我可以通过简单地禁用 XSS 过滤器在 IE 中为任何/所有网站启用跨站点脚本吗? [英] Can I enable cross site scripting in IE for any/all websites by simply disabling XSS filter- or is something more required?

问题描述

我想为某些站点启用跨站点脚本.具体来说，我想向第 3 方站点提交一个 web 表单，我已经为 web 表单对子 iframe 的响应设置了目标 iframe，现在我希望主窗口中的代码检索响应网页的内容.

我认为我可以通过简单地禁用 Internet Explorer 中的 XSS 过滤器来完成上述操作是否正确?还是还需要其他东西?另外我如何在 Firefox 中启用跨站点脚本(对于相同的场景?)

解决方案

IE 的 XSS 过滤器不能防止 基于DOM的XSS.因此，为了跨域执行 javascript 负载，您可以简单地运行 eval() 请求变量或使用 document.write().

更常见的方法是使用跨域代理".主要是因为这种方法通常不会引入可用于攻击您的用户的巨大漏洞.

I want to enable cross site scripting for some sites. Specifically, I want to submit a web form to a 3rd party site, I have set the target iframe for the web form's response to a child iframe, now I want my code in main window to retrieve content of the response web page.

Am I correct in assuming that I can do the above by simply disabling the XSS Filter in Internet Explorer? Or is something else also required? Also how do I enable cross site scripting in Firefox (for the same scenario?)

解决方案

IE's XSS filter does not protect against DOM Based XSS. So in order to execute a javascript payload across domains you can simply run eval() the request variable or use document.write().

A more common approach is to use a "cross-domain proxy". Mainly because this approach usually doesn't introduce a gaping vulnerability which could be used to attack your users.

这篇关于我可以通过简单地禁用 XSS 过滤器在 IE 中为任何/所有网站启用跨站点脚本吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！