前言:
postMessage是HTML5衍生出来的,用来规范跨域的问题。但由于使用者不注意一些安全性,可能会产生一些漏洞,这篇文章介绍可能产生的问题。
目录:
0x01:如何工作
0x02:可能的三个漏洞
0x03:正确代码
如何工作
为了跨域去发送一些数据,应用会用如下的语句去发送
targetWindow.postMessage(data, "*"); data为数据,"*"为接收端
为了去接受一些数据,接收端会添加一个事件监听器用来接受跨域传输过来的数据
window.addEventListener("message", function(message){console.log(message.data)});
可能的三个问题
Issue One:
targetWindow.postMessage(data, "*");
如上代码,第一个问题就产生在这里,当postMessage的第二个参数为"*"时,也就意味着数据可以被跨域传送到任何地方,如果这个数据为个人数据或者其他隐私呢?结果显而易见。
Issue Two:
//Listener on
window.addEventListener("message", function(message){
if(/^http://www.bywalks.com$/.test(message.origin)){
console.log(message.data);
}});
如上代码,这是产生在接收端的问题。上面的代码通过正则来规范传输端,这里我们要着重关注".",你看出问题了么?origin可以是http://www.bywalks.com,同时也可以是http://wwwabywalks.com,因为在正则里面,"."匹配\r之外的任意单字符。
Issue Three:
//Listener on
window.addEventListener("message", function(message){
if(/^http://www\.bywalks\.com$/.test(message.origin)){
document.getElementById("message").innerHTML = message.data;
}});
这是一个基于DOM的XSS,如上代码,id=message的事件文本内容为跨域传送来的data,这里规范了origin为http://www.bywalks.com
那么是否我们在http://www.bywalks.com(传输端)上面找到一个XSS漏洞,也就意味着在接收端找到一个XSS漏洞呢?要知道,在网站上载入第三方JS是一个很常见的事。
正确代码
var data = JSON.parse(decodeURIComponent(document.getElementById('data').value));
// cross browser origin determination
var origin = (window.location.protocol + '//' + window.location.hostname
+ (window.location.port ? ':' + window.location.port : ''));
if (window.opener) {
window.opener.postMessage(data, origin);
} else {
// attempt to redirect back to the origin
window.location = origin;
}
如上代码,这里就规范了origin,避免产生把data发送到其他网站的信息泄露事件、
沙发,想和您合作视频课程,有兴趣吗?
考研中..
Project page moved:
http://japanesejav.xblog.in
Just wanna remark on couple of general issues, The web site style is perfect, the subject matter is rattling excellent cbefedgdekbe
Как привлечь статусного и богатого мужчину. Как понравиться богатому мужчину? От Ирины Павловой
Milf anal interracial
Culo grande, redondo y aceitado
Beautiful Curvy Latina Webcam Oil Teaser
https://porno-canal.com/ver/asiatica-empalada-por-un-megapollon/ AsiГЎtica empalada por un MegaPollГіn - Canalporno.com
HГєmeda y pringosa Shyla Stylez
Colegiala asiГЎtica come el rabo de una transexual
Masturbation Spielzeug Closeup Video
Добрый день.РекомендуюВсемобратить вниманиеСайтanti-spazm.ru . Тут Вы увидетеконтент о спазмах сосудов в рунете.
спазм кишечника симптомы
Yep, f*kin sp*am. Yes, yes, yes, AGAIN. And - yes, IT F*KIN WORKS BECAUSE YOU READ IT! :)
Because XEvil 4.0 WAS RELEASED! It's bypass ANY captcha included ReCaptcha-2 and ReCaptcha-3.
Neeed more info (just to...maybe kill this Evil? ;))
Just Google or YouTube for it.
You'll be impressed.
Peace to you, bro! :)
Stared new concoct:
http://young.anal.backend-stack.top
Hi there! buy propecia lloyds pharmacy good internet site.
Sexy blog pictures from internet
erotic obsession erotic madonna erotic french films greek erotic hardcore sex
http://pornstars.erolove.in/?janessa
erotic asphyxiation erotic writing erotic paint por xxx videos erotic cakes
Hello! buy propecia in australia very good site.
