"Anti-XSS protection" by prepending )]}' to ajax responses
Google Plus returns ajax requests with )]}'
on the first line. I heard it is protection against XSS. Are there any examples of what and how anyone could do with this without that protection?
Comments (2)
Here's my best guess as to what's happening here.
First off, there are other aspects of the Google JSON format that aren't quite valid JSON. So, in addition to any protection purposes, they may be using this specific string to signal that the rest of the file is in google-json format and needs to be interpreted accordingly.
Using this convention also means that the data feed won't execute from a call from a script tag, nor by interpreting the JavaScript directly from an eval(). This ensures front-end developers are passing the content through a parser, which will keep any implanted code from executing.
So to answer your question, there are two plausible attacks that this prevents, one cross-site through a script tag, but the more interesting one is within-site. Both attacks assume that:
As a simple example, let's say a user figured out how to take a string like example
and changed it to "];alert('example');
Now, when that data shows up in another user's feed, the attacker can execute arbitrary code in the user's browser. Since it's within-site, cookies are being sent to the server and the attacker could automate things like sharing posts or messaging people from the user's account.
In the Google scenario, these attacks won't work for a number of reasons. The first 5 characters will cause a JavaScript error before the attack code is run. Plus, since developers are forced to parse the code instead of accidentally running it through an eval, this practice will prevent code from being executed anyway.
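As an added example (not code from this answer or from Google), here is how a client should consume a feed carrying the )]}' prefix, together with a check of the claim above that the prefix turns the body into a syntax error while an unprefixed array body would compile as script. XSSI_PREFIX, parseProtectedJson, isExecutableAsScript and the sample feed are assumptions constructed for this example.

```javascript
// Assumed prefix layout: )]}' on its own first line (5 characters including the newline).
const XSSI_PREFIX = ")]}'\n";

// Defensive client-side reader: refuse a body without the prefix, then hand the
// remainder to a real JSON parser instead of eval(). A missing prefix is treated
// as an error so a client cannot silently accept an unprotected feed.
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("missing anti-XSSI prefix");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Would this text run if it were loaded via <script> or eval()? new Function()
// only compiles the text, it never executes it; a SyntaxError means the browser
// would have rejected the body before any embedded code could run.
function isExecutableAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample feed (hypothetical shape): the injected text from the answer
// is embedded as an ordinary, properly escaped JSON string value.
const injected = "\"];alert('example');";
const feed = XSSI_PREFIX + JSON.stringify([{ text: injected }]);

function demo() {
  const parsed = parseProtectedJson(feed);
  return {
    // false: ")" at the start of the body is a SyntaxError before anything runs
    prefixedIsExecutable: isExecutableAsScript(feed),
    // true: a bare top-level array literal is a valid JavaScript statement
    bareIsExecutable: isExecutableAsScript(feed.slice(XSSI_PREFIX.length)),
    // true: the JSON parser keeps the injected text as data, not code
    injectedStaysString: parsed[0].text === injected,
  };
}
```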
As others said, it's a protection against Cross-Site Script Inclusion (XSSI).
We explained this on Gruyere as: