Is it possible to perform a cross-site request forgery attack on a URL that returns a JSON object?


Question

I'm aware that there is a Cross site forgery attack that can be performed on a request that returns an array by overloading the Array constructor. For example, suppose I have a site with a URL:

foo.com/getJson

which returns

['Puff the Dragon', 'Credit Card #'] 

This would normally be Javascript eval'd by my own site after an XHR request, but another site can sniff this data by including something like:

<script>
// Replaces the global Array constructor so that each element assigned to a
// newly created array is handed to `next` instead of being stored.
function Array() {
  var arr = this;
  var i = 0;
  var next = function(val) {
    // `x setter = f` is legacy Mozilla-only syntax for defining a setter on x;
    // standard engines never call this constructor for an array literal.
    arr[i++] setter = next;
    document.write(val);
  };
  this[i++] setter = next;
}
</script>
<script src="http://foo.com/getJson"></script>

My question is, can the same thing be done when the request returns a Javascript object? i.e.

{ name: 'Puff the Dragon', cc: 'Credit Card #' }

I couldn't figure out a way to do this, but maybe I'm missing something. I know there are better solutions to protect my site, like using the while(1) hack or requiring an auth token in the URL, but I'm trying to figure out if this sort of security hole exists.

Answer

The sources I've seen, such as Haacked and Hackademix, specifically indicate that root objects are safe (presumably in all major browsers). This is because a script can not start with an object literal. By default, ASP.NET wraps both objects and arrays with a d prefix, but I think this is just to simplify the client library.
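An added example (not code from the question or the answer) that checks the answer's claim with the JavaScript parser itself: a body that starts with an object literal fails to parse as a stand-alone script, while a bare array parses. It also shows two server-side defences, a non-JSON prefix that the site's own client strips (a variant of the while(1) hack mentioned in the question, using an unparseable prefix instead of an infinite loop) and wrapping the root in a `d` property as the answer describes. The function names and the prefix string are this example's own choices.

```javascript
// Added example; parsesAsScript, protectJson, parseProtectedJson and wrapRoot
// are names chosen here, not from the page.

// True if `body` is accepted by the JavaScript parser as a whole program, i.e. a
// third-party <script src=...> tag could load it without a syntax error.
// new Function only parses the text, it never executes it.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: a prefix that is a syntax error at the start of a script, so the
// response can be fetched by XHR but not consumed through a <script> tag.
const JSON_PREFIX = ")]}',\n";

function protectJson(value) {
  return JSON_PREFIX + JSON.stringify(value);
}

// Client side: the site's own XHR code strips the prefix before parsing.
function parseProtectedJson(text) {
  if (!text.startsWith(JSON_PREFIX)) {
    throw new Error("unexpected response format");
  }
  return JSON.parse(text.slice(JSON_PREFIX.length));
}

// Alternative defence: wrap the payload so the root is always an object.
// As a script, `{"d":[...]}` is a block starting with a string literal followed
// by a colon, which is a syntax error.
function wrapRoot(value) {
  return JSON.stringify({ d: value });
}

// Constructed sample bodies mirroring the question.
const ARRAY_BODY = "['Puff the Dragon', 'Credit Card #']";
const OBJECT_BODY = "{ name: 'Puff the Dragon', cc: 'Credit Card #' }";
```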
