使用FORM GET和IFRAME进行CSRF攻击 [英] CSRF attack with FORM GET and IFRAME

问题描述

我正在尝试使用以下代码查看网站是否容易受到CSRF攻击

I'm try to see if a website is vulnerable to CSRF with following code

<html>
<body>
<div>
<iframe width="0" height="0" border="0" name="dummyframe" id="dummyframe"></iframe>
<form action="TARGET_SITE" method="GET" id="get_site" target="dummyframe"></form>
<script>
document.getElementById("get_site").submit();
var e = document.getElementById("dummyframe");
if(e != null) {
   alert(e.contentWindow.document.body.innerHTML);
}
</script>
</div>
</body>
</html>

此处添加了iframe标记，以避免从Java脚本提交表单时页面重定向.提交表单时，我确实看到了HTML响应，其中包含一些我想访问的有趣信息.

The iframe tag is added here to avoid the page redirect when the form is submitted from the java script. When the form is being submitted, i do see a HTML response with some interesting information which i would want access.

但是我如何从iframe或form标记访问该HTML响应，示例中的警报窗口会弹出，但不会显示任何内容.

But how do i access that HTML response, either from the iframe or form tag, the alert window in the example pops up but it doesn't print anything.

谢谢

推荐答案

如果要做的只是获取外部页面的HTML，然后将其添加到< iframe> 由于这个原因，我们需要使用服务器端语言(NodeJS，PHP，Python)(感谢@Hannes):

If all you want to do is obtain the HTML of an external page and add that to an <iframe>, then you need to use a server-side language (NodeJS, PHP, Python), because of this reason (thanks @Hannes):

由于相同的起源策略，所有通用浏览器均不允许Javasript调用访问具有另一个(子)域的任何页面.解决该问题的唯一方法是在自己的服务器上设置某种代理"(例如php脚本)，该服务器在同一域下运行，并从第三个来源获取所需信息并打印出来./p>

All common Browsers do not allows Javasript Calls to access any Pages with another (sub)Domain because of the Same Origin Policy. The only way to work around that is to set up some kind of "proxy" on your own server (for example an php Script) that runs under the same Domain, gets the Information you want from a third source and prints them out.

来自此处.

这篇关于使用FORM GET和IFRAME进行CSRF攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！