通过地址栏访问Cookie的值 [英] Accessing a cookie's value through the Address Bar
问题描述
假设我的网站上的用户有来自其他网站的Cookie,而且我知道Cookie的名称。基本上我想做的是给用户一个链接到地址栏,并与它一个Javascript代码,将激活该cookie的值(让我们称之为cookieJoe)。例如:
我的网站会给用户这个链接:Examplesite.com/page=(这里是代码,将激活一个特定的cookie值与javascript或某物)
在读取值后,输出必须是这样:Examplesite.com/page=54(假设Cookie的值为54)。
我不能用普通的脚本,因为我无法控制Examplesite.com的Cookie(我不拥有该网站)。所以我想,为什么不给用户一个链接,浏览器会认为用户请求收取这些cookie(这是真的,因为他是粘贴它),而不是一些随机的网站。然后所有的用户将要做的是将其粘贴到地址栏,地址栏将激活它...我不知道这是甚至可能。任何答案将不胜感激。
在Firebug和其他浏览器开发工具之前,网址栏以查看网站Cookie:
javascript:alert(document.cookie)
所以,我刚刚去google.com,然后在我的Mac(OS X 10.8)上使用Firefox 19,Chrome 26和Safari 6。
Chrome让我输入 javascript:alert(document.cookie),但是当我将它粘贴到网址栏,它剥离了 javascript:,只是粘贴了 alert(document.cookie),它运行google搜索。 p>
Safari在粘贴时警告cookie,但Firefox不允许粘贴或输入。
输入,并具有混合结果。使用来自另一个网站的链接,以及所有跨域安全问题,这不会工作。如果您认为,这确实是跨网站指令码(XSS)的另一种形式攻击。
Let's say that a user on my site has a cookie from another site and I know the cookie's name. Basically what I am trying to do is to give users a link to the address bar, and with it a Javascript code which will activate that cookie's value(lets call that cookie "Joe"). For example:
My site will give the user this link: Examplesite.com/page=(here is the code which will activate a specific cookie value with javascript or something)
the output will have to be something like this after reading the value: Examplesite.com/page=54 (lets say that the cookie's value was 54).
I can't do it with normal scripting, since I can't control Examplesite.com cookies (I do not own that website). So I figured, why not give the users a link which the browser will think that the user requested to accsses those cookies(and thats actually true, since he is pasting it), and not some random website. Then all the user will have to do is to paste the it into the address bar, and the address bar will activate it... I am not sure this is even possible. Any answer will be appreciated.
Before the days of Firebug and other browser development tools, I used to type the following into the URL bar to see the sites cookies:
javascript:alert(document.cookie)
So, I just went to google.com, then tried this with Firefox 19, Chrome 26 and Safari 6 on my Mac (OS X 10.8).
Chrome let me type javascript:alert(document.cookie), but when I paste it into the URL bar, it stripped the javascript: and just pasted alert(document.cookie), which ran a google search.
Safari alerted the cookies on paste, but Firefox would not allow pasting, nor typing.
Those results were direct user input, and had mixed results. With a link from another site, and all the "cross domain" security issues, this is not going to work. If you think of it, this is really another form of a Cross-site scripting (XSS) attack.
这篇关于通过地址栏访问Cookie的值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
