在javascript中显示Facebook用户访问令牌的安全隐患是什么？ [英] What are the security risks in exposing facebook user access token in javascript?

问题描述

假设我的应用程序有一个访问令牌给一些Facebook用户。
将JS代码中的访问令牌暴露给访问我的站点的其他用户有安全风险吗？如果是这样，他们可以做什么？

解决方案

你有风险

1. 困惑的副手 - 您的代码授予权限代码可能会故意滥用这些权限，或代表更恶意的代码行事。


2. 通过代码注入（XSS） - 通过XSS漏洞注入到页面中的代码可能会被盗用凭据，然后用于代表用户采取行动，可能会生成日志将您作为罪魁祸首。


3. 通过窃听窃取窃贼 - 如果浏览器和服务器之间的连接存在非HTTPS内容，则具有读取数据包能力的窃听者可以窃取凭据。


4. 恶意软件窃取 - 如果用户的c上运行恶意软件omputer，然后将这些凭据发送到浏览器将它们暴露给该恶意软件。恶意软件可能必须读取浏览器进程所拥有的内存或浏览器写入的缓存文件。

Suppose that my application has an access token to some facebook user. Is there a security risk in exposing this access token in JS Code to some other users which visit my site? If so, what can they do with it?

解决方案

You are at risk of

1. Confused deputy -- your code is granting privileges to code that might abuse those privileges either intentionally or by acting on behalf of yet more code that is malicious.
2. Theft via code injection (XSS) -- the credentials could be stolen by code injected into your page via an XSS vulnerability and then used to act on the user's behalf, possibly generating logs which indict you as the culprit.
3. Theft via eavesdropping -- if there is non-HTTPS content going across the connection between the browser and your server, then an eavesdropper with the ability to read packets could steal the credentials.
4. Theft by malware -- if there is malware running on the user's computer, then sending those credentials to the browser exposes them to that malware. The malware would probably have to read memory owned by the browser process or cache files written by the browser.

这篇关于在javascript中显示Facebook用户访问令牌的安全隐患是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！