CSS注入:什么是最糟糕的可能发生? [英] CSS injection: what's the worst that can happen?
本文介绍了CSS注入:什么是最糟糕的可能发生?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我们正在进行安全性评估。
We are doing a security evaluation.
恶意用户可能会将任意CSS注入其他用户的网页,尽管我们不确定实际上被利用。
There is a chance that a malicious user can inject arbitrary CSS into another user's web pages, although we are not sure it can actually be exploited.
我明白他可以完全改变页面外观,甚至不会显示任何东西。这就是全部?
最糟糕的情况是什么?可以在CSS中嵌入JavaScript吗?他可以窃取其他用户的Cookie吗?
I understand he could totally change the page look, even causing nothing to be displayed at all. Is that all? What is the worst that could happen? Can JavaScript be embedded in CSS? Can he "steal" the other user's cookies? And initiate another session?
推荐答案
- Ultimate XSS CSS injection
- HTML/CSS Injections - Primitive Malicious Code (or, What’s the worst that could happen?)
- XSS Prevention Cheat Sheet on OWASP
这篇关于CSS注入:什么是最糟糕的可能发生?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
