March 2017
Intermediate to advanced
262 pages
5h 26m
Chinese
Content preview from 物联网设备安全
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
20
|
第
1
章
xhr.send();
}
find_hue();
</SCRIPT>
</HTML>
假定这段
HTML
代码运行在一个外部网站上。如图
1-6
所示,这个域名为
www.
dhanjani.com
的网站能够获取网桥
id
、内部
IP
地址和
MAC
地址。如上述这段
HTML
代码所示,它是通过使用
XMLHttpRequest
对象获取这些信息的,
XMLHttpRequest
对象
可以使
Web
浏览器连接到除
www.dhanjani.com
之外的一个域名上(例如
www.meethue.
com
)。捕获了这些信息之后,外部网站的所有者就可以很轻松地保存这些信息了。
图 1-6:信息泄露给外部网站
从安全的角度来讲,仅仅是随意地访问一个网站并不会获取到这些信息。我们将上述内
容归结为信息泄露,因为它向一个没有得到数据拥有者授权的外部实体暴露了这些信息。
1.2.2 drive-by
攻击
运行在网桥上的
Web
服务器也将
Access-Control-Allow-Origin
头设置为
*
。如
果外部网站的所有者知道与该网桥关联的
whitelist
令牌,那么他就可以通过执行
XMLHttpRequest
对象请求获取网桥的内部
IP
地址(也就是前面我们提到过的内部
IP
地
址)以达到远程控制灯光的目的,进而他可以针对网桥
IP
地址执行一个带有
PUT
命令的
XMLHttpRequest
对象请求:
xhr.open('PUT', 'http://'+obj.internalipaddress+'/api/[whitelist ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.