// Not allowed:
node.innerHTML = userData;
// Allowed:
node.textContent = userData;
// or this way:
node.innerHTML = sanitize(userData);
<form name="attack"
enctype="multipart/form-data"
action="http://orvis-1.kontur:7090/invoice/211529"
method="POST">
<input type="hidden" name='managerId' value='32' />
<input type="hidden" name='InvoiceUpdateInfo.InvoiceActionTypeId' value='1' />
<!-- OTHER PARAMETERS -->
</form>
<script>document.attack.submit();</script>
Vulnerable to the attack:
Solution:
X-Frame-Options: DENY | SAMEORIGIN
POST api/images
{
"imageInfoList": [
{
"filePath": "wKTI6b/myphoto.jpg",
"contentType": "image/jpeg",
"resolution": {
"width": 1024,
"height": 768
}
}
]
}
GET api/images/wKTI6b/myphoto.jpg?size=L
Content-Disposition: filename="myphoto.jpg"
Content-Type: image/jpeg
<BLOB>
Content-Type: image/jpeg
POST api/images
{
"imageInfoList": [
{
"filePath": "wKTI6b/myphoto.jpg",
"contentType": "text/html",
"resolution": {
"width": 1024,
"height": 768
}
}
]
}
GET api/images/wKTI6b/myphoto.jpg?size=L
Content-Disposition: filename="myphoto.jpg"
Content-Type: text/html
<BLOB>
Content-Type: text/html
POST api/images
Content-Disposition: filename="myphoto.jpg"
Content-Type: text/html
<script>alert(1);</script>
POST api/images
Content-Disposition: filename="myphoto.png"
Content-Type: text/html
<BLOB>
<script>alert(1);</script>
GET https://staff.skbkontur.ru/api/images/wKTI6b/myphoto.png
Content-Type: text/html
<iframe src="/api/images/wKTI6b/myphoto.png"></iframe>
Allow "image/*"
image/svg+xml
<svg height="100" width="100">
<circle cx="50" cy="50" r="40" fill="red" />
<script>alert(document.cookie)</script>
</svg>
blob.domain.com
content type whitelist
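The content-type allowlist and separate blob host that the last slides call for, as an added example written for this page rather than taken from the deck: ALLOWED_TYPES, MAGIC, acceptUpload and blobResponseHeaders are assumed names, and blob.domain.com is used only as the assumed blob origin from the slide.

```javascript
// Added example (not the deck's code): server-side checks for the upload/serve flow above.

// Types the service will store and serve. image/svg+xml is deliberately absent:
// "image/*" would admit it, and SVG is XML that can carry <script>.
const ALLOWED_TYPES = new Set(["image/jpeg", "image/png", "image/gif"]);

// Leading bytes used to confirm the body really is the claimed type.
const MAGIC = {
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "image/gif": [0x47, 0x49, 0x46, 0x38],
};

// Returns the type to record server-side, or null if the upload must be rejected.
// The client's own contentType string is never stored as-is.
function acceptUpload(declaredType, bytes) {
  // Drop parameters such as "; charset=utf-8" and normalise case.
  const type = String(declaredType).split(";")[0].trim().toLowerCase();
  if (!ALLOWED_TYPES.has(type)) return null;
  const magic = MAGIC[type];
  if (bytes.length < magic.length) return null;
  for (let i = 0; i < magic.length; i++) {
    if (bytes[i] !== magic[i]) return null;
  }
  return type;
}

// Headers for GET api/images/...: the type comes from the stored record, the browser is
// told not to sniff, and the document is sandboxed. Serve this from blob.domain.com
// (assumed separate origin) so a bad file never runs in the main site's origin.
function blobResponseHeaders(storedType, fileName) {
  const safeName = fileName.replace(/[^\w.\-]/g, "_"); // keep the header injection-free
  return {
    "Content-Type": storedType,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": `inline; filename="${safeName}"`,
    "X-Frame-Options": "DENY",                    // defeats the <iframe> trick above
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}

// Constructed sample inputs: a genuine PNG signature and an HTML body mislabelled as an image.
const PNG_HEADER = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
const HTML_BODY = new TextEncoder().encode("<script>alert(1);</script>");

module.exports = { acceptUpload, blobResponseHeaders, PNG_HEADER, HTML_BODY };
```

The second argument of acceptUpload is the raw body as a Uint8Array or Buffer, so the same check works on a multipart part or a pre-signed upload callback.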