这不是一个应用程序(*) 漏洞吗? (Javascript 和 HTTP)
只是想知道。这难道不被视为威胁吗? 假设 192.168.0.1 是一个网络路由器,在端口 80 上有一个管理面板。如果您让用户执行类似的代码片段,您是否能够“暴力破解”密码?考虑到网络路由器等网络设备通常具有默认用户名和密码。
<script>
function imgerror(data)
{
alert('The following '+data.src+ ' failed due to wrong password/username.');
}
</script>
<img src="user:[email protected]/menu_button.gif" onerror="imgerror(this)">
在本例中,menu_button.gif 是管理面板中使用的按钮 - 并受 http 基本身份验证保护。
just wondering. Isn't this considered a threat?
Let's say that 192.168.0.1 is a networkrouter with a administrationpanel on port 80. If you get a user to execute a similar snippet, wouldn't you be able to "bruteforce" the password? Considering network devices like networkrouters often feature default usernames and passwords.
<script>
function imgerror(data)
{
alert('The following '+data.src+ ' failed due to wrong password/username.');
}
</script>
<img src="user:[email protected]/menu_button.gif" onerror="imgerror(this)">
menu_button.gif is in this case a button used in the administrationpanel - and protected by http basic authentication.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果开发人员/网络管理员不关心其网络的安全性,那么这只会是一个漏洞。
It would only be a vulnerability if the developer/network administrator didn't care about security on their network.
这是非常古老的想法 http://web .archive.org/web/20070315010517/www.spidynamics.com/spilabs/js-port-scan/
尝试一下这个,并在下面的 iframe 中找到跨网络警告*。
技术各不相同,本质是相同的 - 在防火墙的可信端执行脚本
It is VERY old idea http://web.archive.org/web/20070315010517/www.spidynamics.com/spilabs/js-port-scan/
Try this one, and find crossnetwork warning in the iframe below*.
Techniques varies, the essence is the same - to execute script at the trusted side of firewall
这是可能的,甚至可以通过更多的 JS/Ajax 行变得更加复杂(参见 XXS) 。
这意味着你不能信任任何人,即使是在你自己的网络中。如果你不能信任任何人并且你有一个基本的安全模式(如基本的http身份验证),你必须使用难以破解的密码,或者如果安全是一个问题(大多数私人用户根本不知道安全意味着什么),你必须应用安全协议。
如果您使用标准或空白密码,就可以打开门。
This is possible, even more sofisticated with some more lines of JS/Ajax (see XXS).
What that means is you cannot trust NOBODY, even in your own network. If you cannot trust nobody and you have a basic security schema (as basic http authentification) you must use hard breakable passwords or if security is an issue (most private users do not know what security means at all) you MUST apply secure protocols.
If you use standard or blank passwords is leting the door open.