Iframes and Same-Origin-Policy and reverse proxy hack


Question


I have been reading up on iframes with different domains than the parent document and I am slightly confused.

I understand that if the iframe is from the same domain as its parent document, the parent document can access the iframe's document. It seems like I could circumvent this with the following hack:

  1. I set up a web server at mydomain.com
  2. I serve the original page from mydomain.com/index.html
  3. I set up a proxy on my web server for mydomain.com/othersite -> site2.com
  4. Add <iframe src="mydomain.com/othersite"> to the mydomain.com/index page

This seems like it would circumvent the same origin policy and the user would be none the wiser. Is there something I am missing?

Solution

Yes, there is something you are missing.

The Same Origin Policy secures the client-side of website access.

If you set up mydomain.com/othersite to be proxied to site2.com then the browser would not be sending the user's cookies for site2.com to your site at mydomain.com. All you would get is the cookies your site had set on mydomain.com for that user. That is, all you would be attacking was your mydomain.com session with site2.com, not the user's session with site2.com (as your reverse proxy effectively makes mydomain.com the client of this connection).

If there was a way to circumvent the Same Origin Policy this would have to be something client-side in order to have the browser send cookies to your domain.

I realise I've concentrated on cookies here; however, cookies are an easy-to-grasp example of the client objects that the Same Origin Policy protects. Your approach would allow you to manipulate the DOM of site2.com, but it would not be in the context of your visitor's access to site2.com; it would be in the context of your own access to site2.com. Nothing that the visitor accesses could be changed unless they trusted your site enough to log into the proxied version of site2.com directly.
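The following is an added example, not code from the question or the answer above. It models the two pieces the answer relies on: the browser choosing cookies by the host of each request, and a naive reverse proxy on mydomain.com that forwards what it received plus its own session. The hostnames, cookie names and values are constructed for illustration, and the proxy is assumed to pass the Cookie header through unchanged. The last function models the caveat in the answer's final paragraph: a visitor who logs in through the proxied copy hands the proxy a site2.com session, because both the login request and site2.com's Set-Cookie transit mydomain.com.

```javascript
// Added example (not from the original post). Hostnames, cookie names and
// values are constructed; the proxy is a hypothetical naive pass-through.

// Browser cookie jar: each cookie remembers the host that set it. Assumption:
// host-only cookies (no Domain attribute), so a cookie is sent back only to
// that exact host.
function cookiesFor(jar, host) {
  return jar.filter((c) => c.host === host).map((c) => `${c.name}=${c.value}`);
}

// The browser picks cookies by the request URL's host. An <iframe> pointing at
// mydomain.com/othersite is a request to mydomain.com, so the site2.com
// cookies never leave the jar.
function browserRequest(jar, url) {
  const u = new URL(url);
  const cookie = cookiesFor(jar, u.host);
  return {
    host: u.host,
    path: u.pathname,
    headers: cookie.length ? { cookie: cookie.join('; ') } : {},
  };
}

// Reverse proxy on mydomain.com mapping /othersite/* -> site2.com/*. It
// forwards the Cookie header it received (mydomain.com cookies only, because
// that is all the browser attached) and adds the session the proxy itself
// holds with site2.com. Returns null for paths the proxy does not serve.
function proxyForward(incoming, proxyJar) {
  if (incoming.host !== 'mydomain.com' || !incoming.path.startsWith('/othersite')) {
    return null;
  }
  const upstreamPath = incoming.path.slice('/othersite'.length) || '/';
  const forwarded = incoming.headers.cookie ? [incoming.headers.cookie] : [];
  const own = cookiesFor(proxyJar, 'site2.com');
  const all = forwarded.concat(own);
  return {
    host: 'site2.com',
    path: upstreamPath,
    headers: all.length ? { cookie: all.join('; ') } : {},
  };
}

// Response leg: site2.com's Set-Cookie headers arrive at the proxy, which can
// keep them for its own site2.com session before relaying. Whatever it relays
// is stored by the browser under mydomain.com, never under site2.com. This is
// the only way the visitor's site2.com session reaches the proxy: the visitor
// must log in through the proxied copy.
function proxyRelayResponse(upstream, proxyJar) {
  for (const sc of upstream.setCookie || []) {
    const [name, value] = sc.split(';')[0].split('=');
    proxyJar.push({ host: 'site2.com', name, value });
  }
  return { status: upstream.status, body: upstream.body, setCookieHost: 'mydomain.com' };
}

// Constructed scenario: the visitor has live sessions with both sites; the
// proxy holds only the attacker's own site2.com session.
function scenario() {
  const visitorJar = [
    { host: 'site2.com', name: 'sid', value: 'VICTIM-SESSION' },
    { host: 'mydomain.com', name: 'mysite', value: 'ATTACKER-SITE-SESSION' },
  ];
  const proxyJar = [{ host: 'site2.com', name: 'sid', value: 'PROXY-OWN-SESSION' }];
  const fromBrowser = browserRequest(visitorJar, 'https://mydomain.com/othersite/account');
  const toSite2 = proxyForward(fromBrowser, proxyJar);
  return { visitorJar, proxyJar, fromBrowser, toSite2 };
}

// True only if the victim's site2.com session ever appears in the upstream
// request the proxy sends to site2.com.
function victimSessionLeaks() {
  const { toSite2 } = scenario();
  return (toSite2.headers.cookie || '').includes('VICTIM-SESSION');
}

console.log('upstream request:', JSON.stringify(scenario().toSite2));
console.log('victim session forwarded:', victimSessionLeaks());
```

Running it shows the upstream request carrying `mysite=ATTACKER-SITE-SESSION` (the browser's cookie for mydomain.com) and `sid=PROXY-OWN-SESSION` (the proxy's own login), and never `VICTIM-SESSION`: the DOM the parent page can script is site2.com as seen by the proxy's session. Feeding a constructed login response through `proxyRelayResponse` is what changes that, which is why the answer ends on the visitor trusting the proxied copy enough to log in.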
