blocks|key|306371|text|是的，当callback像这样|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|306372|(function+xss(x){evil()})|code-block|syntax|javascript|306373|当您从php回显时，将如下所示|306374|(function+xss(x){evil()})(json)|306375|函数xss将会运行，sending+()可以是一些将cookie发送到其他地方的代码。|306376|因此，仅将其清理为有效函数名称，例如，将其限制为字母数字|306377|entityMap^0|4|8|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@$9|V|A|W|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|X|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|Y|8|@]|D|@]|E|$]]|$1|M|3|N|5|H|7|Z|8|@]|D|@]|E|$I|J]]|$1|O|3|P|5|6|7|10|8|@]|D|@]|E|$]]|$1|Q|3|R|5|6|7|11|8|@]|D|@]|E|$]]|$1|S|3|-4|5|6|7|12|8|@]|D|@]|E|$]]]|T|$]]

Yes, when <code>callback</code> is like 

<pre><code>(function xss(x){evil()})
</code></pre>

When you echo back from php, will looks like

<pre><code>(function xss(x){evil()})(json)
</code></pre>

function xss will run and evil() can be some codes sending cookies to somewhere else.

So, sanitize it to only valid function names, for example, limit it to alphanumeric

blocks|key|309463|text|是的，您需要对回调参数进行清理。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|309464|JSONP基本上是一种自我造成的XSS攻击。当(临时)将带有url的脚本标记插入到不同的主机名并让它调用页面上的全局函数或方法时，重要的是至少要采取一些预防措施，将"+callback“限制为一个回调名称。|309465|从语法上讲，回调名称应该像标识符一样简单。您可以考虑对象属性。我建议不要使用圆括号，因为这可能会启用函数调用等。|309466|下面是一个同时支持JSON和JSONP的基本API示例。它是用PHP编写的(从MediaWiki的API简化而来)，但也可以用其他编程语言创建类似的结构。|309467|<?php

//+Simulate+the+response+data
$responseData+=+[
++++'foo'+=>+'bar',
++++'count'+=>+['one',+'two',+'three'],
++++'total'+=>+3,
];

//+Prepare+to+send+the+response
$prefix+=+'';
$suffix+=+'';
$ctype+=+'application/json';

if+(isset($_GET['callback']))+{
++++$ctype+=+'text/javascript';
++++//+Sanitize+callback
++++$callback+=+preg_replace("/[%5E][.\\'\\\"_A-Za-z0-9]/",+'',+$_GET['callback']);

++++$prefix+=+$callback+.+'(';
++++$suffix+=+')';
}

//+Send+the+response
header("Content-Type:+$ctype;+charset=UTF-8",+true);
print+$prefix+.+json_encode($responseData)+.+$suffix;
exit;|code-block|syntax|javascript|309468|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|O|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|P|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|Q|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|R|8|@]|9|@]|A|$]]|$1|H|3|I|5|J|7|S|8|@]|9|@]|A|$K|L]]|$1|M|3|-4|5|6|7|T|8|@]|9|@]|A|$]]]|N|$]]

Yes, you need to sanitize the callback parameter.

JSONP is basically a self-inflicted XSS attack. When (temporarily) inserting of script tag with a url to a different hostname and letting it call a global function or method on your page, it is important to at least take some precautions that you limit "callback" to be nothing more but a callback name.

A callback name should, syntactically, be as simple as an identifier. You could make an allowance for object properties. I would recommend against allowing parentheses, since that might enable function invocations, etc.

Below is an example of a basic API that supports both JSON and JSONP. It is written in PHP (simplified from MediaWiki's API), but similar structures can be created in other programming languages.

<pre class="lang-php prettyprint-override"><code>&lt;?php

// Simulate the response data
$responseData = [
 'foo' =&gt; 'bar',
 'count' =&gt; ['one', 'two', 'three'],
 'total' =&gt; 3,
];

// Prepare to send the response
$prefix = '';
$suffix = '';
$ctype = 'application/json';

if (isset($_GET['callback'])) {
 $ctype = 'text/javascript';
 // Sanitize callback
 $callback = preg_replace("/[^][.\\'\\\"_A-Za-z0-9]/", '', $_GET['callback']);

 $prefix = $callback . '(';
 $suffix = ')';
}

// Send the response
header("Content-Type: $ctype; charset=UTF-8", true);
print $prefix . json_encode($responseData) . $suffix;
exit;
</code></pre>

blocks|key|3259659|text|您希望确保回调是有效的标识符，可以是字母数字、下划线或$。它也不能是保留字(为了彻底起见，我要确保它不是undefined、NaN或Infinity)。这是我使用的测试：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|3259660|function+valid_js_identifier(+$callback+){
++++return+!preg_match(+'/[%5E0-9a-zA-Z\$_]%7C%5E(abstract%7Cboolean%7Cbreak%7Cbyte%7Ccase%7Ccatch%7Cchar%7Cclass%7Cconst%7Ccontinue%7Cdebugger%7Cdefault%7Cdelete%7Cdo%7Cdouble%7Celse%7Cenum%7Cexport%7Cextends%7Cfalse%7Cfinal%7Cfinally%7Cfloat%7Cfor%7Cfunction%7Cgoto%7Cif%7Cimplements%7Cimport%7Cin%7Cinstanceof%7Cint%7Cinterface%7Clong%7Cnative%7Cnew%7Cnull%7Cpackage%7Cprivate%7Cprotected%7Cpublic%7Creturn%7Cshort%7Cstatic%7Csuper%7Cswitch%7Csynchronized%7Cthis%7Cthrow%7Cthrows%7Ctransient%7Ctrue%7Ctry%7Ctypeof%7Cvar%7Cvolatile%7Cvoid%7Cwhile%7Cwith%7CNaN%7CInfinity%7Cundefined)$/',+$callback);
}|code-block|syntax|javascript|3259661|许多保留字是没有意义的，但其中一些可能会导致错误或无限循环。|3259662|要点：不仅仅是通过替换字符来清理输入；修改后的回调可能运行时没有错误，并且返回的数据将不会得到正确处理(或者甚至可能被错误的函数处理)。您希望测试输入是否有效，如果不是，则抛出错误。这将避免意外行为，并通知开发人员需要不同的回调。|BOLD|3259663|注意:这是一个更安全但有限的JSONP版本，不允许表达式或细化。我发现它对大多数应用程序都很有效，特别是当您使用jQuery和$.getJSON时|3259664|entityMap^0|1G|9|1Q|3|1U|8|0|0|0|0|3|0|1R|9|0^^$0|@$1|2|3|4|5|6|7|T|8|@$9|U|A|V|B|C]|$9|W|A|X|B|C]|$9|Y|A|Z|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|10|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|11|8|@]|D|@]|E|$]]|$1|M|3|N|5|6|7|12|8|@$9|13|A|14|B|O]]|D|@]|E|$]]|$1|P|3|Q|5|6|7|15|8|@$9|16|A|17|B|C]]|D|@]|E|$]]|$1|R|3|-4|5|6|7|18|8|@]|D|@]|E|$]]]|S|$]]

