
Is this a security vulnerability, XSS or CSRF?

Let's say my JavaScript makes an AJAX request and in the callback function it does eval(response_text) without checking response_text for anything.

Something tells me this is not good, but why and how could it be exploited? Won't it always be my server that sends it good data?


That would be vulnerable to an XSS if it comes from an untrusted source. The attacker can call a function on your site.

Think of a situation where the attacker appends a script tag to the document that loads a script from his site.

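The point above in working code, as an added example that is not from the question or the answer: the callback that runs eval() on the response body will execute any code that reaches it, while JSON.parse() only ever yields data and rejects everything else. The two response strings are constructed samples; the tampered one merely records that it ran.

```javascript
"use strict";

// Records whether anything in a response body got executed. A real page
// would have no such guard; it is here only to make the side effect visible.
const sideEffects = [];

// Constructed sample bodies (not real server output).
const goodResponse = '{"user":"alice","role":"viewer"}';
// Same "shape" as data, but it is a JavaScript expression. Anyone who can
// influence the response (an untrusted endpoint, a tampered reply) gets
// to run code in the page's origin if the callback uses eval().
const tamperedResponse =
  '(function () { sideEffects.push("response body executed");' +
  ' return {"user": "alice", "role": "admin"}; })()';

// Vulnerable callback: eval() executes the body with full page privileges.
function parseResponseUnsafe(responseText) {
  // eslint-disable-next-line no-eval
  return eval("(" + responseText + ")");
}

// Hardened callback: JSON.parse() accepts JSON and throws on anything else,
// so a body that is code is treated as a failed request, never run.
function parseResponseSafe(responseText) {
  try {
    return JSON.parse(responseText);
  } catch (err) {
    return null;
  }
}

// Stand-alone demonstration.
console.log("safe, good body:", parseResponseSafe(goodResponse));
console.log("safe, tampered body:", parseResponseSafe(tamperedResponse));
console.log("unsafe, tampered body:", parseResponseUnsafe(tamperedResponse));
console.log("side effects after eval:", sideEffects);
```

If the endpoint returns JSON, `JSON.parse` (or the `responseType: "json"` / `response.json()` APIs) is the drop-in replacement; nothing legitimate needs `eval` there.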