systems only. But I have a function that uses JSON.parse if available and falls back on eval just for the speed improvement.

Well... I'm not advocating the usage of eval, but I don't think it constitutes a security issue in Javascript, because Javascript is a client-side language. If you don't use eval in your code, what prevents me from running javascript:my_own_evil_code() in the console or address bar? It is Javascript, I can run my own code or modify yours, create my own HTTP requests and do anything with HTTP responses, or even add my own eval to your functions.

You shouldn't use eval if there is another comparable solution available, but if you, just for simplicity, want to do eval('('+jsonstring+')') to emulate JSON.parse, I don't think it is a big mistake.
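An added example (not code from any of the posts above) that ties the first answer's unsanitized PHP snippet to the eval('('+jsonstring+')') emulation in the last answer: the same constructed response body goes through JSON.parse and through the eval emulation, and a counter records whether the smuggled expression was ever executed. The markSideEffect function, the MAX_BODY_BYTES cap and the sample bodies are assumptions made for the demonstration.

```javascript
// Added example, not code from the original thread. A counter stands in for
// "attacker-controlled expression ran"; it only increments, nothing else.
let sideEffects = 0;
// Stands in for any expression that could be smuggled into $_GET['bar'].
function markSideEffect() { sideEffects += 1; return 0; }

// Hypothetical size cap: JSON.parse cannot run code, but it will still
// allocate whatever a huge body describes (the "large object" in the first
// answer), so bound the body before parsing it.
const MAX_BODY_BYTES = 1024 * 1024;

// Strict parsing: only the JSON grammar is accepted; anything else throws.
function parseStrict(text) {
  if (text.length > MAX_BODY_BYTES) {
    return { ok: false, error: 'BodyTooLarge' };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name }; // SyntaxError for non-JSON text
  }
}

// The eval-based emulation from the last answer: expressions inside the
// text are executed, not merely parsed.
function parseWithEval(text) {
  try {
    return { ok: true, value: eval('(' + text + ')') };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Runs both parsers over an intact and a tampered body (both constructed
// here) and reports whether the smuggled expression was evaluated.
function demonstrate() {
  sideEffects = 0;
  const intact = '{"foo": 42}';                 // what the server meant to send
  const tampered = '{"foo": markSideEffect()}'; // bar=markSideEffect() concatenated in
  const strictIntact = parseStrict(intact);
  const strictTampered = parseStrict(tampered);
  const evaluatedAfterStrict = sideEffects;     // JSON.parse rejected it: still 0
  const evalTampered = parseWithEval(tampered);
  const evaluatedAfterEval = sideEffects;       // eval executed it: now 1
  return { strictIntact, strictTampered, evaluatedAfterStrict,
           evalTampered, evaluatedAfterEval };
}
```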
