
[Repost] Understanding how JavaScript Hijacking works

I have recently been collecting material on JavaScript code security. While researching JavaScript Hijacking I found very little written about it in Chinese, so I put this summary together.

一. How JavaScript Hijacking works

JavaScript Hijacking is very close in spirit to a CSRF attack (for CSRF, see my earlier post 《浅谈CSRF攻击方式》), and its attack model can be described the same way CSRF's is:

(1). You visit a trusted site (http://www.Bank.com) as usual and log in.

(2). The trusted site authenticates you and sets a Cookie.

(3). Before you have logged out of the trusted site, you open another browser tab and visit a malicious site (www.BadGuy.com).

(4). The malicious site instructs your browser to fetch a resource from http://www.Bank.com.

(5). Your browser sends a GET request to http://www.Bank.com, attaching the Cookie from step (2).

(6). The trusted site accepts the Cookie and answers the request with a JSON array (if JSON is new to you, see 《JSON入门指南》).

(7). Your browser receives the response from http://www.Bank.com and runs it as script inside the malicious page, which then ships the JSON data off to the malicious site.

At this point the malicious site holds your data from http://www.Bank.com.

You should now have a rough idea of JavaScript Hijacking. It really is very much like CSRF; the one difference is that CSRF sends requests under your identity, whereas JavaScript Hijacking uses your identity to steal the private data the server holds about you. The reason the browser cooperates is that a `<script src="...">` tag is allowed to load a cross-origin URL and execute whatever comes back, while the same-origin policy would stop the attacker from reading the same response through XMLHttpRequest.

二. JavaScript Hijacking attack demo code:

Before looking at the code, a few points need to be clear:

(1). The malicious site has a specific target (here, http://www.Bank.com).

(2). The malicious site obtains the user's private data through the JSON array that the trusted site returns to the user (why a JSON array, and not a plain JSON object? That is explained below). In other words, the "private data" is whatever is inside that JSON array; if the trusted site returns something other than a JSON array, or the JSON contains nothing of value, the malicious site gains nothing.

(3). The malicious site must know in advance the structure of the JSON the user will get back.

(4). The malicious site can send GET requests, and only GET requests……

(5). The attack depends on browser support; why is explained below.

Now, on to the attack code:

The attack code on the malicious site www.BadGuy.com, targeting www.Bank.com:

When the user visits the malicious site:


(1). This JS code tells the browser to send a GET request to http://www.Bank.com/UserInfo, and the browser does so, attaching the locally stored Cookie.

(2). www.Bank.com receives the request, verifies the identity, and responds with a JSON array / JavaScript code fragment.

(3). When the client receives that fragment, if it is a JSON array, for example:

[{"Id":3,"Name":"hyddd","Money":10000}]
an array literal is a valid JavaScript expression statement, so the browser parses it and executes it as a script.

What if a JSON object is returned instead?

{"Id":3,"Name":"hyddd","Money":10000}
This one the browser will not execute: at the top level of a script, `{` opens a block statement, and `"Id":3` is not valid inside a block (a string literal cannot be a label), so the engine rejects the response with a syntax error instead of running it.

If an actual JavaScript script is returned, it has to be looked at case by case; you may or may not be able to get any data out of it.

(4). Look at the following JavaScript:

Its job is to send the victim's private data to the malicious site.

Some readers may not follow this, so a rough explanation:

Object.prototype.__defineSetter__ can be thought of as a Hook in JavaScript (some people call this JavaScript function hijacking; note that JavaScript function hijacking and JavaScript Hijacking are not the same concept, since the core idea of JavaScript Hijacking is the same as that of CSRF). Here a hook is placed on the Money property of Object; because every other object in JavaScript derives from Object, the snippet hooks the Money property of all objects, and whenever any object sets its Money property, the code above runs. Note that __defineSetter__ does not seem to be supported in the IE family (I tried it under IE6 and it did not work), but the Firefox family definitely supports it.

The later part, var objString=""…, is what sends the victim's information to the malicious site; I will not go into it here.

When the browser parses the JSON array from step (3), it creates a new object and assigns its properties, which triggers the code above, and the private data is sent to the malicious site.

Original article URL:
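The following is an added example, not code from the original post, that reproduces steps (3) and (4) in Node.js. Indirect eval stands in for the `<script src>` tag (both evaluate text as a global script), the sample response body is constructed with the same fields the post uses, and the `)]}',\n` prefix in the last part is a defence of the kind AngularJS's HTTP client strips automatically. It also goes one step beyond the post: since ES5, object literals create their properties with [[DefineOwnProperty]] rather than [[Put]], so an inherited setter no longer fires during literal creation, which is why this attack only worked in ES3-era engines. The block checks each claim directly.

```javascript
// Added example (not from the original post). Names such as `captured`, the
// sample bodies and the framing prefix are illustrative assumptions.

// Constructed sample of what GET /UserInfo returns (same fields as the post).
const jsonArrayBody = '[{"Id":3,"Name":"hyddd","Money":10000}]';
const jsonObjectBody = '{"Id":3,"Name":"hyddd","Money":10000}';

// A <script src="http://www.Bank.com/UserInfo"> tag hands the body to the engine as
// a global script. Indirect eval does the same here: global scope, completion value
// returned, SyntaxError thrown where a script tag would fail to parse.
function runAsScript(text) {
  return (0, eval)(text); // indirect eval: no access to this function's locals
}

// Step (3), array case: an array literal is a valid expression statement.
function arrayBodyRunsAsScript() {
  const v = runAsScript(jsonArrayBody);
  return Array.isArray(v) && v[0].Money === 10000;
}

// Step (3), object case: `{` starts a block, and `"Id":3` is not a valid label,
// so the engine rejects the body before anything runs.
function objectBodyIsSyntaxError() {
  try { runAsScript(jsonObjectBody); return false; }
  catch (e) { return e instanceof SyntaxError; }
}

// Step (4): the attacker hooks the field name they already know (Money) on
// Object.prototype. In ES3-era engines the literal's property creation went
// through [[Put]] and fired this inherited setter for every leaked value.
// In ES5+ engines the literal defines its own property directly, so the hook
// fires only on ordinary assignment; both behaviours are observed below.
function setterHookObservations() {
  const captured = [];
  Object.prototype.__defineSetter__('Money', function (v) { captured.push(v); });
  try {
    runAsScript(jsonArrayBody);           // literal creation: modern engine, no hook
    const literalHits = captured.length;
    const o = {};
    o.Money = 42;                         // plain assignment still reaches the setter
    return { literalHits, assignHits: captured.length, assignedValue: captured[0] };
  } finally {
    delete Object.prototype.Money;        // undo the prototype pollution
  }
}

// Defence: make the body unparseable as a script while the legitimate client,
// which fetches it with XMLHttpRequest, strips the prefix and calls JSON.parse.
// `)]}',\n` is chosen over `while(1);` because it fails at parse time rather
// than hanging the page, so a script tag can never reach the data.
const PREFIX = ")]}',\n";

function protectedBody(json) {
  return PREFIX + json;
}

function protectedBodyIsSyntaxError() {
  try { new Function(protectedBody(jsonArrayBody)); return false; } // parse only
  catch (e) { return e instanceof SyntaxError; }
}

function legitClientParse(body) {
  if (!body.startsWith(PREFIX)) throw new Error('unexpected response framing');
  return JSON.parse(body.slice(PREFIX.length));
}
```

Run it with node; `setterHookObservations()` returns `{ literalHits: 0, assignHits: 1, assignedValue: 42 }` on a current engine, which is the post's attack failing and the underlying hook still working. The prefix defence is a complement to, not a replacement for, the usual CSRF-style measures (serving sensitive JSON only to POST requests or only with a request token), since the browser still attaches the Cookie to the cross-site GET.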
