有人可以离线编辑JavaScript文件来运行恶意代码吗？ [英] Can someone edit javascript file offline to run malicious code?

问题描述

当有人访问某个网站时，将会下载Js文件。

我很担心与我的网站的javascript文件相关的内容，我不确定这是否可行。 ，如果某人编辑了下载的js脚本并插入了他自己的代码，然后刷新了网站。在新的刷新中，网站将读取已编辑的Js文件并运行恶意代码。恶意代码可能用于以正常方式在服务器上运行一些代码。

示例：

只允许用户在他的信息页中发布文章： b
$ b

HTML

文章格式只会显示在用户的网页中。

 <？php 
 if（$ user-> id == $ page-> userID）
 {
？> 
< form> 
< h1>新增新文章：< / h1>< br /> 
< textarea name =articleTextcols =65rows =3>< / textarea> 
< input class =SubmitArticleid =<？php echo $ userPage-> id;？> name =SubmitArticletype =buttonvalue =提交文章/> 
< / form> 
<？php 
} 
？> 
  

Javascript

  $（。SubmitArticle）。click（function（e）{
 var targetPage = $（this）.attr（'id'）; 
 var thisForm = $（this）.parent（）; 
 var postData = thisForm.serialize（）+& targetPage =+ targetPage; 
 
 $ .post（document.location，postData ，函数（data）{
 $（'＃mainDiv'）。html（data）; 
}）; 
}）; 
  

PHP
< pre $ if（isset（$ _ POST [SubmitArticle]））
{
$ pageID = $ _POST [targetPage];
$ text = $ _POST [articleText];

PublishArticle（$ pageID，$ text）;
}


恶意程式码：

在JS文件中插入代码以在其他用户页面上撰写文章（这是不允许的），攻击者使用视图页面源代码（可以说page_id = 12）从html元素中读取页面ID： p>

  postData =SubmitArticle = 1& targetPage = 12& articleText ='Muwhahahah'; 
 $ .post（document.location，postData，function（data）{
}）; 
  

有什么解决方法？

解决方案

你很担心，不信任客户。

在您的示例中，您应该在发布文章之前验证用户，例如：

  if（isset（$ _ POST [SubmitArticle]））{
 $ pageID = $ _POST [targetPage]; 
 $ text = $ _POST [articleText]; 
 $ b $ if（$ user-> id == $ page-> userID）{
 PublishArticle（$ pageID，$ text）; 
} 
} 
  

不要停在那里

另外，您不应该相信客户会向您发送有效的文章文本和页面ID。它可能是一个SQL注入，恶意的JavaScript，页面打破HTML等，你也需要清理你的输入。

I am worried about something related to javascript files of my website, I am not sure if this is doable.

Js files will be downloaded when someone visits a website, what if someone edited the downloaded js script and inserted his own code, then refreshed the website. In the new refresh the website will read the edited Js file and will run the malicious code. The malicious code might be used to run some code at the server in normal ways.

Example:

A user is only allowed to post an article in his page:

HTML

Article form will only show for the user in his page.

<?php
if( $user->id == $page->userID )
{
?>    
<form>
<h1>Add new article:</h1><br />
<textarea name="articleText" cols="65" rows="3"></textarea>
<input class="SubmitArticle" id="<?php echo $userPage->id; ?>" name="SubmitArticle" type="button" value="Submit article" />
</form>
<?php
}
?>

Javascript

$(".SubmitArticle").click( function(e){
    var targetPage = $(this).attr('id');
    var thisForm = $(this).parent();
    var postData = thisForm.serialize() + "&targetPage=" + targetPage;

    $.post(document.location, postData, function(data) {
        $('#mainDiv').html(data);
    });
});

PHP

if( isset($_POST["SubmitArticle"]) )
{
    $pageID = $_POST["targetPage"];
    $text = $_POST["articleText"];

    PublishArticle( $pageID , $text );
}

Malicious Code:

Code inserted in JS file to write article on other users pages (which is not allowed), the attacker reads page id from html element using view page source (lets say page_id=12):

postData = "SubmitArticle=1&targetPage=12&articleText='Muwhahahah'";
$.post(document.location, postData, function(data) {
});

What is the solution if this is possible?

解决方案

You are right to be worried, don't trust the client. Ever.

In your example you should validate the user prior to publishing the article, something like:

if( isset($_POST["SubmitArticle"]) ){
    $pageID = $_POST["targetPage"];
    $text = $_POST["articleText"];

    if( $user->id == $page->userID ){
      PublishArticle( $pageID , $text );
    }
}

Don't stop there

In addition, you should not trust that the client will send you valid article text and page id. It could be a SQL Injection, malicious javascript, page breaking html, etc. You need to sanitize your inputs as well.

这篇关于有人可以离线编辑JavaScript文件来运行恶意代码吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！