有一个网页有一个<textarea>
.
您可以在其中输入任何文本,<textarea>
如果您点击提交,您输入的任何内容都会呈现在屏幕上。如果您键入<script>alert('hello')</script>
并点击提交,您将收到该警报。
该网页不存储键入的文本,因此您的输入无法在其他客户端(其他用户的浏览器)上呈现。
所描述的行为是否会给网页所有者或其用户带来安全风险?
有一个网页有一个<textarea>
.
您可以在其中输入任何文本,<textarea>
如果您点击提交,您输入的任何内容都会呈现在屏幕上。如果您键入<script>alert('hello')</script>
并点击提交,您将收到该警报。
该网页不存储键入的文本,因此您的输入无法在其他客户端(其他用户的浏览器)上呈现。
所描述的行为是否会给网页所有者或其用户带来安全风险?
既然您已经标记了 this php
,大概是表单被提交到服务器端脚本,然后输入被渲染回来。这使您容易受到反射型 XSS 攻击。
<!-- on a third party site -->
<form action="http://example.com/your_script" method="post">
<input type="hidden" name="your_field" value="attack payload">
</form>
<script>document.forms[0].submit();</script>
如果不是这种情况,并且内容是使用客户端 JavaScript 添加到页面并且从不从 HTTP 请求中读取的,那么它仍然容易受到鼓励人们“将其复制/粘贴到 textarea 中!”的攻击。
攻击者可能会强迫用户意外访问您的网站。例如:
<form action="yourserver.com/insecure_site.php">
...
</form>
这允许攻击者将他想要的任何东西注入你的网站,而毫无戒心的用户正在访问。
即使表单从未提交到服务器,这样做仍然存在风险。我在这里看到的主要风险是输入字段是否可以由外部站点填充。
考虑黑客的站点可以发布到您的表单,并使用任意 javascript 代码预先填写它。
他可以发送他喜欢的任何JS 代码,这样就可以包含加载其他外部资源的代码。任何事物....
It could completely overwrite your page design to mimic that of another site, for a phishing attack. (which means that when it's discovered your site is the one that gets blocked, and not his)
It could use your site as a launch pad for sending spam. (ditto for getting blocked, and you really don't want to end up on a spam blacklist)
It could leave your site apparently unchanged, but embed a malicious library that tracks the user or exploits a vulnerability on the browser. (hackers often go to great lengths to inject a JS include into a site; here you're giving them an open door for it)
The trouble with web security is that it is an extremely broad subject -- there are so many possible ways to get hacked and so many angles you need to cover. Ultimately the only way you can keep safe is by exercising best practices at all times; even when you don't see an immediate way for data to be expolited, you should still secure it because ultimately hackers rely on the exploits that we don't see.