帧onkeydown反馈 [英] Frame onkeydown feedback
问题描述
我正在尝试对跨框架脚本攻击进行PoC( https://www .owasp.org/index.php/Cross_Frame_Scripting ),以显示在我的工作中此攻击对于任何版本的IE浏览器有多危险.
通过在IE8或更高版本上使用X-FRAME-OPTIONS: deny标头可以轻松地防止此攻击.但是,如果每个开发人员在所有Web服务器响应中都包含这样的标头,那就太好了.
使用下面的代码,我可以看到带有键码的警报窗口,但是如果目标页面上有表单,则看不到表单内按下的键的字母.
I'm trying to do a PoC for a Cross Frame Scripting attack (https://www.owasp.org/index.php/Cross_Frame_Scripting) to show in my job how dangerous can be this attack for any version of IE browser.
This attack can be easily prevent by using X-FRAME-OPTIONS: deny header on IE8 or newer versions. But it would be nice if every develop include such header on all web server responses.
Using the code below I can see the alert window with the keycode but in case of forms on the target page I can not see the letter of the key pressed inside the form.
<script>
window.onkeydown = function() {
alert(window.event.keyCode);
}
</script>
<frameset onload="this.focus()" onblur="this.focus()">
<frame src="http://www.uol.com.br">
</frameset>
使用下面的简单代码,我可以按键并同时查看(警告窗口和表单中的字母).
Using the simple code below I can press the key and see both (alert window and the letter inside the form).
<script>
window.onkeydown = function() {
alert(window.event.keyCode);
}
</script>
<input>
第一个代码块上是否缺少某些内容? 谢谢!
Is there something missing on the first code block? Thanks!
推荐答案
您的代码可能没有任何问题.跨框架脚本并不是一个真正的漏洞-只是Internet Explorer的旧版本中的一个漏洞,其中包含一个错误,其中onkeypress事件是在父框架内部触发的,尽管域不匹配,通常该域也将受到保护. 相同起源政策.
There's probably nothing wrong with your code. Cross Frame Scripting is not a real vulnerability - it is only a vulnerability in old versions of Internet Explorer that contains a bug where the onkeypress event is triggered inside the parent frame, despite the domains not matching where this would usually be protected by the Same Origin Policy.
其他跨框架脚本攻击仅仅是跨站点脚本攻击使用不同的名称,因为它们涉及框架.
Other Cross Frame Scripting attacks are merely Cross Site Scripting attacks with a different name because they involve frames.
这篇关于帧onkeydown反馈的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
