使用 FORM GET 和 IFRAME 进行 CSRF 攻击
CSRF attack with FORM GET and IFRAME
我尝试使用以下代码查看网站是否易受 CSRF 攻击
<html>
<body>
<div>
<iframe width="0" height="0" border="0" name="dummyframe" id="dummyframe"></iframe>
<form action="TARGET_SITE" method="GET" id="get_site" target="dummyframe"></form>
<script>
document.getElementById("get_site").submit();
var e = document.getElementById("dummyframe");
if(e != null) {
alert(e.contentWindow.document.body.innerHTML);
}
</script>
</div>
</body>
</html>
这里添加iframe标签是为了避免从java脚本提交表单时页面重定向。提交表单时,我确实看到 HTML 响应,其中包含一些我想要访问的有趣信息。
但是我如何从 iframe 或表单标记访问 HTML 响应,示例中的警报 window 会弹出,但它不会打印任何内容。
谢谢
如果你只想获取外部页面的HTML并将其添加到<iframe>,那么你需要使用服务器端语言(NodeJS,PHP, Python), 因为这个原因(感谢@Hannes):
All common Browsers do not allows Javasript Calls to access any Pages with another (sub)Domain because of the Same Origin Policy. The only way to work around that is to set up some kind of "proxy" on your own server (for example an php Script) that runs under the same Domain, gets the Information you want from a third source and prints them out.
摘自 here.
我尝试使用以下代码查看网站是否易受 CSRF 攻击
<html>
<body>
<div>
<iframe width="0" height="0" border="0" name="dummyframe" id="dummyframe"></iframe>
<form action="TARGET_SITE" method="GET" id="get_site" target="dummyframe"></form>
<script>
document.getElementById("get_site").submit();
var e = document.getElementById("dummyframe");
if(e != null) {
alert(e.contentWindow.document.body.innerHTML);
}
</script>
</div>
</body>
</html>
这里添加iframe标签是为了避免从java脚本提交表单时页面重定向。提交表单时,我确实看到 HTML 响应,其中包含一些我想要访问的有趣信息。
但是我如何从 iframe 或表单标记访问 HTML 响应,示例中的警报 window 会弹出,但它不会打印任何内容。
谢谢
如果你只想获取外部页面的HTML并将其添加到<iframe>,那么你需要使用服务器端语言(NodeJS,PHP, Python), 因为这个原因(感谢@Hannes):
All common Browsers do not allows Javasript Calls to access any Pages with another (sub)Domain because of the Same Origin Policy. The only way to work around that is to set up some kind of "proxy" on your own server (for example an php Script) that runs under the same Domain, gets the Information you want from a third source and prints them out.
摘自 here.