Is jQuery's $.get() safe to call on an untrusted URL?


Question
I recently learned that jQuery's $.getJSON() is not safe to call on an untrusted URL. What about $.get()? Is jQuery's $.get() safe to call when the URL parameter comes from an untrusted source, or is this insecure?

This came up in a security code review I was doing, to check for XSS vulnerabilities. Example code pattern:

$.get(url, function (...) { ... })

Does this code pattern create an XSS vulnerability, if an attacker chooses url maliciously?

Please assume that the function will handle the response from the AJAX request safely, and that url comes from an untrusted source (e.g., some other user) and can be completely controlled by the adversary.

My concern: if url is chosen by an attacker, can an attacker choose a malicious URL (e.g., containing callback=? and pointing to their own site, or something clever like that) that causes jQuery to guess that the data type should be JSONP, enable JSONP, insert a script tag into the document, and introduce an XSS vulnerability in the same way that getJSON() does? (Since I'm not passing an explicit dataType argument to $.get(), jQuery will guess the data type, as described in the docs. I'm not sure what the security implications of that are.)

I ran across this code pattern in code review, and I'm trying to understand whether it is a potential vulnerability. I'm not looking for alternative ways this code could be written; instead, I want to know whether this kind of code pattern is secure as is.


Since the threat model is a bit tricky, let me give an example to help understand this better. Suppose Bob is a user of the service and he can provide a URL that's associated with his profile. Suppose that when Alice visits Bob's profile page in her browser, the JavaScript code on the page takes the URL that Bob provided and passes it as an argument to $.get(). The question is, is this safe? Could Bob use this to attack Alice? Could Bob trigger Alice's browser to execute arbitrary JavaScript code, with all of Alice's power? As the linked question explains, $.getJSON() is unsafe in this scenario -- but what about $.get()? Is it unsafe too, or is it safe?


Since I got some requests for clarification, let me try explaining/asking the question a different way. Suppose I'm doing a code review to check whether some JavaScript code contains any XSS vulnerabilities, and I see the following line of code:

$.get(url, function(resp) { /* do nothing */ });

Suppose I know that url can be completely controlled by the attacker. Is this automatically an XSS vulnerability? Or is this always safe? Or if the answer is "it depends", what does it depend on?

Or, yet another way to think about this. Suppose I'm doing a code review and I see the following line of code:

$.get(url, f);

Suppose I know that url can be completely controlled by the attacker. What do I need to check, to verify whether this is safe (free of XSS bugs)? I am aware that I need to check the code of f to see whether it handles the response safely, because if f is careless it could introduce a XSS bug. My question is: is that the only thing I need to check for? Or is this code pattern always an XSS vulnerability, regardless of how f is coded?

Answer

> Does this code pattern create a XSS vulnerability, if an attacker chooses url maliciously?

Edit: yes, but not for the reason in your question.

The weird auto-JSONP feature is internally applied to AJAX requests using ajaxPrefilter("json jsonp"). So it applies to the json prefilter list but not other types or the default *. However, prefilters apply before the response occurs, so this can't happen just because the server replies with a JSON-like type.

(Currently—as of 1.11.2—the docs for getJSON don't describe the circumstances under which this potentially-dangerous behaviour fires exactly. And the docs for get and ajax don't mention auto-JSONP at all. So maybe it should be considered a bug. Certainly given how poorly-specified this is, I would not rely on it staying the same in future versions of jQuery.)

The actual reason it's vulnerable (as demonstrated by framp and toothbrush) is that without a dataType parameter jQuery will guess one from the response. If the attacker's URL hits a resource served as a JS-like Content-Type, jQuery will guess it is JavaScript and eval it. Note: for the AJAX request to get far enough for this to work, for a resource on a third-party server, it would have to include CORS headers.

$.get(url, function (...) { ... }, 'json');

This version is not vulnerable to the response type guessing. However, it is vulnerable to the auto-JSONP filter.

To be safe, you have to both set the dataType option and, if that option is json, also the jsonp: false option. Unfortunately, you can't set the jsonp option in the get() method. You should be able to do it by passing in an options dictionary instead of parameters, but you can't because this API is currently completely non-functional due to jQuery being a sad mess of broken Do-What-I-Mean APIs whose behaviour it is (increasingly) difficult to predict.

So the only safe way to fetch JSON from an untrusted URL is via basic ajax:

$.ajax(url, {dataType: 'json', jsonp: false});
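As an added example (my code, not part of the question or the answer above), the following Node script models the two decision points the answer describes: jQuery 1.x's auto-JSONP prefilter, which runs before any request is sent, and its Content-Type based dataType guess, which runs on the response. It also shows the hardened call site with the ajax function injected, so it runs without jQuery or a network. The regexes mirror jQuery 1.11's `rjsonp` and `contents` settings as I recall them; treat that as an assumption to verify against the version you ship. The `evil.example` and `api.example` hosts and the `executesAttackerCode`/`getUntrustedJson` helpers are mine.

```javascript
// Model of jQuery 1.x's two code-execution paths for an attacker-chosen URL.
// Assumption: these regexes match jQuery 1.11's internal rjsonp and contents
// tables; verify against the jQuery version actually deployed.

// 1. Auto-JSONP prefilter. Registered with ajaxPrefilter("json jsonp"), so it
//    only runs when dataType is json or jsonp. rjsonp matches "=?" at the end
//    of a query value (e.g. callback=?) or a bare "??".
const rjsonp = /(=)\?(?=&|$)|\?\?/;

function prefilterPicksJsonp(opts) {
  const dataType = opts.dataType;
  if (dataType !== 'json' && dataType !== 'jsonp') return false; // not in "json jsonp"
  if (dataType === 'jsonp') return true;   // explicit JSONP; jsonp:false does not undo it
  if (opts.jsonp === false) return false;  // the opt-out the answer recommends
  const data = typeof opts.data === 'string' ? opts.data : '';
  return rjsonp.test(opts.url) || rjsonp.test(data);
}

// 2. Response type guessing. With no dataType, jQuery sniffs the Content-Type
//    header in this order and routes a JS-like type through the "text script"
//    converter, which calls globalEval on the body.
const contents = {
  xml: /xml/,
  html: /html/,
  json: /json/,
  script: /(?:java|ecma)script/,
};

function guessedDataType(opts, contentType) {
  if (opts.dataType) return opts.dataType;
  for (const [type, re] of Object.entries(contents)) {
    if (re.test(contentType || '')) return type;
  }
  return 'text';
}

// Outcome of one call site against one response. Returns 'jsonp' if a
// <script src=...> tag would be inserted, 'script' if the XHR body would be
// eval'd, or null if attacker-served content never executes.
// response: { contentType, crossOrigin, cors } (cors = server sent CORS approval)
function executesAttackerCode(opts, response) {
  // JSONP is decided before the request and uses a script tag, which is not
  // subject to CORS, so the attacker's server needs no special headers.
  if (prefilterPicksJsonp(opts)) return 'jsonp';
  // Otherwise the request goes over XMLHttpRequest; a cross-origin response
  // without CORS approval never reaches jQuery's converters.
  if (response.crossOrigin && !response.cors) return null;
  if (guessedDataType(opts, response.contentType) === 'script') return 'script';
  return null;
}

// Hardened call site from the answer: fixed dataType plus jsonp:false. The
// ajax function is injected so the wrapper can be exercised without jQuery;
// in a page you would pass $.ajax.
function getUntrustedJson(url, ajax) {
  return ajax(url, { dataType: 'json', jsonp: false });
}

// Constructed sample call sites: the three patterns discussed in the answer.
const samples = [
  ['$.get(url, cb)', { url: 'https://evil.example/x.js' },
    { contentType: 'text/javascript', crossOrigin: true, cors: true }],
  ["$.get(url, cb, 'json')", { url: 'https://evil.example/api?callback=?', dataType: 'json' },
    { contentType: 'application/json', crossOrigin: true, cors: false }],
  ['$.ajax(url, {dataType, jsonp:false})', { url: 'https://evil.example/api?callback=?', dataType: 'json', jsonp: false },
    { contentType: 'text/javascript', crossOrigin: true, cors: true }],
];
for (const [label, opts, resp] of samples) {
  console.log(label.padEnd(38), '->', executesAttackerCode(opts, resp) || 'safe');
}
```

With `jsonp: false` a literal `callback=?` in the URL is sent unchanged, and a body that is not valid JSON fails in the parser and reaches only the error callback, which is the behaviour you want from an attacker-chosen URL. The CORS check in the model is the caveat the answer makes: the eval path needs the attacker's server to opt in with CORS headers, but the script-tag path does not, which is why the `dataType: 'json'` variant without `jsonp: false` is the more dangerous one.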

