The JSON Hijacking vulnerability in JSONP and its relation to CSRF/XSS vulnerabilities
…studied JSONP (JSON with Padding) in some depth.
The following passage is taken from http://stackoverflow.com/questions/2067472/what-is-jsonp-all-about; read it carefully and the idea becomes fairly clear.
Say you're on domain abc.com, and you want to make a request to domain xyz.com. To do so, you need to cross domain boundaries, a no-no in most of browserland.

The one item that bypasses this limitation is <script> tags. When you use a script tag, the domain limitation is ignored, but under normal circumstances, you can't really DO anything with the results, the script just gets evaluated.

Enter JSONP. When you make your request to a server that is JSONP enabled, you pass a special parameter that tells the server a little bit about your page. That way, the server is able to nicely wrap up its response in a way that your page can handle.

For example, say the server expects a parameter called "callback" to enable its JSONP capabilities. Then your request would look like:

http://www.xyz.com/sample.aspx?callback=mycallback

Without JSONP, this might return some basic JavaScript object, like so:

{ foo: 'bar' }

However, with JSONP, when the server receives the "callback" parameter, it wraps up the result a little differently, returning something like this:

mycallback({ foo: 'bar' });

As you can see, it will now invoke the method you specified. So, in your page, you define the callback function:

mycallback = function(data){ alert(data.foo); };

And now, when the script is loaded, it'll be evaluated, and your function will be executed. Voila, cross-domain requests!
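As an added example (not part of the quoted answer or of any real xyz.com code), here is the server side of that exchange as a small JavaScript module, with the callback-name check a JSONP endpoint needs so the reflected "callback" parameter cannot carry script text, plus a simulated client-side dispatcher for the abc.com page; the function names and the sample data are assumptions.

```javascript
// Server side (xyz.com): build the padded response for ?callback=<name>.
// Only identifier-like names (dots allowed for namespaces) are accepted.
// Because the response is executed as script by the requesting page, a
// callback value such as 'alert(1);//' would otherwise be reflected into
// JavaScript verbatim, which is the XSS side of JSONP endpoints.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function buildJsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || !CALLBACK_RE.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  // The body is a JavaScript statement, not JSON: the caller's global
  // function is invoked with the serialised data as its argument.
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Headers to send with the body: declare it as script and stop browsers
// from sniffing it into another type. Note that anything returned here is
// readable by any origin that embeds the <script> tag, so data tied to the
// user's session cookie does not belong behind a JSONP endpoint (that
// exposure is the JSON hijacking problem named in the title).
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Client side (abc.com): a browser would simply execute the script text.
// This simulation parses the padding and calls the named global callback,
// so the exchange can be exercised outside a browser.
function dispatchJsonp(responseText, callbacks) {
  const m = /^([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\(([\s\S]*)\);?\s*$/
    .exec(responseText);
  if (!m) throw new Error('not a JSONP response');
  const fn = callbacks[m[1]];
  if (typeof fn !== 'function') throw new Error(`unknown callback ${m[1]}`);
  return fn(JSON.parse(m[2]));
}

// Constructed sample run: the server wraps { foo: 'bar' } for mycallback,
// and the page's mycallback receives data.foo === 'bar'.
const sampleResponse = buildJsonpResponse('mycallback', { foo: 'bar' });
dispatchJsonp(sampleResponse, { mycallback: (data) => data.foo });

module.exports = { buildJsonpResponse, jsonpHeaders, dispatchJsonp };
```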