检测 JavaScript 文件欺骗
假设我正在开发一堆 JS 小部件,这些小部件旨在嵌入到任何网页上(类似于 iGoogle、Pageflakes 小部件)。
客户端可以通过包含脚本标签来嵌入小部件:
<div id="widgetHost">
<script src="http://fantasticwidgets.net/awesomeWidget.js"></script>
<script src="http://fantasticwidgets.net/awesomeWidgetAgain.js"></script>
</div>
现在这些小部件依赖于公共库(让我们使用 jQuery、underscore 和我自己的一些库 - 例如 myCommon.js)。
理想情况下,应该发生这样的情况:
- 首先下载 Widget 的 bootstraper js
- Widget 的 bootstraper js 检查这些库文件及其所需版本是否存在(例如 jQuery v1.6.2 是否加载到页面上,myCommon v1.1 等)
- 如果其中任何一个都已加载,不请求这些文件,而仅下载缺少的脚本。
- 然后,这些脚本调用一些 Web 服务,执行一些操作并在页面上呈现 HTML。
关注:检查已加载的文件会引入脚本欺骗漏洞。恶意用户会欺骗加载后的库,并用它来窃取敏感信息或做其他坏事。
解决方案:不要检查加载的库,总是再次发送所有库。这仍然不是万无一失的,但至少让事情变得更加困难,因为他必须再次进行恶搞。 然而,这会导致带宽浪费和加载时间增加。
问题:是否可以检测加载的文件是否被篡改,最好是在客户端?或者它是否必须包含服务器端解决方案?如果重要的话,我在服务器端运行 ASP.Net。
Let's say I'm developing bunch of JS widgets that are intended to be embedded on any webpage (sort of iGoogle, Pageflakes widgets).
The client can embed the widgets by including a script tag:
<div id="widgetHost">
<script src="http://fantasticwidgets.net/awesomeWidget.js"></script>
<script src="http://fantasticwidgets.net/awesomeWidgetAgain.js"></script>
</div>
Now these widgets rely on common libraries (let's jQuery, underscore, and some of my own - e.g. myCommon.js).
Ideally, this is what should happen:
- Widget's bootstraper js is downloaded first
- Widget's bootstraper js checks for presence of these library files with their required version (say whether jQuery v1.6.2 is loaded on the page or not, myCommon v1.1 etc)
- If any of those is loaded, don't request those files, but download missing scripts only.
- These scripts then call some webservice, do some magic and render HTML on page
Concern: Checking for files already loaded introduces a vulnerability of script spoofing. A malicious user spoofs the libraries once loaded which he uses to steal sensitive info or do other bad things.
Solution: Do not check for loaded libs, send all of them again always. This is still not bulletproof but at least makes it a little harder as he has to spoof again.
However, this causes wasted bandwidth and increased loading time.
Question: Is it possible to detect if the loaded files are tampered with, preferably on the client side? Or does it have to include a server side solution? I've ASP.Net running on the server side if that matters.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这里唯一真正的解决方案是“使用 HTTPS 传送脚本”。如果坏人甚至可以使用来自另一个域的 HTTPS 内容来毒害用户的浏览器缓存,那么您的游戏就已经结束了,因为他还有权更改您提供给用户的页面。
The only real solution here is "use HTTPS to deliver the scripts." If the bad guy can go so far as to poison the user's browser cache with HTTPS content from another domain, it's already game over for you, because he would also have power to change the page you deliver to the user.