An XSS (cross-site scripting) vulnerability in the YY website
This cross-site scripting vulnerability on the YY website can be used to steal users' credentials. I will not say much about it; the details are below.
Let's take a look:
The vulnerability comes from a Flash file at this address: http://m.yy.com/live/swf/Shareobject.swf?V=1.1
Looking at its ActionScript code: it exposes its functions to JavaScript through ExternalInterface.addCallback but does not filter the parameters at all, which is what makes the XSS possible.
private function fl_get(param1:uint = 9999) : Object
{
    // Opens the SharedObject "yy-sharedobject" at path "/", i.e. shared by every page on the host.
    var _loc_2:* = SharedObject.getLocal("yy-sharedobject", "/");
    if (!_loc_2.data.shareObj)
    {
        _loc_2.data.shareObj = {};
    }
    // param1 is used as the key directly; whatever was stored under it is returned unchecked.
    if (!_loc_2.data.shareObj[param1])
    {
        return null;
    }
    return _loc_2.data.shareObj[param1];
}// end function
The vulnerable page is the entertainment live-video page, for example:
http://m.yy.com/live/1980062727/
Looking at the page's JS file, you find the following code:
function saveViewHisoryToCache() {
    var b = "ent_view_history";
    // Reads the view history back from the Flash SharedObject without validating it.
    var a = getShareobjData(b);
    if (!a || a.length == 0) {
        a = [window.liveRoomTopId];
    } else {
        // Move the current room id to the end of the list, keeping at most 18 entries.
        var c = $.inArray(window.liveRoomTopId, a);
        if (c >= 0) {
            a.splice(c, 1);
        }
        a.push(window.liveRoomTopId);
        if (a.length > 18) {
            a.shift();
        }
    }
    saveShareobjData(b, a);
}
When the page loads, it automatically reads the "ent_view_history" entry from the Flash SharedObject, so you can build a web page and write code for it:
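As an added defensive example (written for this page, not YY's own code): the root problem is that the page trusts whatever comes back out of the SharedObject, although any site that embeds Shareobject.swf can write to it. The fix is to treat that data as attacker-controlled: whitelist it to the shape a room id actually has before storing or using it, and build the "recently viewed" links with DOM text APIs rather than HTML strings. Assumptions: room ids are plain decimal numbers and links follow the /live/<id>/ layout shown above; the sample array is constructed.

```javascript
// Added example, not YY's code: hardened handling of the view-history list
// that the page reads back from the Flash SharedObject.

const MAX_HISTORY = 18;            // cap taken from the original JS
const ROOM_ID = /^[0-9]{1,12}$/;   // assumption: room ids are plain decimal numbers

// Keep only entries that look like room ids; drop markup, objects, duplicates,
// and anything else, then enforce the size cap. Returns an array of strings.
function sanitizeViewHistory(raw) {
  if (!Array.isArray(raw)) return [];
  const seen = new Set();
  const out = [];
  for (const item of raw) {
    const s = String(item);
    if (!ROOM_ID.test(s) || seen.has(s)) continue;
    seen.add(s);
    out.push(s);
  }
  return out.slice(-MAX_HISTORY);
}

// Same move-to-end / dedupe / cap logic as saveViewHisoryToCache, but applied
// to a sanitized list and only for a current id that passes the whitelist.
function addToHistory(raw, currentId) {
  const history = sanitizeViewHistory(raw);
  const id = String(currentId);
  if (!ROOM_ID.test(id)) return history;   // refuse to store a non-id value
  const idx = history.indexOf(id);
  if (idx >= 0) history.splice(idx, 1);
  history.push(id);
  if (history.length > MAX_HISTORY) history.shift();
  return history;
}

// Build the links with createElement/textContent so a stored value is never
// parsed as HTML (innerHTML with stored strings is how injected markup runs).
// `doc` is passed in so the function can run outside a browser.
function renderHistory(history, doc) {
  const ul = doc.createElement("ul");
  for (const id of history) {
    const li = doc.createElement("li");
    const a = doc.createElement("a");
    a.href = "/live/" + encodeURIComponent(id) + "/";  // assumption: path layout as on the page
    a.textContent = id;                                // text node, not markup
    li.appendChild(a);
    ul.appendChild(li);
  }
  return ul;
}

// Constructed sample of what a tampered SharedObject might hand back.
const tamperedSample = [
  "1980062727",
  "<b>not an id</b>",          // markup string: must be dropped
  1980062727,                  // numeric duplicate of the first entry
  { toString: () => "evil" },  // object: must be dropped
  "12345",
];
```

Usage: call `addToHistory(getShareobjData("ent_view_history"), window.liveRoomTopId)` in place of the raw read, store its result, and pass it to `renderHistory(list, document)`; anything that is not a bare numeric id never reaches the DOM or the SharedObject.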
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Visit that page, then open the page above (http://m.yy.com/live/1980062727/):
The following is a chat:
There is one catch: it can only be used once, because the website automatically resets the stored content. Obviously that is not a real problem, since once is enough.
With this code you can directly obtain the site's cookie. More importantly, the JS code can also obtain all the tickets needed for one-click login to the web page on the current computer; however, I did not test whether the ticket is bound to an IP address.
You may say that cookies and tickets are time-limited, but within that validity period one can log in in batch and steal Y coins in batch to open memberships and give gifts.
You may also say that exploitability is poor, but believe me, it is really easy to get people on YY to visit a web page; there are too many novices. What's more, this is hard to guard against, because on the surface nothing looks wrong. The tutorial's term for it is a "mine-planting attack"!