这是安全性,XSS还是CSRF?

时间:2022-03-13 05:04:51

Lets say my javascript makes an ajax-request and in the callback-function it does eval(response_text) without checking the response_text for anything.

让我们说我的javascript发出一个ajax请求,并且在回调函数中它执行eval(response_text)而不检查response_text的任何内容。

Something tells me this is not good, but why and how could it be epxloited? Wont it be always my server which will send it good data?

有些东西告诉我这不好,但是为什么以及它怎么可能是epxloited?不总是我的服务器会发送好的数据吗?

1 个解决方案

#1


1  

That would be vulnerable to an XSS if it comes from an untrusted source. The attacker can call a function on your site.

如果它来自不受信任的来源,那将很容易受到XSS的攻击。攻击者可以调用您站点上的某个功能。

Think of a situation where the attacker appends a script tag to the document that loads a script from his site.

考虑一下攻击者将脚本标记附加到从其站点加载脚本的文档的情况。

#1


1  

That would be vulnerable to an XSS if it comes from an untrusted source. The attacker can call a function on your site.

如果它来自不受信任的来源,那将很容易受到XSS的攻击。攻击者可以调用您站点上的某个功能。

Think of a situation where the attacker appends a script tag to the document that loads a script from his site.

考虑一下攻击者将脚本标记附加到从其站点加载脚本的文档的情况。