About utf7-BOM string injection


Some time ago, while chatting with Mario Heiderich, he asked me whether I knew "+/v8". At the time I knew nothing about it, so he sent me a link to Gareth Heyes's paper "XSS Lightsabre techniques". Slide 34 of the deck reads:

CSS expressions with UTF-7
• UTF-7 BOM character can force UTF-7 in an external style sheet
• Would you let me upload a style sheet?
• @charset "UTF-7"; examples work
• But you don't need it
• +/v8 is all you need

+/v8
body {
font-family:
+AHgAJwA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAJw-;
}

So now I knew what "+/v8" was :), and I thought it could be used for XSS on Baidu Space, which lets users supply their own style sheet. Opening my blog there in IE pops up the "Happy New Year!" dialog box! Thx mario !!

This exploitation is basically the attack prototype from Gareth Heyes's slides. What else can it be used for? Testing shows that IE automatically treats a document that starts with the UTF-7 BOM as UTF-7 when it is opened, so as long as we control the first few bytes of the file we can inject the UTF-7 BOM and get XSS. That naturally brings JSON callbacks to mind, so I immediately tested it on the same column used in "Cross Site Scripting mhtml-file string injection":

http://www.tudou.com/my/channel/item.srv?icode=enQCgQKJTDs&callback=%2B%2Fv8%20…QApADsAPAAvAHMAYwByAGkAcAB0AD4APAAvAGIAbwBkAHkAPgA8AC8AaAB0AG0APg-%20xsadas

Perfect! :) Then a quick Google search for more...
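To make the mechanism above concrete, here is an added example (my own Python, not code from the post): a small model of a charset-sniffing browser that, like the IE behaviour described, switches to UTF-7 when the first bytes of a response are the "+/v8" BOM and no charset is declared, run over a constructed JSONP response whose callback parameter is reflected unfiltered at byte 0. The harmless markup run +ADw-b+AD4-hello+ADw-/b+AD4- (UTF-7 for <b>hello</b>) stands in for a real payload; the browser model is a deliberate simplification, not IE's actual sniffing logic.

```python
"""Added example, not part of the original post: what a charset-sniffing browser
sees when attacker-controlled bytes (a JSONP callback) start the response."""
from typing import Optional, Tuple

# UTF-7 encoding of U+FEFF (the byte order mark): the "+/v8" from the post.
UTF7_BOM = b"+/v8"


def starts_with_utf7_bom(body: bytes) -> bool:
    """True when the very first bytes of the body are the UTF-7 BOM."""
    return body.startswith(UTF7_BOM)


def render_as_browser(body: bytes, declared_charset: Optional[str]) -> str:
    """Simplified model of a sniffing browser (assumption, not IE's real code):
    with no declared charset and a UTF-7 BOM at byte 0 the body is decoded as
    UTF-7; otherwise it is decoded as the declared charset (default UTF-8)."""
    if declared_charset is None and starts_with_utf7_bom(body):
        return body.decode("utf-7")
    return body.decode(declared_charset or "utf-8")


def insecure_jsonp(callback: bytes, data: bytes) -> bytes:
    """Constructed vulnerable handler: the callback name is reflected as-is,
    so the client controls the first bytes of the file."""
    return callback + b"(" + data + b");"


def demo() -> Tuple[str, str]:
    """Constructed input: BOM, then a UTF-7 run that decodes to <b>hello</b>."""
    callback = b"+/v8-+ADw-b+AD4-hello+ADw-/b+AD4-"
    body = insecure_jsonp(callback, b'{"ok":1}')
    as_utf8 = render_as_browser(body, "utf-8")  # literal '+ADw-' text, no tags
    sniffed = render_as_browser(body, None)     # BOM sniffed: real '<b>' appears
    return as_utf8, sniffed


if __name__ == "__main__":
    utf8_view, utf7_view = demo()
    print("declared utf-8 :", utf8_view)
    print("sniffed utf-7  :", utf7_view)
```

The same bytes are harmless when the server declares a charset and become markup when the browser is left to sniff the first bytes, which is exactly why the Content-Type defence below matters.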

As a result, "heige (@hi_heige): another cross-browser XSS exploitation method" was born. Unfortunately, we did not find an exploitable spot on Google [my dollar]. Then I played with it together with Party A's friends (the site owners' people) in the hi group, which led to the blog article "How does IE process the meta stream encoding & the 100+ XSS". The analysis there is thorough, and it even corrected a mistake of mine, cool!

For defence, refer to my earlier blog article on JSON, "Do not forget data parsing":

There are two solutions to this problem:
1. Strictly control the Content-Type returned for the data file.
2. Encode the data when it is stored.

When Party A's friends saw HTML tags inserted directly into JSON for XSS, they basically went with option 2, encoding the data when it is stored, and left the Content-Type unrestricted, still "text/html". That planted the seeds of evil for this UTF-7 BOM string injection: if the Content-Type is still not changed this time, I think those seeds may yet sprout and blossom !! :) Using both measures at the same time would be the good choice.

For the custom style sheet case, the only defences today are filtering, or fixing the starting bytes of the CSS file yourself, because the charset you declare is unreliable! From that perspective this really is an IE issue. I tried to contact Microsoft officially. Unfortunately:
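The two JSON measures listed above (Content-Type control and encoding at storage time) and the "fix the first bytes of the CSS file" defence for custom style sheets, as an added Python example. This is my own code, not the post's or any site's: the handler names, the callback whitelist regex and the @charset preamble are my choices, and the responses are modelled as a (headers, body) pair rather than a real web framework.

```python
"""Added example, not part of the original post: hardened JSONP and user-CSS
handlers applying the post's two defences, plus a fixed CSS preamble."""
import json
import re
from typing import Dict, Tuple

UTF7_BOM = b"+/v8"  # UTF-7 encoding of U+FEFF, the "+/v8" from the post

# Only identifier-like callback names (optionally dotted): no '+', '/', '<',
# whitespace or anything else that could start a BOM or markup.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
DEFAULT_CALLBACK = "callback"


def safe_callback(name: str) -> str:
    """A callback name that is not a plain JS identifier path is replaced."""
    return name if CALLBACK_RE.match(name) else DEFAULT_CALLBACK


def encode_for_storage(value: str) -> str:
    """Defence 2: HTML-escape user data before storing it, so stored text can
    never contribute '<', '>', '"' or '&' to any later response."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def jsonp_response(callback: str, payload: dict) -> Tuple[Dict[str, str], bytes]:
    """Defence 1: a script MIME type with an explicit charset, plus nosniff so
    the browser does not guess the MIME type from the first bytes. The body is
    serialised with json.dumps, which escapes non-ASCII characters."""
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = safe_callback(callback) + "(" + json.dumps(payload, ensure_ascii=True) + ");"
    return headers, body.encode("utf-8")


# Server-controlled first bytes of every user style sheet (assumed preamble).
CSS_PREAMBLE = b'@charset "UTF-8";\n/* user style sheet */\n'


def user_css_response(user_css: bytes) -> Tuple[Dict[str, str], bytes]:
    """Custom style sheets: the server writes the first bytes, so a BOM supplied
    by the user is never at byte 0, and the charset is also declared in the header."""
    headers = {
        "Content-Type": "text/css; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, CSS_PREAMBLE + user_css


def body_starts_with_utf7_bom(body: bytes) -> bool:
    """Check a finished response the way the post describes the attack: does
    the file start with the UTF-7 BOM?"""
    return body.startswith(UTF7_BOM)


if __name__ == "__main__":
    # Constructed inputs: a BOM-prefixed callback and a stored value with tags.
    hdrs, body = jsonp_response("+/v8 xsadas", {"msg": encode_for_storage("<b>hi</b>")})
    print(hdrs["Content-Type"], body, body_starts_with_utf7_bom(body))
    _, css = user_css_response(b"+/v8 body { color: red }")
    print(css, body_starts_with_utf7_bom(css))
```

The callback whitelist alone already removes "+/v8" (neither "+" nor "/" is allowed), the explicit charset means the browser has no reason to sniff the encoding from the first bytes, and the server-written preamble keeps any user-supplied BOM away from byte 0. Storage-time escaping is the second layer, which is what the post recommends: use both measures together.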

Delivery to the following recipient failed permanently:

Security@microsoft.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. we recommend contacting the other email provider for further information about the cause of this error. the error that the other server returned was: 550 550 5.4.1 security@microsoft.com: Recipient address rejected: Access Denied (state 14 ).

From the above analysis, the main value of UTF-7 BOM string injection is bypassing filters; Baidu Space, for example, filters keywords such as "expression" very aggressively! Speaking of bypassing filters, we should mention the IE8 XSS filter, so we can also talk about "bypassing the IE8 XSS filter using UTF-7 BOM string injection".


In addition, the automatic UTF-7 BOM transcoding problem is not limited to IE; other applications have it too, such as:


Finally, a word on using this vulnerability for XSS worms. In my earlier blog post "About Xss Worm", under "implementing multi-domain or cross-domain worms", this vulnerability is definitely a perfect opportunity!

Thanks:
Thanks to Mario Heiderich for telling me what "+/v8" is :)
Thanks to Gareth Heyes for the nice paper.
And thanks for the wonderful discussions with friends from the hi group! :)


Reference: 《Byte order mark》
