有关Ajax Hacking的问题 [英] Question regarding Ajax Hacking

问题描述

全部

我有一个用Zend Framework和MVC编写的PHP网站.大多数控制器操作都会检查请求是否是Ajax请求，否则它们会将用户重定向到主页.我正在考虑破坏该网站的各种方法.我正在考虑以下情况:

I have a PHP website written in Zend Framework and MVC. Most of the controller actions check if the request is an Ajax request or not, else they redirect the user to home page. I am thinking about various ways to break that site. I am considering the following scenario:

1. 用户在其本地计算机上创建自己的PHP项目.

2. 用户向我的网站上的一个控制器写入一个JQuery ajax发布请求，并尝试发布恶意信息. 例如:

1. A user creates his own PHP project on his Local machine.

2. User writes a JQuery ajax post request to one of the controllers on my site and tries to post malicious info. Ex:

$.ajax({
    type: 'POST',
    url: "https://marketsite/getinfo/getstuff",
    cache: false,
    dataType: "html",
    success: function(html_response){
        alert(html_response);
    },
    error: function(xhr,ajaxOptions,errorThrown){
        alert(errorThrown);
    }
});

我的问题是上面的ajax请求中的"url"属性是否采用绝对路径?我知道这是相对的.另外，是否可以通过发送此类请求来破坏任何站点?

My Question is does "url" attribute in the ajax request above take absolute path? I know it takes relative path. Also, is it possible to break any site by sending such requests?

谢谢

推荐答案

我的问题是上面的ajax请求中的"url"属性是否采用绝对路径?

My Question is does "url" attribute in the ajax request above take absolute path?

相同来源政策阻止JavaScript发出请求并读取响应，除非它是到相同的主机，端口和协议.

The Same Origin Policy prevents JavaScript from making a request and reading the response unless it is to the same host, port and protocol.

这不会阻止攻击者发出他们喜欢的任何HTTP请求(手动构造一个看起来与通过JS发出的请求相同的HTTP请求是微不足道的)，并且不会阻止攻击者诱骗用户发出任何请求要求攻击者喜欢(尽管它确实阻止了攻击者获得对该请求的响应).

That doesn't stop an attacker from making any HTTP request they like (it is trivial to construct one manually that looks the same as one made via JS) and it doesn't stop an attacker from tricking a user into making any request the attacker likes (it does stop the attacker getting the response to that request though).

攻击者无需使用PHP或任何其他服务器端语言来执行任何上述操作.

There is no need for the attacker to involve PHP or any other server side language to do any of this.

还可以通过发送此类请求来破坏任何站点吗?

Also, is it possible to break any site by sending such requests?

这取决于网站的编写方式.您应该对设计用于通过JavaScript访问的URI进行与设计用于通过浏览器直接请求访问的URI相同的安全检查.

That depends on how the site is written. You should apply the same security checks on URIs designed for access via JavaScript as those designed for access with a direct request from the browser.

这篇关于有关Ajax Hacking的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！