Web front-end Security Fundamentals and Defense (sequel)
Continuing from the previous post: because the series is also forwarded to several forums, each of which caps the number of image links per post, and the previous article had already reached that limit, the discussion continues in a new post.
Recall the attack payload from the previous article, aimed at users of the IE browser:
<script>
function XSS() {
    a = new ActiveXObject("Microsoft.XMLHTTP");   // IE's legacy ActiveX XHR object
    a.open("GET", "http://www.baidu.com", false);  // synchronous cross-domain GET
    a.send();
    b = a.responseText;                            // read the other site's response
    document.write(b);                             // and write it into this page
}
XSS();
</script>
The code above uses IE's ActiveX implementation of the XHR (XMLHttpRequest) object, Microsoft.XMLHTTP, to fetch the Baidu home page with a synchronous GET, read the returned data (responseText) from JavaScript, and write it into the current page with document.write.
This works because IE's same-origin policy does not properly constrain this ActiveX XMLHTTP object: the code above can run from an HTML file on the local hard disk (C:\Users\shayi\Desktop\Xsspayloadtest.html), whose origin has nothing to do with www.baidu.com, and still read the response. Two details matter here: the payload deliberately uses the legacy ActiveX Microsoft.XMLHTTP component rather than the native XMLHttpRequest object that IE 7 and later expose, and it runs from a page opened off the local disk, which IE treats as belonging to the more permissive Local Machine zone.
As shown in the previous post, IE in this configuration lets the XHR object load a cross-domain resource and read and write its contents. Firefox and Chrome behave differently: a page loaded from the local file system has a different origin from the Baidu home page (file:// pages get the opaque origin "null"), so they refuse to let the page's JavaScript read the data returned by the Baidu home page. In other words, the same-origin policy of these two browsers only lets XHR load and read data from the same origin as the page. The exception is Cross-Origin Resource Sharing (CORS), introduced alongside the HTML5 specifications: a cross-origin response can be read only if the target site's web server is configured to return the CORS headers (Access-Control-Allow-Origin, plus Access-Control-Allow-Credentials for requests that carry cookies) that name the requesting origin. Note that the request itself is still sent in these browsers; what they withhold from the script is the response.
The following example code tries to load a resource across domains and write it into a node of the current page's DOM, using whichever XHR object the browser supports (the native XMLHttpRequest object, or the ActiveX object on older IE):
(quoted from the book White Hat Talks Web Security, slightly modified)
<!DOCTYPE html>
The JavaScript included in the head element of the HTML document defines two functions. loadXMLDoc() creates whichever XHR object the browser supports and issues a cross-domain HTTP GET request through it.
state_change() checks the HTTP status code of the response returned by the other web server, and then either reads the response data and writes it into the current page (status code 200) or writes the error message returned by the server (any other status code).
In the body of the document (inside the body element), loadXMLDoc() is actually called to issue a cross-domain request for the home page of the Snow Forum (note that the current origin is a test HTML page on the local file system), and the response text (responseText) is then written into the innerHTML of the t1 node of the current page's DOM. A button is also added to the body; when the user clicks it, the XHR object is used again to issue a cross-domain request for my 51CTO blog page.
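The browser-side decision described above (the origin comparison, the response being withheld, and the CORS headers that change the outcome) can be modelled without a browser. The following JavaScript is an added example for this post, not code from the original article or from the White Hat book: the hosts cors.example.test and trusting.example.test, the responses in FAKE_SERVERS, and all function names are constructed for the demo, and the local page path is the one from the earlier payload test. It runs under Node.js with no network access.

```javascript
// Added example, not the post's own code: a model of how Firefox and Chrome decide
// whether a page's JavaScript may read an XMLHttpRequest response, and what a server
// must send for CORS to open that up. Hosts such as cors.example.test and the
// responses in FAKE_SERVERS are constructed for the demo; no network is used.

// Serialize a URL's origin the way browsers do: scheme://host[:port]. Pages opened
// from the local disk (file://) get the opaque origin "null".
function originOf(href) {
  const u = new URL(href);
  if (u.protocol === "file:") return "null";
  // u.port is "" for a scheme's default port, so 80 and 443 are dropped.
  return u.port ? `${u.protocol}//${u.hostname}:${u.port}` : `${u.protocol}//${u.hostname}`;
}

// Two URLs are same-origin when their serialized origins match; an opaque origin
// never matches anything, not even itself.
function sameOrigin(hrefA, hrefB) {
  const a = originOf(hrefA);
  return a !== "null" && a === originOf(hrefB);
}

// CORS read check for a plain GET, as the requesting browser applies it: the response
// must carry Access-Control-Allow-Origin naming this page's origin, or "*". "*" is
// refused when the request carried credentials (cookies, HTTP auth), and a named
// origin then also needs Access-Control-Allow-Credentials: true.
function corsReadAllowed(pageOrigin, responseHeaders, withCredentials) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (allowOrigin === "*") return !withCredentials;
  if (allowOrigin !== pageOrigin) return false;
  return !withCredentials || responseHeaders["access-control-allow-credentials"] === "true";
}

// Constructed stand-ins for the remote servers: what each URL would answer.
const FAKE_SERVERS = {
  "http://www.baidu.com/": { status: 200, headers: {}, body: "<html>baidu home page</html>" },
  "http://cors.example.test/data": {
    status: 200, headers: { "access-control-allow-origin": "*" }, body: "public data",
  },
  "http://trusting.example.test/data": {
    status: 200, headers: { "access-control-allow-origin": "null" }, body: "data meant to be private",
  },
};

// What XHR on pageHref exposes after a GET to targetHref. The request is sent either
// way; when the same-origin policy withholds the response, script sees status 0 and an
// empty responseText, which is what the local test page gets from the Baidu home page.
function xhrResult(pageHref, targetHref, withCredentials = false) {
  const resp = FAKE_SERVERS[targetHref];
  if (!resp) throw new Error("no constructed response for " + targetHref);
  const readable = sameOrigin(pageHref, targetHref) ||
    corsReadAllowed(originOf(pageHref), resp.headers, withCredentials);
  return readable ? { status: resp.status, responseText: resp.body }
                  : { status: 0, responseText: "" };
}

// Counterpart of the post's state_change(): the text written into the t1 node once
// the request completes.
function stateChangeText(result) {
  if (result.status === 200) return result.responseText;
  if (result.status === 0) return "Response withheld by the same-origin policy (no usable CORS header)";
  return "Problem retrieving data: " + result.status;
}

// Server side: the headers a site should emit to let specific origins read a response.
// Only origins on the allowlist are echoed back, and "null" is never allowed, since any
// file:// page or sandboxed iframe can present it (trusting.example.test above gets this
// wrong). Vary: Origin keeps caches from serving one origin's answer to another.
function corsHeadersFor(requestOrigin, allowlist) {
  if (requestOrigin === "null" || !allowlist.includes(requestOrigin)) return {};
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

const LOCAL_PAGE = "file:///C:/Users/shayi/Desktop/Xsspayloadtest.html"; // the post's test page
console.log(stateChangeText(xhrResult(LOCAL_PAGE, "http://www.baidu.com/")));
console.log(stateChangeText(xhrResult(LOCAL_PAGE, "http://cors.example.test/data")));
```

The trusting.example.test entry shows the practitioner's caveat: a server that answers Access-Control-Allow-Origin: null (or blindly reflects whatever Origin it receives) has handed the local test page exactly the cross-domain read that the same-origin policy was refusing; corsHeadersFor() shows the allowlist-and-echo pattern that avoids this.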
The result of running the code above in Firefox is shown in the screenshot below:
[Screenshot: Web46.png]
This article is from the blog "Freedom, equality, sharing, mutual help"; please contact the author before reproducing it.