A blood case caused by replace ()

Not long ago, Twitter once broke an XSS. The tragedy was that the programmer's patch solution was faulty and the result was once again cracked.

For detailed analysis, see
Html "target = _ blank>Http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

Let's not talk about other problems in this patch solution. Let's take a look at the use of replace () in javascript.

At that time, twitter programmers had such patches:
Var c = location. href. split ("#! ") [1];
If (c ){
Window. location = c. replace (":","");
} Else {
Return true;
}

However, javascript has a terrible issue. The first parameter of the replace () function must be written in regular format. What if the first parameter is a string?By default, javascript will only Replace the first character it finds.

This is different from many other languages!

Therefore, in the POC of twitter's second burst of chrysanthemum, use two: This patch is bypassed.

Http://twitter.com /#! Javascript: alert (document. domain );

Gareth Heyes wrote a blog to address this problem.

Http://www.thespanner.co.uk/2010/09/27/string-replace-javascript-bad-design/

This is a very detailed problem, and many programmers will use it incorrectly.

I reviewed several major pages on the Chinese site and found that qq, Baidu, and so on have not found this problem for the time being, some Usage errors have been found on the following sites (of course, it may be that the programmer understands and deliberately uses them like this ):

Youku:
Common. js:
Window. nova_init_hook_initsearch = function (){150Var fullPath = document. location. pathname. replace (_,/);151Var path = fullPath. split (/);152Var module = index;153If (path [1]) {module = path [1];}


Clove Garden:
Function clicksum (objs, placeId ){468Var xhttp = getXmlhttp ();469For (var I = 0; I <objs. length; I ++ ){470Var obj = objs [I];471Obj. onclick = function (){472If (this. href. indexOf ("http: //") =-1 | this. innerHTML. length = 0) return true;473Var href = this. href. replace (":", "% 3A "). replaceAll ("/", "% 2F "). replace ("#", "% 23 ");474Var innerHTML = encodeURIComponent (this. innerHTML );


Sohu:
Adm2008.js:
Function _ SoAD_DoFSCommand (a, B ){
Var c = null;
If (a & (eval ("typeof (_ SoAD _" + a + ")")! = "Function ")){
Return;
}
If (_ SoAD_DoFSCommand.caller ){
C = _ SoAD_DoFSCommand.caller.toString ();
C = c. substring (9, c. indexOf ("("). replace ("_ DoFSCommand ","");

// Hide suggestion div1152Function Wb ()1153{1154Var hh = sug $ (sugmaindivname );1155If (hh & hh. style ){1156Hh. style. display = "none ";1157If (sug $(suggimg2 ))1158Sug $ (suggimg2). src = sug $ (suggimg2). src. replace (up, down );


However, security problems may not occur if an error is used, but unpredictable consequences may occur, commonly known as bugs.

Under what circumstances will there be security problems? When replace is used for security filtering.

I have found many such examples on google codesearch:

Http://www.google.com/codesearch? Hl = en & lr = & q = lang % 3 Ajavascript + % 22. replace % 28% 27% 3 Cscript % 22 & sbtn = Search




You can also find more information by changing search conditions, such
Lang: javascript ". replace ("
Lang: javascript ". replace (javascript"

And so on.

Therefore, to safely use the replace function in javascript, you 'd better use the regular expression:
. Replace (//,) single
. Replace (// g,) Global

The first parameter uses a string, which is a bad habit, although we often commit: D