PHP & JavaScript: How to protect against web hackers for POST and GET methods?

感情迁移 submitted on 2020-03-05 07:15:19

Question


Here is my sample.html file, located at http://www.aaa.com/sample.html

<html>
<head>
  <!-- jQuery must be loaded before $.post can be used -->
  <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
  <script>
    $(document).ready(function(){
      // same-origin POST to the API endpoint
      $.post('http://www.aaa.com/api/_file.php?act=add', {val : '1234'});
    });
  </script>
</head>
<body>

</body>
</html>

and this is my PHP file that receives the request from the sample.html file

<?php
  // dispatch on the "act" query parameter (null when absent)
  switch($_GET['act'] ?? null){
    case 'add' :
      doFunction();
      break;
  }

  // echoes the POSTed value straight back, unescaped
  function doFunction(){
    echo $_POST['val'] ?? '';
  }

?>

and if I have another HTML page like hack.html that is located on another website, for example http://www.bbb.com/hack.html

<html>
<body>
  <!-- plain link: the browser sends a GET request to aaa.com's endpoint -->
  <a href="http://www.aaa.com/api/_file.php?act=add">Hack them!!!</a>
</body>
</html>

Can I use the bbb.com website to access data in aaa.com by clicking some link? If yes, how do I protect against it?

Any idea? or better way?

Regards. (^^)


Answer 1:


There are two possible problems here.

  1. Cross-site scripting (XSS)
  2. Cross-site request forgery (CSRF)

Defend against the first by:

  • Not allowing users to add HTML to the site (for themselves or any other user). Run htmlspecialchars over all data before outputting it to the site. If you are setting attribute values instead of data that appears between tags, then you need to take additional steps (e.g. forbidding data: or javascript: scheme URIs).
  • Parsing all HTML input and running it through a whitelist before outputting it.

Defend against the second by:

  1. Starting a session and storing a random value in the session data when the user first visits a non-editing page. (You will probably want to generate a new token periodically.)
  2. Including that value in any form you use that can make changes (or in the query string if you are using a link, but you shouldn't be: GET requests are supposed to be safe).
  3. Rejecting any request that doesn't have a value in the form data that matches the value in the session. (A third-party site can't read it from the session, so it wouldn't know what value to use.)
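The following is an added example, not the answerer's or the asker's code, showing both defences from the answer applied to the question's endpoint: the three CSRF-token steps (generate into the session, embed in the request, reject on mismatch) and htmlspecialchars on output. For self-containment it puts the page that emits the token and the endpoint that checks it in one file; the POST field name `csrf_token`, the helper names `csrfToken`, `csrfValid`, `h` and `renderSamplePage`, and the same-origin path `/api/_file.php` are assumptions for the example.

```php
<?php
// Added example (not from the original post). Assumes the browser carries the
// PHP session cookie to the endpoint and that the POST body field holding the
// token is named "csrf_token" (a name chosen for this example).
declare(strict_types=1);

session_start();

const CSRF_FIELD = 'csrf_token';

// Step 1: create a random token on a non-editing visit and keep it in the
// session. A page on bbb.com cannot read aaa.com's session, so it cannot
// learn this value.
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Step 3: accept a state-changing request only when the submitted token
// matches the session token. hash_equals() compares in constant time.
function csrfValid(array $post): bool
{
    $expected = $_SESSION[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// XSS defence: escape anything user-controlled before it lands in HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Step 2: the page that performs the POST embeds the session token in the
// request body, so the browser sends it along with "val".
function renderSamplePage(string $token): string
{
    $tpl = <<<'HTML'
<!doctype html>
<html>
<head><script src="https://code.jquery.com/jquery-3.6.0.min.js"></script></head>
<body>
<script>
  $(function () {
    $.post('/api/_file.php?act=add', {val: '1234', csrf_token: '%s'});
  });
</script>
</body>
</html>
HTML;
    return sprintf($tpl, h($token));
}

// The hardened version of the question's doFunction(): output is escaped,
// so a value like <script>alert(1)</script> is rendered as text.
function doFunction(string $val): void
{
    echo h($val);
}

// Only POST may change state, so the GET link in hack.html never reaches
// doFunction(); a cross-site POST without a matching token is rejected too.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['act'] ?? '') === 'add') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    doFunction((string)($_POST['val'] ?? ''));
} elseif ($_SERVER['REQUEST_METHOD'] === 'GET') {
    echo renderSamplePage(csrfToken());
}
```

A forged POST from bbb.com (for example an auto-submitting form) still reaches the endpoint with the victim's session cookie, but it fails csrfValid() because the attacker's page cannot obtain the session token to include in the body; the plain "Hack them!!!" link fails earlier because a GET is never dispatched to doFunction().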


Source: https://stackoverflow.com/questions/4784187/php-javascript-how-to-protect-web-hacker-for-post-and-get-method
