使用Iframe跨站点脚本 [英] cross site scripting with Iframe
问题描述
我正在尝试跨站点脚本。我有一个网站,允许用户插入评论并在网站上查看。该网站虽然从评论过滤字符串脚本,但它允许iframe。我知道我可以嵌入一个指向我制作的网站的iframe,我可以运行我想要的任何脚本。我的问题是:我的iframe脚本能否读取原始网站发起的cookie?我已经尝试了alert(document.cookie),但它显示了一个没有任何内容的警报。当客户请求时,原始网站始终设置cookie。知道我缺少什么吗?
I am experimenting with cross site scripting. I have a website which allows users to insert comments and view them on the website. The website filters the string "script" though from the comment but it allows iframes. I understand that I could embed an iframe that points to a website that I craft and I can run whatever script I wish. My question is: will my iframe script be able to read cookies initiated by the original website? I have tried alert(document.cookie) but it shows an alert with nothing in it. The original website always sets a cookie though when a client requests it. Any idea what I am missing?
推荐答案
周围的页面都需要来自同一个域。这受到同源策略的限制,该策略指出一帧中的脚本只能访问另一帧中的数据,因为它们位于同一协议上,具有完全相同的域名并且在同一端口上运行。通过将document.domain设置为两个帧中的顶级域,可以略微放松,从而允许子域中的帧进行通信。
Both the surrounding page need to come from the same domain. This is limited by the Same Origin Policy, which states that a script in one frame may only access data in another frame given they are on the same protocol, have the exact same domain name and are running on the same port. It can be slightly relaxed by setting document.domain to the top level domain in both frames, and thus allowing frames from subdomain to communicate.
您可以尝试输入,虽然这可能会在较新的浏览器中被阻止。
You could though try to input , though that may be blocked in newer browsers.
然而,限制脚本不足以阻止XSS。还有很多其他方法。请参阅 http://html5sec.org 和 http://ha.ckers.org/xss.html
Limiting script is however not enough to stop XSS. There are many many other ways. See http://html5sec.org and http://ha.ckers.org/xss.html
这篇关于使用Iframe跨站点脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
