JSON Hijacking with an Ajax jQuery POST request


Problem description

Yesterday, I read some nice articles about how to prevent JSON Hijacking with ASP.NET MVC. The rule is: never send sensitive data in JSON format over a GET request. With a simple search on Google, you can easily learn how to define a script that will be used to extract data from another user with the help of his auth cookie.

But after reading all these articles, I don't know why it's not possible to do JSON Hijacking with an Ajax jQuery POST request. I read that Ajax requests are subject to the same-origin policy, but jQuery has a property to be able to do cross-domain requests.

In this case, is it possible to do JSON Hijacking with a script using $.postJSON on the document ready event? If yes or no, could you explain to me exactly why?

Here is a simple bunch of code to do what I'm thinking:

<script>
    // POST counterpart of $.getJSON: the response is parsed as JSON before callback runs
    $.postJSON = function (url, data, callback) {
        $.post(url, data, callback, "json");
    };

    $(function () {
        $.postJSON("/VulnerableSite/ControllerName/ActionName",
            { /* some data parameters */ },
            function (data) {
                // Code here to send to the bad guy the data of the hacked user.
            });
    });
</script>

Thank you very much.

Answer

but jQuery has a property to be able to do cross-domain requests.

Yeah, but it works only with GET requests. You cannot do cross-domain AJAX calls with POST requests. Also, most modern browsers have already fixed the possibility of overriding the __defineSetter__ method. The idea of this attack relies on including a <script> tag pointing to your website from a malicious site. But the browser sends a GET request in order to retrieve this script, not a POST. That's why it is safer to use POST to transmit sensitive information with JSON.
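The mechanics behind that answer, as an added example that is not part of the question or the answer above (the function names, the request/response shapes and the `)]}',\n` prefix are this example's own; ASP.NET MVC's `JsonRequestBehavior.DenyGet` implements only the GET refusal, the prefix is a separate, framework-style hardening). Run under Node, the block shows three things: a JSON array body is by itself a valid JavaScript program, which is all a hostile `<script src>` include needs; an endpoint that refuses GET and prefixes its body with a token that is a syntax error cannot be consumed that way even if a GET route is added later; and, as the answer says, a setter installed on `Object.prototype` no longer fires when a modern engine evaluates an object literal, so the classic `__defineSetter__` leak does not reproduce. One caveat the answer leaves out: browsers do send cross-origin POSTs (a plain form-encoded XHR is a "simple" request), they merely withhold the response from the calling page unless the server opts in with CORS headers, so the endpoint must also never reflect arbitrary `Origin` values together with `Access-Control-Allow-Credentials: true`.

```javascript
// Added example (not from the question or the answer): why a JSON array
// served over GET is readable through a <script> tag, and what a POST-only,
// prefixed endpoint changes. All names below are this example's own.

// The prefix token is an assumption of this example; frameworks use
// variants such as ")]}',\n" or "{}&&". Anything that is a syntax error at
// the start of a script will do.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Would this response body parse as a JavaScript program? That is exactly the
// question a <script src="https://victim/api/accounts"> include asks.
function isValidScript(body) {
  try {
    new Function(body); // parse only; the body is never executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side. `req` is {method, headers} with lower-cased header names and
// `payload` is the sensitive data; returns {status, headers, body}.
function handleJsonRequest(req, payload) {
  // 1. Sensitive JSON only over POST: a <script> tag can only issue GET, so
  //    it never receives the data. This is the rule the question cites.
  if (req.method !== 'POST') {
    return { status: 405, headers: { Allow: 'POST' }, body: '' };
  }
  // 2. Defence in depth: jQuery adds X-Requested-With on same-origin XHR; a
  //    cross-origin request carrying it needs a CORS preflight this server
  //    never approves, and a plain HTML form POST cannot add it at all.
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers: {}, body: '' };
  }
  // 3. Even if a GET route is ever added, the prefix makes the body a syntax
  //    error when loaded as a script, and nosniff stops the browser from
  //    guessing a different content type.
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: ANTI_HIJACK_PREFIX + JSON.stringify(payload),
  };
}

// Same-origin client: strip the prefix before JSON.parse. A missing prefix is
// treated as an error so that a misconfigured endpoint gets noticed.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// The classic leak: install a setter for "account" on Object.prototype and let
// the JSON array run as a script. Returns the values the setter saw. In an
// ES5+ engine an object literal defines its own property and never calls an
// inherited setter, so this returns [] (the fix the answer refers to).
function setterLeakViaLiteral(jsonBody) {
  const captured = [];
  Object.defineProperty(Object.prototype, 'account', {
    set(v) { captured.push(v); },
    configurable: true,
  });
  try {
    new Function(jsonBody)(); // evaluate the JSON array as a script
  } finally {
    delete Object.prototype.account; // always undo the global hook
  }
  return captured;
}

// Constructed sample data standing in for a real account listing.
const SAMPLE = [{ account: '123', balance: 42 }];

if (typeof require !== 'undefined' && require.main === module) {
  const get = handleJsonRequest({ method: 'GET', headers: {} }, SAMPLE);
  const post = handleJsonRequest(
    { method: 'POST', headers: { 'x-requested-with': 'XMLHttpRequest' } }, SAMPLE);
  console.log('GET status:', get.status);                                      // 405
  console.log('raw JSON is a script:', isValidScript(JSON.stringify(SAMPLE))); // true
  console.log('prefixed body is a script:', isValidScript(post.body));         // false
  console.log('parsed by the real client:', parseProtectedJson(post.body));
  console.log('leaked via setter:', setterLeakViaLiteral(JSON.stringify(SAMPLE))); // []
}
```

The order of the checks matters: the method test comes first so that the endpoint never spends effort on, or leaks timing about, a request a `<script>` tag could have produced, and the prefix is applied unconditionally rather than only on suspicious requests, because the whole point is that the body is never a runnable script no matter how it was fetched.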
