Problem description
Ok, so I'm developing a web app that has begun to be more ajaxified. I then read a blog that talked about javascript hijacking, and I'm a little confused about when it's actually a problem. I want some clarification.
Question 1: Is this the problem/vulnerability?
I use ASP.NET MVC, and the method that returns JSON requires you to explicitly allow JSON GET requests. I'm guessing that they are trying to save the uninitiated from this security vulnerability.
Question 2: Does the hijacking occur by sniffing/reading the response as it's being sent through the internet? Does SSL mitigate that attack?
Question 3: This led me to ask this question to myself. If I'm storing page state in local javascript object(s) of the page, can someone hijack that data (other than the logged-in user)?
Question 4: Can I safely mitigate THIS vulnerability by only returning JSON for POST requests?
Recommended answer
The post you linked to is talking about CSRF & XSS (see my comment on the question), so in that context:
No.
No.
It depends. It depends on whether you're storing the data in cookies and haven't set the right domain or path. It depends on whether there's a security vulnerability in the client browser that would allow a script to gain access to data that is typically restricted. There are numerous other vectors of attack, and new ones are discovered all the time. The long and the short of it is: don't trust the browser with any confidential or secure data.
No (it's not a single vulnerability, it's a set of classes of vulnerabilities).
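As an added example (not part of the question or the answer above): a request gate for a sensitive JSON endpoint that makes the "No" to question 4 concrete. It rejects GET unless the endpoint has opted in (the ASP.NET MVC "allow JSON GET" behaviour the question mentions), and it shows that POST alone is not enough, because a cross-site HTML form can still POST with the victim's cookies, so the Origin header, a custom request header and the JSON content type are checked as well. The request shape (`method`, lowercase `headers`, `allowGet`) and `SITE_ORIGIN` are assumptions for the example.

```javascript
// Assumed: our own origin, and an Express-like request object
// { method, headers: { lowercase-name: value }, allowGet }.
const SITE_ORIGIN = "https://app.example"; // assumption for the example

// Decide whether a request to a sensitive JSON endpoint should be served.
// Returns { allow: boolean, reason: string } so callers can log the reason.
function gateJsonRequest(req) {
  const h = req.headers || {};
  // 1. Legacy JSON hijacking relied on a cross-site <script src>, which is always
  //    a GET: reject GET unless this endpoint explicitly opted in to GET.
  if (req.method === "GET" && !req.allowGet) {
    return { allow: false, reason: "GET not allowed for JSON endpoint" };
  }
  // 2. POST-only is not a fix: a cross-site form can POST with the user's cookies.
  //    Browsers attach Origin to cross-site POSTs, so reject a foreign Origin.
  const origin = h["origin"];
  if (origin && origin !== SITE_ORIGIN) {
    return { allow: false, reason: "cross-site Origin: " + origin };
  }
  // 3. Require a custom header: forms and script tags cannot set one; only
  //    same-origin XHR/fetch (or a caller that passed a CORS preflight) can.
  if (h["x-requested-with"] !== "XMLHttpRequest") {
    return { allow: false, reason: "missing X-Requested-With header" };
  }
  // 4. Require a JSON body content type; HTML forms cannot send it without CORS.
  const ctype = h["content-type"] || "";
  if (req.method !== "GET" && !/^application\/json/i.test(ctype)) {
    return { allow: false, reason: "body is not application/json" };
  }
  return { allow: true, reason: "same-origin XHR/fetch" };
}

// Defence in depth for responses: prefix the JSON so it is not valid JavaScript
// if it is ever pulled in via <script src>. The same-origin client strips the
// prefix before parsing. (A convention used by some frameworks, e.g. AngularJS.)
const ARMOR_PREFIX = ")]}',\n";
function armorJson(obj) {
  return ARMOR_PREFIX + JSON.stringify(obj);
}
function parseArmoredJson(text) {
  if (!text.startsWith(ARMOR_PREFIX)) throw new Error("missing anti-hijacking prefix");
  return JSON.parse(text.slice(ARMOR_PREFIX.length));
}
```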
This concludes the article "Javascript hijacking, when and how much should I worry?"; we hope the recommended answer helps, and thank you for your support!