我的网页上有一张表格,用户可以输入他们的信用卡数据。是否有可能在HTML中标记表单的动作是不变的,以防止恶意JavaScript改变表单的动作属性?我可以想象一种XSS攻击,它会改变表单URL以使用户将他们的秘密数据发布到攻击者的网站。
可能吗?或者,在浏览器中是否有其他功能可以阻止这类攻击的发生? 解决方案
这种攻击是可能的,但这是阻止它的错误方法。如果黑客可以更改表单的详细信息,则可以通过AJAX GET 轻松发送秘密数据,而无需提交表单。防止XSS攻击的正确方法是确保对页面上的所有不可信内容进行编码,以便黑客无法首先执行自己的JavaScript。
StackOverflow上的示例代码是一个很好的编码示例。想象一下,如果每次有人发布一些示例JavaScript,它实际上都会在浏览器中执行,那会是多么的混乱。例如,
< script type =text / javascript> alert('foo');< / script> $ b 如果不是因为SO编码了上面的代码片段,您会看到一个警告框。这当然是一个相当无害的脚本 - 我可以编写一些JavaScript来劫持你的会话cookie并将它发送到evil.com/hacked-sessions。然而,幸运的是,SO并不认为每个人都是善意的,并且实际上对内容进行了编码。例如,如果您要查看源代码,您会看到SO已将我完全有效的HTML和JavaScript编码到此处:
& lt ; script type =text / javascript& gt; alert('foo');& lt; / script& gt;
因此,我并没有在其中嵌入实际的< / code>和> 字符,而是用它们替换了它们HTML编码的等价物(& lt; 和& gt; ),这意味着我的代码不再代表一个脚本标记。
无论如何,这是编码背后的一般想法。有关 的更多信息,您应该如何编码,这取决于您使用服务器端的内容,但大多数Web框架都包含某种开箱即用的HTML编码实用程序。您的责任是确保用户提供的内容(或其他不受信任的内容)在呈现前始终 编码。
I have a form on my page where users enter their credit card data. Is it possible in HTML to mark the form's action being constant to prevent malicious JavaScript from changing the form's action property? I can imagine an XSS attack which changes the form URL to make users posting their secret data to the attacker's site.
Is it possible? Or, is there a different feature in web browsers which prevents these kinds of attacks from happening?
This kind of attack is possible, but this is the wrong way to prevent against it. If a hacker can change the details of the form, they can just as easily send the secret data via an AJAX GET without submitting the form at all. The correct way to prevent an XSS attack is to be sure to encode all untrusted content on the page such that a hacker doesn't have the ability to execute their own JavaScript in the first place.
Sample code on StackOverflow is a great example of encoding. Imagine what a mess it would be if every time someone posted some example JavaScript, it actually got executed in the browser. E.g.,
<script type="text/javascript">alert('foo');</script>
Were it not for the fact that SO encoded the above snippet, you would have just seen an alert box. This is of course a rather innocuous script - I could have coded some JavaScript that hijacked your session cookie and sent it to evil.com/hacked-sessions. Fortunately, however, SO doesn't assume that everyone is well intentioned, and actually encodes the content. If you were to view source, for example, you would see that SO has encoded my perfectly valid HTML and JavaScript into this:
<script type="text/javascript">alert('foo');</script>
So, rather than embedding actual < and > characters where I used them, they have been replaced with their HTML-encoded equivalents (< and >), which means that my code no longer represents a script tag.
Anyway, that's the general idea behind encoding. For more info on how you should be encoding, that depends on what you're using server-side, but most all web frameworks include some sort of "out-of-the-box" HTML Encoding utility. Your responsibility is to ensure that user-provided (or otherwise untrusted) content is ALWAYS encoded before being rendered.
这篇关于防止更改HTML表单操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!