What are the risks of letting users upload and run Javascript


Question



If you have, say, an HTML5 games arcade that allows users to upload a script that runs a game with HTML5 and Javascript, and assuming you have no filters on their input (apart from only allowing JS and HTML), what are the potential security risks and pitfalls?

One unlikely possibility is that if the games are popular, they could have a dormant DDoS script inside them that can launch a DDoS attack if the games are popular enough.

Stealing cookies is another, but if anyone has a comprehensive list, or any other ideas it would be interesting to hear them.

Answer

Allowing JavaScript to be uploaded and run opens up quite a lot of options for an attacker.

See Cross Site Scripting (Wikipedia) and on OWASP.

In general, if you allow this, then an attacker can post any code, redirect users, exploit their browsers, install viruses and more.
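As an added example, not code from the question or the answer above, here are the two ways an arcade could serve an uploaded game, side by side: the inline pattern the question describes, where the game runs with the arcade's own origin and therefore its cookies and DOM, and a hardened pattern that serves the game from a separate origin inside a sandboxed iframe. The function names, the `games-sandbox.example` origin and the sample game are constructed for illustration.

```javascript
// Added example (hypothetical function names; sample inputs are constructed).

// The pattern the question describes: uploaded markup and script are pasted
// straight into the arcade's page. The game then executes with the arcade's
// origin, so it has the same access as the arcade's own code: document.cookie,
// the DOM, and any logged-in user's session. This is stored XSS by design.
function renderGameInline(arcadeTitle, uploadedHtml) {
  return `<!doctype html><html><head><title>${arcadeTitle}</title></head>
<body><h1>${arcadeTitle}</h1>
<div id="game">${uploadedHtml}</div>
</body></html>`;
}

// Hardened pattern: the game is hosted on a separate, cookieless origin and
// embedded in a sandboxed iframe. Without "allow-same-origin" the frame gets an
// opaque origin, so the script cannot read the arcade's cookies, storage or DOM;
// without "allow-top-navigation" it cannot redirect the arcade page.
const GAME_IFRAME_SANDBOX = 'allow-scripts allow-pointer-lock';

function renderGameSandboxed(arcadeTitle, gameOrigin, gameId) {
  const src = `${gameOrigin}/games/${encodeURIComponent(gameId)}/index.html`;
  return `<!doctype html><html><head><title>${arcadeTitle}</title></head>
<body><h1>${arcadeTitle}</h1>
<iframe src="${src}" sandbox="${GAME_IFRAME_SANDBOX}" referrerpolicy="no-referrer"></iframe>
</body></html>`;
}

// Headers the game origin sends with every uploaded file: the CSP "sandbox"
// directive keeps the restrictions even if someone opens the game URL directly,
// and default-src 'self' stops the game from loading or contacting arbitrary
// third-party hosts (the dormant-script concern raised in the question).
// 'unsafe-inline' is accepted here only because the origin itself is sandboxed.
function gameOriginHeaders() {
  return {
    'Content-Security-Policy':
      "sandbox allow-scripts; default-src 'self'; script-src 'self' 'unsafe-inline'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Review check: a sandbox token list is only acceptable if it grants scripts
// but neither the embedding page's origin nor the right to navigate it.
function sandboxTokensSafe(tokens) {
  const t = tokens.split(/\s+/).filter(Boolean);
  return t.includes('allow-scripts') &&
    !t.includes('allow-same-origin') &&
    !t.includes('allow-top-navigation');
}
```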