You want to ensure the callback is a valid identifier, which can be alphanumeric, underscore, or $. It also cannot be a reserved word (and just to be thorough I would make sure it is not <code>undefined</code>, <code>NaN</code>, or <code>Infinity</code>). This is the test I use: 

<pre><code>function valid_js_identifier( $callback ){
 return !preg_match( '/[^0-9a-zA-Z\$_]|^(abstract|boolean|break|byte|case|catch|char|class|const|continue|debugger|default|delete|do|double|else|enum|export|extends|false|final|finally|float|for|function|goto|if|implements|import|in|instanceof|int|interface|long|native|new|null|package|private|protected|public|return|short|static|super|switch|synchronized|this|throw|throws|transient|true|try|typeof|var|volatile|void|while|with|NaN|Infinity|undefined)$/', $callback);
}
</code></pre>

Many of the reserved words are pointless, but some of them could cause errors or infinite loops.

Important: do not just sanitize the input by replacing characters; the modified callback could run without error and the data returned will not be handled properly (or could even be handled by the wrong function). You want to test if the input is valid, and throw an error if it's not. This will avoid unexpected behavior and notify the developer that a different callback is needed.

note: This is a safer, but limited, version of JSONP that does not allow expressions or refinement. I've found it works great for most applications, especially if you are using jQuery and <code>$.getJSON</code>

blocks|key|3259698|text|是。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3259699|正如@YOU所描述的，攻击者可以手工创建一个回调参数，其计算结果为恶意javascript，或者更糟糕的是，malicious+Flash。|offset|length|3259700|根据@Brett-Wejrowski的描述，验证回调不是保留字并且是字母数字，这是一个很好的开始。|3259701|谷歌、Facebook和Github正在通过在jsonp回调中预先添加一个空注释(如/**/+)来缓解Rosetta+Flash漏洞。|3259702|另一种方法是返回一个更安全的javascript表达式，就像ExpressJS做的那样：|3259703|typeof+callbackstring+===+'function'+&&+callbackstring(.....);|code-block|syntax|javascript|3259704|entityMap|0|LINK|mutability|MUTABLE|url|http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/^0|0|1I|F|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Y|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Z|8|@]|9|@$D|10|E|11|1|12]]|A|$]]|$1|F|3|G|5|6|7|13|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|14|8|@]|9|@]|A|$]]|$1|J|3|K|5|6|7|15|8|@]|9|@]|A|$]]|$1|L|3|M|5|N|7|16|8|@]|9|@]|A|$O|P]]|$1|Q|3|-4|5|6|7|17|8|@]|9|@]|A|$]]]|R|$S|$5|T|U|V|A|$W|X]]]]

Yes.

As described by @YOU an attacker could craft a callback parameter that evaluates to malicious javascript, or worse, <a href="http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/" rel="nofollow">malicious Flash</a>.

Validating that the callback isn't a reserved word and is alpha-numeric as described by @Brett-Wejrowski is a good start.

Google, Facebook and Github are mitigating the Rosetta Flash vulnerability by pre-pending an empty comment, like /**/, to the jsonp callback.

Another approach would be to return a safer javascript expression like ExpressJS does:

<pre><code>typeof callbackstring === 'function' &amp;&amp; callbackstring(.....);
</code></pre>

I would like to offer a webservice via JSONP and was wondering, if I need to sanitize the value from the callback parameter.

My current server side script looks like this currently (More or less. Code is in PHP, but could be anything really.):

<pre><code>header("Content-type: application/json; charset=utf-8");
echo $_GET['callback'] . '(' . json_encode($data) . ')';
</code></pre>

This is a classic XSS-vulnerability.

If I need to sanitize it, then how? I was unable to find enough information about what might be allowed callback strings. I quote from <a href="http://en.wikipedia.org/wiki/JSON#JSONP" rel="noreferrer">Wikipedia</a>:

<blockquote>
 While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other Javascript statement prefix.
</blockquote>

Do I need to sanitize the callback parameter from a JSONP call?

我想通过JSONP提供一个was服务，我想知道我是否需要清理回调参数的值。我目前的服务器端脚本看起来像这样(或多或少。代码是用PHP编写的，但实际上可以是任何东西。)：header("Content-type: application/json; charset=utf-8");echo $_GET['callback...

问我需要清理JSONP调用中的回调参数吗？
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问我需要清理JSONP调用中的回调参数吗？EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问我需要清理JSONP调用中的回调参数吗？
EN