Chit my recent project
app droid free download sono app free messaging apps for android online sex games best androids phone
http://erotic.googleplay.twiclub.in/?leaf.arianna
android application tutorial sexy photo wallpapers free download games for phones htc mobile latest best android app to download
canadian pharmacy viagra brand
canadian discount pharmacies
Hi there! buy propecia defense very good web site.
canada drugs online
online pharmacies canada
Hello there! finasteride cheaper than propecia very good web page.
no prescription pharmacy canada
best canadian mail order pharmacies
canadian pharmacies
online drugstore
Hi there! buy propecia online in india great site.
canada online pharmacies
New adult blog website
find a woman quotes waist cinchers and corsets motorcycle seat bags
http://sissy.adultnet.in/?view.kelsey
cheap clubbing holidays making a bra chastity fetish video white women pay for sex with black men stretch jeans for women slang online hair salon shops maЕ‚e bikini
top rated online canadian pharmacies
canada pharmacy
canada pharmacies online prescriptions
prescription without a doctor's prescription
"When you get into a habit [url=http://www.wholesalejerseysinsist.us.com/]Wholesale NBA Jerseys[/url] of going against the same person, you pick up on little keys and tendencies that they have, and you can sometimes play out of [url=http://www.cheapchinawholesalejerseys.us.com/]China NFL Jerseys[/url] your technique," Colts tight end Dwayne Allen said. "But going against someone new forces you to get back to [url=http://www.wholesalejerseys2018.us.com/]Wholesale Hockey Jerseys 2018[/url] the basics."
Cheap China Jerseys http://www.cheapchinawholesalejerseys.us.com/
mexican pharmacies shipping to usa
Hi! best online pharmacy for cialis beneficial web site.
Fresh home page after throw:
http://effie.posts.telrock.net
Howdy! levitra online pharmacy beneficial web site.
Latin ladyboys
http://futanari.replyme.pw/?private.berenice
seamale sex shemla.com shaemle video shemaler semales video
Hi there! buy propecia uk cheap good internet site.
legitimate canadian mail order pharmacies
Hello! buy propecia with prescription excellent web page.
canadian pharcharmy online
canada pharmacies online
Hello! on line drugs no prescription good web site.
legitimate online pharmacies
Модные пальто весна 2018 для женщин 40+
Безоперационная подтяжка и моделирование овала лица нерассасывающиеся нити Spring Thread часть 1
Hello there! no precription online pharmacy vote great web site.
viagra without a doctor prescription usa viagra without a doctor prescription uk viagra without a doctor prescription india
Howdy! Online Pharmacy great web page.
Howdy! cialis online pharmacy excellent web page.
Hello! pharmacy tech classes online very good web page.
Предлагаю Интернет Рекламу от 10 usd за Месяц https://clck.ru/EZqnP. ОПЫТ 25 лет 1. Это размещение Вашего Объявления ( типа этого) на 10 000 Досках Объявлений, формах, гостевых и т.д. и более за 10 usd за месяц. 2. Обучение интернет рекламе = 50 usd за месяц, 2. Консультации. Ответы на почти все вопросы по программам, видам заработка, проверка проектов на обман, соц.сетям, компьютеру, YouTube, продвижению и раскрутке сайта и продукта, услуг, товара = 20 usd на месяц. 3. Pinterest Профессионально. Практически все виды работ по пинтересту = 30 usd за месяц. 4. Помощь в продажах - комплекс рекламы = от 50 usd Большой рекламной работы за Месяц. И Заработок Без вложений на AminoBoosters ( aminopure, aminoserene ) от д-ра Эскеланд дешевле Ламинина (Laminine LPGN) в 3-6 раз. Спасает, когда врачи бессильны. Sкyре evg7773 Viber +380976131437 Серьезный проект для серьезных людей
Hello there! online pharmacy adderall excellent web site.
Prom Electric Ремонт частотного преобразователя Delta VFD004EL11A ID:yRWWENarqazicNofd2M2Q6sCtHGfCJ7lzmcLYf5Q49TdCyhuB9VDYr9gasMzDJquF
Blog with daily sexy pics updates
http://hotpic.erolove.in/?post.deasia
free intercourse movies of mature women tiny teen porn toddler cold hands and feet sweaty head neolamplogus cichlid pictures sex slaves indian videos
Срочный ремонт домофонов в Москве
kocom kvm 604 Ремонт домофонов Москва.......
Первые морщины или Мой крем от первых морщин! Смотрите в этом видео
Our services are the simplest system of Low priced Unique Writings. Accordingly, finding the product doesn't depart without the need of consideration our freelance writers. You will possess the ideally suited provider when you finally essay order on the web from us. Excellent company at competitively cheap unique articles reviews customwritings.
Our system offers you the terrific essay which won't be compared to all other works out your friends. Our creating professional services are considered the best option. Our cheap crafting products are merely matchless.
cheap essay service
Fractora 1