Getting around the XSS filter in web browser control


Problem description

I am working on a pet project and need to overcome a major hurdle in an application. I have checked countless forums and articles and have only found bits and pieces of what I am looking for, so I hope a more direct approach will help me.

Here's the scenario:

  1. The site is actually a game, which uses JavaScript/JSON with DHTML on a page that has several IFRAMES - two of which are deeper inside the outside page AND of a separate domain.

  2. There are NO security issues with what I am trying to do. All programming and access is limited to merely simplifying and automating normally accessed functions only. All authentication and private information is done prior to any access, and only the session information will ever be used, and only to facilitate game operations that the user knows will happen.

The idea is to use the webbrowser control to access the game and provide ordinary access, while the app hosting the browser gets the game session information and makes separate automated calls to the game servers. This has already been done via Firefox using Greasemonkey scripting, and it works well - except that Firefox has a horrible memory leak that eventually causes the whole operation to break down.

The problem I am running into is obvious. I am trying to access the iframe that is technically on a different domain, and the web browser DOM model won't let me in. I have seen enough articles to know there are several workarounds to XSS filter blocks but they are quite vague and vary depending on scenario.

So, I will outline exactly what I need in hopes that I can obtain an amicable solution...

  1. I need to obtain the DOM of a nested IFRAME of a different domain. If need be I could live with just the source, but the DOM and the JS vars would be the most ideal. My strategy here is to use the session information and make HttpWebRequest calls parallel to the web browser in-game. That way I can automate some functions while still playing. It can be done - if I can get the session information and pass it the same way. It will all be done on the same client with the user's permission and knowledge, so no security issues.

I would really like it if I could pass information BACK to that IFRAME. One of the major things this project is trying to do is make some visual changes to simplify the look and feel of the interface. It is all in HTML, so changes would simply be adding some in-line styling of JS code...

So anyways, what ideas and suggestions would work best? At this point I am open to all scenarios, but ideally something as simple as possible to get what I need. This is already a huge project :).

Thanks in advance!

Recommended answer

It's possible to bypass XSS checks and access iframes through IOleContainer, as described here. The sample is in C++, but it should not be a problem to do the same from C# with COM interop.
