我们正在进行安全评估.
We are doing a security evaluation.
尽管我们不确定是否可以真正利用它,但是恶意用户仍有可能将任意CSS注入到另一个用户的网页中.
There is a chance that a malicious user can inject arbitrary CSS into another user's web pages, although we are not sure it can actually be exploited.
我了解他可以完全改变页面外观,甚至根本不显示任何内容.这就是全部?可能发生的最坏情况是什么?JavaScript可以嵌入CSS吗?他可以窃取"另一位用户的Cookie吗?并发起另一个会话?
I understand he could totally change the page look, even causing nothing to be displayed at all. Is that all? What is the worst that could happen? Can JavaScript be embedded in CSS? Can he "steal" the other user's cookies? And initiate another session?
推荐答案对上述所有内容均是.注入任意CSS可能会导致javascript执行.看:
Yes to all of the above. Injection of arbitrary CSS can lead to javascript execution. Look at:
- XSS速查表
可能发生的最糟糕的情况取决于环境.在某些情况下,窃取会话Cookie并访问用户会话可能是最糟糕的事情(例如银行,在线股票交易),您的情况可能并非如此.其他攻击示例包括获得对浏览器的控制,获得对客户端计算机的访问权限等.
The worst thing that could happen is dependent on the environment. In some cases stealing a session cookie and accessing the users session maybe the worst thing to happen (e.g., banks, online stock trading) this may not be the case for your situation. Other examples of attacks would be gaining control of the browser, gaining access to the client's machine, etc.
更多推荐
CSS注入:可能发生的最坏情况是什么?
发布评论