stackoom
  简体   繁体   中英

Breach injection through shadow root

 原文  2017-10-09 09:00:14       javascript/ shadow-dom/ javascript-injection/ html-injections

Question

I'm not a JS programmer. I don't have enough skill to test it myself, so asking for help. Is it possible to inject script or HTML tag into shadow_root element to check for holes on web?

For example <script>alert("alert");</script>

Maybe something else like by using <content> ?

Main question: Is it possible or not?

And additional question: How?

1 answers

solution1
 1 ACCPTED  2017-10-09 10:19:59

According to what I could dig up in comments, you want to know if your users can inject code in your website pages. The answer is yes, the user has all the rights to play with the DOM in front of him. The easy way is by simply opening your favorite browser's developers' tools.

Do it yourself... Open your developer's tools window here, reach the console and write 

document.write("<script>alert(\"alert\");</script>");

As you can see, you can change anything even directly on StackOverflow. But that causes absolutely no harm to others, just you. While you can do that on SO does mean that it is insecure at all! It is just that your browser has full control on what it received...

Now, the question should be more how can I detect possible points in my application where such injection can be harmful.

The answer is simple, never trust client input. The server should always validate the inputs, and make sure there is no database injection possible. When displaying user provided content, one should also make sure there is no hidden code tag that would be ran by the browser of the users looking at the webpage.

StackOverflow is not suited for this kind of knowledge sharing. I suggest you read about website security in general and then find more in depth resources related to your technology stack and the usage you have with your users' input.

Also, if you are asking this for a real job task you have been given. The most important thing to do would be to tell your manager you are not fit for the task. Not because you lack the talent, but because you lack the knowledge. This shows that you are smart enough to see the task as very important (security IS very important) and you are not willing to play with the company's reputation.

See workplace.stackexchange.com if you'd like to know how to best explain that to your superiors.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Use :root in Shadow DOM Shadow Root getElementsByClassName Svg is not displaying - shadow-root Create shadow root/dom in firefox? Query element in nested shadow root Bootstrap dropdown not working with shadow root Get shadow root host element Javascript Injection through mailto: Javascript Adding function to custom elements in the shadow root Check if element contains #shadow-root
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM