
Web security - Possible to interrupt webpage loading, change HTML & JavaScript, and continue loading?

Developer https://www.devze.com 2023-02-21 01:38 Source: Internet

I'm wondering if this is possible and how it would be done if it could.

I don't have any deep understanding of how browsers render web pages, so I'm thinking a browser will download the HTML and JavaScript and start rendering. Is it possible for someone to interrupt rendering, essentially edit/change the HTML and/or JavaScript?

Or perhaps someone could wget all outward-facing files, save them locally, and run them locally.

In my head, it sounds theoretically possible, and I was wondering what this might mean in terms of web security.

Edit

"Who" being a user viewing the web page on their browser, assuming delivery from server to client and back is secure.


Yes, it is possible. I'm using Charles for that (http://www.charlesproxy.com/documentation/tools/map-local/), but it can be done using an Apache/nginx proxy as well. You basically have to assume that everything that happens in the browser can be changed by the end user.


They could just somehow inject JavaScript code as early as possible into the document (e.g. right after <head>) and it would be executed before the rest of the page is loaded (some adware uses this to display additional banners/popups). It could be done using browser addons, some kind of proxy or whatever (tons of possibilities), but using HTTPS removes some of these. In the case of addons or proxies you wouldn't even need JavaScript. As for JavaScript, it's essentially able to modify everything a document shows unless it's prevented by the browser (e.g. blocking modification of an embedded iframe showcasing some HTTPS content).
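What the answers above mean for the server side, as an added example that is not part of the original thread: since the page's HTML and JavaScript can be edited by the person viewing it, the server recomputes every value that matters instead of trusting what the page sends. The catalog, coupon table, field names and the `priceOrder` function are all constructed for illustration.

```javascript
// Added example: server-side pricing of an order posted by a page the user
// is free to edit. Catalog, coupons and field names are constructed.
const CATALOG = Object.freeze({
  "sku-100": { name: "Notebook", priceCents: 1299 },
  "sku-200": { name: "Pen set", priceCents: 450 },
});
const COUPONS = Object.freeze({ WELCOME10: 10 }); // code -> percent off
const MAX_QTY = 20;
const has = (o, k) => typeof k === "string" && Object.prototype.hasOwnProperty.call(o, k);

// Recompute the order from server-side data only. Client-sent fields such
// as unitPrice, discountPct or total are never used in the calculation.
function priceOrder(body) {
  if (!body || !Array.isArray(body.items) || body.items.length === 0) {
    return { ok: false, error: "items must be a non-empty array" };
  }
  let subtotal = 0;
  for (const item of body.items) {
    const { sku, qty } = item ?? {};
    if (!has(CATALOG, sku)) return { ok: false, error: `unknown sku: ${String(sku)}` };
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
      return { ok: false, error: `invalid qty for ${sku}` };
    }
    subtotal += CATALOG[sku].priceCents * qty;
  }
  // The discount comes from the server's coupon table, not from the request.
  const percent = has(COUPONS, body.coupon) ? COUPONS[body.coupon] : 0;
  const totalCents = subtotal - Math.floor((subtotal * percent) / 100);
  // A client-claimed total that differs is a signal worth logging; the
  // order is still priced with the server's number.
  const mismatch = body.total !== undefined && body.total !== totalCents;
  return { ok: true, totalCents, mismatch };
}

// Constructed request body in which the price, discount and total were
// changed in the browser before submission.
const tampered = {
  items: [{ sku: "sku-100", qty: 2, unitPrice: 1 }, { sku: "sku-200", qty: 1 }],
  coupon: "WELCOME10",
  discountPct: 100,
  total: 2,
};
console.log(priceOrder(tampered));
```

The same rule applies to anything else the page decides on the client, such as hidden form fields, disabled buttons or role flags held in JavaScript variables.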
