xss attack through iframe src

Published 2019-07-07 06:19

Question:

I am allowing users to embed a YouTube or any other video source by only asking them to submit the src of the embed code they receive. Then I save it into the database and load it through an iframe. However, if there is a source, for instance, src="http://innocent.com/hackingContent.php", then is my website vulnerable to an XSS attack?

I am estimating that the user may have a malicious script in that src which will load as soon as the iframe embeds the source into my own html.

EDIT: What if the src contains <script type="text/javascript" src="evilScript.js"></script>? Although I am using a preg_match just to make sure that it's a URL only.

Answer 1:

Yes, you are vulnerable. What's preventing a bad user from linking to porn? Or a site that looks legit and harvests usernames and passwords.

Why don't you build a white list of video sources you will accept...validate submitted urls are on those domains and verify the url exists.

That way people can't insert completely random urls into your content.

A "white list" is a list of values that you will accept. For example, on your server, when the user submits a url, you would accept anything from

http://www.youtube.com....

right? So you make a list of all the urls you will accept, and then make sure the user's input matches an item from your list. If it doesn't you reject it. (By match we mean 'begins with' or something like that -- obviously not an exact match)

A "Black list" would be the opposite. You would have a list, but it's a list of things you won't allow.

White List == List of things you allow
Black List == List of things you don't allow
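The allowlist approach from this answer, as an added example (not code from the question or the answer, and written in Python rather than the asker's PHP): it parses the submitted src, requires an http(s) scheme, compares the host exactly against an assumed allowlist instead of using a "begins with" prefix test (so "http://www.youtube.com.evil.example/" is rejected), and attribute-escapes the accepted value when building the iframe so a stored value containing quotes or a <script> tag cannot break out of the src attribute.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of embed hosts; extend for whatever sources you accept.
ALLOWED_EMBED_HOSTS = {
    "www.youtube.com",
    "youtube.com",
    "www.youtube-nocookie.com",
    "player.vimeo.com",
}


def is_allowed_embed_src(src: str) -> bool:
    """True only for an absolute http(s) URL whose host is exactly on the allowlist."""
    if not isinstance(src, str) or len(src) > 2048:
        return False
    try:
        parts = urlsplit(src.strip())
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False            # rejects javascript:, data:, and scheme-less "//host/..."
    if parts.username is not None or parts.password is not None:
        return False            # "https://www.youtube.com@evil.example/" has host evil.example
    try:
        parts.port              # raises ValueError for a non-numeric port
    except ValueError:
        return False
    host = parts.hostname       # already lowercased, port stripped
    return bool(host) and host in ALLOWED_EMBED_HOSTS


def render_embed_iframe(src: str) -> Optional[str]:
    """Return an <iframe> for an allowlisted src, or None if the src was rejected.

    The src is attribute-escaped so '"', '<' and '>' in a stored value stay inside
    the attribute.  The sandbox tokens are an assumption: with only these two, the
    framed page cannot navigate the top window, open popups or submit forms.
    """
    if not is_allowed_embed_src(src):
        return None
    return (
        '<iframe src="%s" sandbox="allow-scripts allow-same-origin"></iframe>'
        % escape(src, quote=True)
    )
```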



Answer 2:

No, if the iframe src is different than the domain that is invoking said iframe, you are protected from XSS attacks. This is per the Same-domain Origin Policy.