Why is cross-domain Ajax a security concern?


Question

Why was it decided that using XMLHTTPRequest for doing XML calls should not do calls across the domain boundary? You can retrieve JavaScript, images, CSS, iframes, and just about any other content I can think of from other domains. Why are the Ajax HTTP requests not allowed to cross the domain boundaries? It seems like an odd limitation to impose, considering that the only way I could see it being abused would be if someone were to inject JavaScript into the page. However, in this case, you could simply add an img, script, or iframe element to the document to get it to request the third party URL and send it to the server.

[Edit]

Some of the answers point out the following reasons, let's point out the reasons they don't create a major reason to disallow this.

XSRF (Cross Site Request Forgery, also known as CSRF, XSRF)

You can do XSRF attacks without using this at all. As a general rule, XMLHTTPRequest isn't used at all, simply because it's so hard to make an XMLHTTPRequest in a way that's compatible with all major browsers. It's much easier to just add an img tag pointing at the URL if you want them to load your URL.

Posting to third party site

<script type="text/javascript">
  $.post("http://some-bank.com/transfer-money.php", 
         { amount: "10000", to_account: "xxxx" })
</script>

Could be accomplished with

<body onload="document.getElementById('InvisbleForm').submit()">
    <div style="display:none">
        <form id="InvisbleForm" action="http://some-bank.com/transfer-money.php" method="POST">
            <input type="hidden" name="amount" value="10000">
            <input type="hidden" name="to_account" value="xxxxx">
        </form>
    </div>
</body>

JPunyon: why would you leave the vulnerability in a new feature

You aren't creating any more insecurities. You are just inconveniencing developers who want to use it in a way for good. Anybody who wants to use this feature for evil (aka awesome) could just use some other method of doing it.

Conclusion

I'm marking the answer from bobince as correct because he pointed out the critical problem. Because XMLHTTPRequest allows you to post, with credentials (cookies), to the destination site and read the data sent back from the site, along with sending the person's credentials, you could orchestrate some JavaScript that would submit a series of forms, including confirmation forms, complete with any random keys generated that were put in place to try to prevent an XSRF. In this way, you could browse through the target site, like a bank, and the bank's webserver would be unable to tell that it wasn't just a regular user submitting all these forms.

Answer

Why are Ajax HTTP Requests not allowed to cross domain boundaries.

Because AJAX requests are (a) submitted with user credentials, and (b) allow the caller to read the returned data.

It is a combination of these factors that can result in a vulnerability. There are proposals to add a form of cross-domain AJAX that omits user credentials.

you could simply add an img, script, or iframe element to the document

None of those methods allow the caller to read the returned data.

(Except scripts where either it's deliberately set up to allow that, for permitted cross-domain scripting - or where someone's made a terrible cock-up.)

You can do XSS attacks without using this at all. Posting to third party site

That's not an XSS attack. That's a cross-site request forgery attack (XSRF). There are known ways to solve XSRF attacks, such as including one-time or cryptographic tokens to verify that the submission came deliberately from the user and was not launched from attacker code.

If you allowed cross-domain AJAX you would lose this safeguard. The attacking code could request a page from the banking site, read any authorisation tokens on it, and submit them in a second AJAX request to perform the transfer. And that would be a cross-site scripting attack.
