
Javascript hijacking, when and how much should I worry?

Ok, so I'm developing a web app that has begun to be more ajaxified. I then read a blog that talked about javascript hijacking, and I'm a little confused about when it's actually a problem. I want some clarification.

Question 1: Is this the problem/vulnerability?

If my site returns json data with a 'GET' request that has sensitive information then that information can get into the wrong hands.

I use ASP.NET MVC and the method that returns JSON requires you to explicitly allow json get requests. I'm guessing that they are trying to save the uninitiated from this security vulnerability.

Question 2: Does the hijacking occur by sniffing/reading the response as it's being sent through the internet? Does SSL mitigate that attack?

Question 3: This led me to ask this question to myself. If I'm storing page state in local javascript object(s) of the page, can someone hijack that data (other than the logged in user)?

Question 4: Can I safely mitigate against THIS vulnerability by only returning JSON with a 'POST' request?

The post you linked to is talking about CSRF & XSS (see my comment on the question), so in that context:

Is this the problem/vulnerability ("If my site returns json data with a 'GET' request that has sensitive information then that information can get into the wrong hands.")?

No.

Does the hijacking occur by sniffing/reading the response as it's being sent through the internet?

No.

If I'm storing page state in local javascript object(s) of the page, can someone hijack that data (other than the logged in user)?

It depends. It depends on whether you're storing the data in cookies and haven't set the right domain, or path. It depends on whether there's a security vulnerability on the client browser that would allow a script to gain access to data that typically is restricted. There are numerous other vectors of attack, and new ones are discovered all the time. The long and the short of it is: don't trust the browser with any confidential or secure data.

Can I safely mitigate against THIS vulnerability by only returning JSON with a 'POST' request?

No (it's not a single vulnerability, it's a set of classes of vulnerabilities).

Well you can check if there was a GET and if the GET was from a correct referrer.

You are not really much safer getting it from a POST because that is just as easy to simulate.

In general there are a lot of things you can do to prevent cross site forgery and manipulation.

The actual vulnerability is being able to overwrite Array.

If one overwrites the native Array then one gets access to the JSON data that's constructed as an Array.

This vulnerability has been patched in all major browsers.

You should only worry about this if your clients are using insecure browsers.

Example:

window.Array = function() {
  console.log(arguments);
  // send to secret server
};

...

$.get(url, function(data) { ... });

When the data is constructed, if there are any arrays in the returned JSON the browser will call window.Array and then the data in that array gets sent to the secret server.
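An added example, not code from the thread, showing the defensive side of the Array-override attack described above: a server-side request check (a custom header plus an Origin/Referer allow-list, the referrer idea from the earlier answer) and a response shape that a cross-site script tag cannot evaluate. The request object shape, the header names and ALLOWED_ORIGINS are assumptions, not anything from the thread.

```javascript
// Added example: server-side guards for a JSON endpoint against being loaded
// cross-site via <script src="..."> (the vector behind the Array override).
// Assumes a minimal request object { headers } with lowercase header names
// (as Node's http module provides); ALLOWED_ORIGINS is a constructed sample.

const ALLOWED_ORIGINS = ['https://app.example.com']; // constructed sample value

// Reduce Origin (or, failing that, Referer) to a scheme://host[:port] origin.
function originOf(headers) {
  const source = headers['origin'] || headers['referer'];
  if (!source) return null;
  try { return new URL(source).origin; } catch (e) { return null; }
}

// A <script> tag cannot attach custom headers, and from another site it
// carries a foreign Origin/Referer, so either check stops the hijack.
// jQuery's $.get sends X-Requested-With on same-origin XHR requests.
function checkJsonRequest(req) {
  const h = req.headers || {};
  if (h['x-requested-with'] !== 'XMLHttpRequest') {
    return { ok: false, reason: 'missing XMLHttpRequest header' };
  }
  const origin = originOf(h);
  if (!origin || !ALLOWED_ORIGINS.includes(origin)) {
    return { ok: false, reason: 'origin not allowed' };
  }
  return { ok: true, reason: '' };
}

// Wrap the payload in an object. A bare array literal is a valid script,
// but a top-level object literal with quoted keys is a syntax error when
// evaluated as a script, so the browser never builds the array at all.
// (JSON.stringify quotes the keys; an unquoted {d:1} would parse as a label.)
function safeJsonBody(value) {
  return JSON.stringify({ d: value });
}

// Probe used for the check below: would this body compile as script code?
// new Function parses its argument the way a script load would.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}
```

In the probe, a raw array response such as `[{"ssn":"..."}]` compiles, while `safeJsonBody` output does not; the legitimate client still reads `JSON.parse(body).d`.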
