What is Cross Site Script Inclusion (XSSI)?

Question

I've recently seen XSSI mentioned on multiple pages, e.g. Web Application Exploits and Defenses:

Browsers prevent pages of one domain from reading pages in other domains. But they do not prevent pages of a domain from referencing resources in other domains. In particular, they allow images to be rendered from other domains and scripts to be executed from other domains. An included script doesn't have its own security context. It runs in the security context of the page that included it. For example, if www.evil.example.com includes a script hosted on www.google.com then that script runs in the evil context not in the google context. So any user data in that script will "leak."

I fail to see what kind of security problems this creates in practice. I understand XSS and XSRF but XSSI is a little mysterious to me.

Can anybody sketch an exploit based on XSSI?

Thanks

Answer

This is typically a problem if you are using JSONP to transfer data. Consider a website consisting of a domain A that loads data from domain B. The user has to be authenticated to site A and B, and because the Same Origin Policy prevents older browsers from communicating directly with a different domain (B) than the current page (A), the developers decided to use JSONP. So site A includes a script pointing to http://B/userdata.js which is something like:

displayMySecretData({"secret":"this is very secret", ...})

So A defines a function called displayMySecretData, and when the included script from server B runs, it calls that function and displays the secret data to the user.

Now evil server E comes along. It sees that A is including data from B using JSONP. So server E includes the same script, but defines its own displayMySecretData which instead steals the data. The attacker then tricks the user into visiting his site. When the user goes there and he is logged in to B, the browser automatically sends the authentication cookies for B along with the request to fetch the script from B. B sees an authenticated user, and thus returns the script as expected. E gets the data, and presto...

Using JSONP to load confidential data from a different domain this way is thus really insecure, but people are still using it. Bad idea!
