Is it secure to use window.location.href directly without validation


Question


Is it secure to use window.location.href without any validation?

For example:

<script>
    var value = window.location.href;
    alert(value);
</script>


From the above example, is it vulnerable to Cross-site scripting (XSS) attack? If it is, then how? How the attacker can modify the value of window.location.href to the malicious content?

Edit (second case)


This is the url : www.example.com?url=www.attack.com


Just assume that I have a getQueryString() function that will return the value without validation.

<script> 
    var value = getQueryString('url'); 
    window.location.href = value; 
</script>


Same question, is it vulnerable to Cross-site scripting (XSS) attack? If it is, then how? How can an attacker just make use of "window.location.href = value" to perform XSS?

Recommended answer

Using location.href can be understood to include two things:

  1. Using the value of location.href by passing it around in your code, manipulating it and using it to guide the logic in your code.
  2. Assigning something to location.href, causing the browser to navigate to different URLs.


The first one, using the value, can be considered safe. The value of location.href is nothing more than a string. Of course it's part of user input, so you don't want to pass it to an eval statement, but that's true for all other forms of user input as well. In fact, the value of location.href is always a valid URL, so certain assumptions can be made of its content. In that sense you could argue it's more safe than most forms of user input. As long as you don't make any wrong assumptions.


The second one is something you should be careful with. Assigning unvalidated values to it can lead to open redirects that can be used for phishing and what's more, XSS issues arising from the use of javascript: and vbscript: URIs.


As requested, here's a more in-depth explanation of the problems with assigning to location.href:


Say you have an attacker controlled variable foo. The source of it can be anything really, but a query string parameter is a good example. When you assign the value of foo to location.href, what happens? Well, the browser does its best to interpret the value as a URI and then redirects the user to the resulting address. In most cases, this will trigger a page load; e.g. if value is "https://www.google.com/", Google's front page will be loaded. Allowing that to happen without user interaction is known as an open redirect and is considered a security vulnerability!


There are, however, types of URIs that won't trigger a page load. A common example of such a URI would be one that contains nothing but a fragment identifier, e.g. #quux. Assigning that to location.href would cause the page to scroll to the element with the ID "quux" and do nothing else. Fragment URIs are safe as long as you don't do anything stupid with the values of the fragments themselves.


Then to the interesting part: javascript: and vbscript: URIs. These are the ones that will bite you. The JavaScript and VBScript URI schemes are non-standard URI schemes that can be used to execute code in the context of the currently open web page. Sounds bad, doesn't it? Well, it should. Consider our attacker-controlled variable foo: all an attacker has to do to launch an attack against your users is inject a script URI into the variable. When you assign it to location.href, it's basically the same as calling eval on the script.


JavaScript URIs work in all modern browsers, while VBScript is IE-only, and requires the page to be rendered in quirks mode.


Finally, there's one more interesting URI scheme to consider: the data URI. Data URIs are file literals: entire files encoded as URIs. They can be used to encode any files, including HTML documents. And those documents, like any others, can contain scripts.


Most browsers treat each data URI as its own unique origin. That means the scripts in an HTML document wrapped in a data URI can not access any data on other pages. Except in Firefox.


Firefox treats data URIs a bit differently from all other browsers. In it, data URIs inherit the origin of whatever document is opening it. That means any scripts can access the data contained in the referring document. And that's XSS for you.
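The answer above describes what goes wrong when a query-string value is assigned to location.href (open redirects, and javascript:, vbscript: and data: URIs). As an added example that is not part of the original question or answer, here is one way to validate such a value before navigating: parse it the way the browser would, accept only http/https, and require the host to be on an allowlist. The function names, the allowlist and the www.example.com origin are assumptions for illustration.

```javascript
// Added example, not from the original post. Hypothetical validator for the
// second case in the question: a "url" query parameter assigned to location.href.
// Allowlist of hosts the page is willing to redirect to (assumed value).
const ALLOWED_HOSTS = new Set(["www.example.com"]);

function safeRedirectTarget(raw, currentOrigin = "https://www.example.com") {
  const fallback = "/"; // where to send the user when the input is rejected
  if (typeof raw !== "string" || raw.trim() === "") return fallback;

  let parsed;
  try {
    // Resolve the string relative to the current origin, which is what the browser
    // does when the string is assigned to location.href. The WHATWG URL parser
    // strips leading/trailing whitespace and embedded tabs/newlines, so
    // " javascript:..." or "java\tscript:..." still parse as the javascript: scheme
    // and are caught by the protocol check below.
    parsed = new URL(raw, currentOrigin);
  } catch {
    return fallback; // unparseable input: never navigate there
  }

  // Only web schemes are acceptable. This rejects javascript:, vbscript:,
  // data:, blob:, file: and anything else that is not a page load over HTTP(S).
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return fallback;

  // Scheme-relative input such as "//www.attack.com/" and absolute foreign URLs
  // resolve to another host; an allowlist is the standard fix for open redirects.
  if (!ALLOWED_HOSTS.has(parsed.host)) return fallback;

  return parsed.href; // normalized, same-origin (or allowlisted) absolute URL
}

// Reads the "url" parameter from a query string (e.g. location.search) and
// returns a validated navigation target instead of the raw value.
function redirectFromQuery(queryString) {
  const value = new URLSearchParams(queryString).get("url");
  return safeRedirectTarget(value);
}

// Usage in the page (uncomment when running in a browser):
// window.location.href = redirectFromQuery(window.location.search);
```

Note that the question's own URL, www.example.com?url=www.attack.com, yields a bare "www.attack.com" that the parser resolves as a same-origin path, not as a host; the allowlist check is what stops the "//www.attack.com" and "https://www.attack.com" variants.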
