Make A Contract with IE and Become a XSS Girl!

Make A Contract with IE and Become a XSS Girl!

This is the topic of Yosuke HASEGAWA, a representative of the Japanese hacker stream, on hit2011. At that time, he was lucky enough to have a speech with his friend hiphop over QQ. This topic is mainly about some ie6-8 issues that lead to xss. In fact, the main question is that "1st words suddenly refer to the Content-Type Header", and even the details are not provided later .....
However, the tragedy is that more friends at the scene showed an interest in "Introducing JavaScript obfuscation" at the beginning of the presentation!

The problem "1st suddenly indicates the Content-Type Header" is analyzed by nb:

Key conclusions:

In other words, setting Content-Type alone cannot defend against xss !! The Content-Type setting is directly ignored. The effect is similar to the problem of mhtml: Hacking with mhtml protocol handler.

Let's review the article about setting Content-Type in my blog:

Do not forget data parsing
"About utf7-BOM string injection"
Hacking with mhtml protocol handler http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

In the "about utf7-BOM string injection" text:

<--------------------------------------------->
There are two solutions to this problem:
1. strictly control the data file and return Content-Type.
2. encoding is used for data storage.

When Party A's friends saw that html tags were directly inserted in json for xss, they basically used "2. when data is stored, encoding is used, and "Content-Type" is not restricted. Basically, "text/html" is continued ", this also laid the seeds of evil for this utf7-BOM string injection, if this time do not modify the Content-Type, I think there may be a chance to sprout and blossom seeds !! :) I think it would be a good choice if the above two schemes are used at the same time.
<--------------------------------------------->

This is exactly the opposite of the utf7-BOM, which is used for encoding when there is no "2. Data Storage. "And only" 1. strictly control the data file and return the Content-Type. . :) It seems that two people are indispensable to defend against these problems !!!

It seems like another "100 + xss "??

In the author's ppt, the example of MS has been fixed, so I thought of a point on taobao, this is a point you can see on a blog during the mhtml test [the specific url does not remember:

Http://www.taobao.com/expressway/index.php? Id = mytaobao & container = % 27% 22% 3E % 3 Cscript % 3 Ealert % 280347322% 29; % 3C/script % 3E % 0A % 3C % 22

In this case, Content-Type: text/javascript is set for direct access and the following message is displayed:



At that time, because there were multiple line breaks in the file, we didn't use mhtml to go to xss at that time... so let's look at adding x.html:
Http://www.taobao.com/expressway/index.php/x.html? Id = mytaobao & container = </iframe> <script> alert (1) </script>


OK !! Jj... [This vulnerability has been fixed!]

Finally, I would like to thank hiphop for its live broadcast.