The vulnerability was discovered in the evening and fixed at around PM.
It started when I noticed a strange question on Baidu Zhidao (Baidu Knows) whose body contained a live hyperlink (here). Normally that should be impossible.
That made me think of an XSS vulnerability, and out of curiosity I decided to dig into it.
Checking the page source, I immediately found the root cause: an unclosed <a> tag inside the question body.
<pre class="line q-content mt-10" accuse="qContent">help me write an excerpt <a href="http://"hyperlink expression inside quotation marks (only the http prefix is needed). Thank you.</pre>
The asker had typed a literal <a href="http:// into the question text, and it reached the page without being escaped.
I guessed that I could insert an <a> tag myself, so I tried <a href="http://www.baidu.com">a</a>. The result was what I expected: it was filtered out.
What if the tag is left unclosed? Still no use: it gets escaped.
Let's look more closely. Why was the original tag not filtered while the ones I wrote were? The difference between the original question and my attempts is that the URL in the href attribute of my <a> tag was complete (www.2cto.com), while the original one was just http://.
So at this point I could guess how the vulnerability is triggered: an unclosed tag + href="http://".
Knowing how to trigger it, let's see what it gives us. Since the tag itself survives, we can work with its attributes; by then my classmate was already trying style.
Using style="color: red" changes the font colour, confirming that attributes survive the filter intact.
At that point I couldn't resist building a full-page overlay:
<div style="background-color: blue; color: red; font-size: 64px; font-weight: bold; width: 1024px; height: 1024px; position: fixed; left: 0; top: 0;" onclick="alert(1);" href="http://"Ha</pre>
This way the page is completely covered and an onclick handler is attached. Because the start tag is never closed, the browser keeps reading attributes until the next >, which is the one in the page's own </pre>.
Okay. From here, anyone with ulterior motives could keep going and launch a large-scale XSS attack across the whole of Baidu Zhidao. I wanted to report this to Baidu Zhidao's backend development team, but could not find a channel for it anywhere on the site. There is a feedback area, but it is just a forum post; I expect my report would only be taken for a crank.
Finally, my guess at the cause. It is clearly just a logic error. Baidu Zhidao's backend applies two filters to the question body (in the part under discussion): the first wraps URLs in <a> tags, the second escapes HTML special characters. The problem is that escaping does not run first; URL processing does, and when URL processing fails on a bare http://, HTML escaping is skipped as well.
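The two-stage filter guessed at above, together with the payloads from the earlier experiments, as an added JavaScript example that is not Baidu's code and not part of the original post. Baidu Zhidao's real implementation is not public; the function names (renderVulnerable, renderSafe), the URL pattern, and the assumption that an exception in the URL stage makes the filter fall through to the raw body are all my reconstruction, chosen to reproduce the observed behaviour: a complete URL gets escaped, a bare http:// does not. The inputs are constructed to mirror the three attempts described in the post.

```javascript
// Added example, not Baidu's code. A hypothetical reconstruction of the
// two-stage filter guessed at above (stage 1 wraps URLs in <a> tags, stage 2
// escapes HTML special characters) and of the ordering bug. The real Baidu
// Zhidao implementation is not public; the function names, the URL regex and
// the "fail open on error" behaviour are assumptions chosen to reproduce
// exactly what was observed on the page.

const URL_RE = /https?:\/\/[^\s"'<>]*/g; // assumed autolink pattern; also matches a bare "http://"

// Stage 2: escape the five HTML special characters in plain text.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stage 1: split the body into text segments and URL segments.
// new URL("http://") throws (no host); that exception is the assumed failure mode.
function splitUrls(body) {
  const parts = [];
  let last = 0;
  for (const m of body.matchAll(URL_RE)) {
    parts.push({ type: "text", value: body.slice(last, m.index) });
    parts.push({ type: "url", value: new URL(m[0]).href });
    last = m.index + m[0].length;
  }
  parts.push({ type: "text", value: body.slice(last) });
  return parts;
}

// Render the segments: text is escaped, URLs become anchors with an escaped href.
function renderParts(parts) {
  return parts
    .map((p) =>
      p.type === "url"
        ? `<a href="${escapeHtml(p.value)}">${escapeHtml(p.value)}</a>`
        : escapeHtml(p.value)
    )
    .join("");
}

// Vulnerable pipeline (assumed): URL processing runs first and escaping only
// afterwards; an exception in the URL stage falls through to the raw body,
// so a single bare "http://" switches escaping off for the whole post.
function renderVulnerable(body) {
  try {
    return renderParts(splitUrls(body));
  } catch (err) {
    return body; // fail open: raw HTML reaches the page
  }
}

// Hardened pipeline: every text segment is escaped unconditionally, an
// unparseable URL is emitted as escaped text instead of aborting, and there
// is no error path that can return unescaped input.
function renderSafe(body) {
  let out = "";
  let last = 0;
  for (const m of body.matchAll(URL_RE)) {
    out += escapeHtml(body.slice(last, m.index));
    let href = null;
    try {
      href = new URL(m[0]).href;
    } catch (err) {
      href = null; // malformed URL: keep the matched text as plain text
    }
    out += href === null
      ? escapeHtml(m[0])
      : `<a href="${escapeHtml(href)}">${escapeHtml(href)}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(body.slice(last));
}

// Constructed inputs mirroring the three attempts described in the post.
const COMPLETE_TAG = '<a href="http://www.baidu.com">a</a>';
const BARE_HTTP = '<a href="http://';
const OVERLAY =
  '<div style="position: fixed; left: 0; top: 0; width: 1024px; height: 1024px;" ' +
  'onclick="alert(1);" href="http://';

// True when the rendered HTML still contains a tag that did not come from
// the autolinker, i.e. user-supplied markup leaked through the filter.
function leaksUserMarkup(html) {
  return /<(?!a href="https?:\/\/[^"]*">|\/a>)/.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const input of [COMPLETE_TAG, BARE_HTTP, OVERLAY]) {
    console.log("vulnerable leaks:", leaksUserMarkup(renderVulnerable(input)), renderVulnerable(input));
    console.log("safe leaks:      ", leaksUserMarkup(renderSafe(input)), renderSafe(input));
  }
}
```

Run it with node. The point of the hardened version is not only the ordering of the two stages but the failure mode: a malformed URL degrades to plain escaped text, and no code path can hand the raw body back to the page, so one unparseable http:// can no longer disable escaping for an entire post.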