I. Preface
In 2009 I wrote an article, JSON XSS prevention (http://www.bkjia.com/Article/200904/37645.html).
The article describes controlling the Content-Type of a JSON callback interface (for example: http://y.baidu.com/vote/data/detail_vote/290b873e69f2ec33a1e0c9f2?alt=html&callback=window.alert%28document.cookie%29&t=1294931209000) to prevent XSS. The prevention code looked like this:
<?php
// Declare the response as JSON so the browser does not render it as HTML.
// This header is the only defence here; the callback value is echoed unchanged.
header("Content-Type: application/json");
$woyigui = $_GET["xss"];
echo $woyigui;
?>
Because my previous company used PHP for everything, this solution worked well for PHP code. After changing companies I started working with Java, MVC and other frameworks, and found that this XSS solution is ineffective in that environment.
II. Vulnerability description
Recent testing found that when a response carrying a header such as Content-Type: application/json is served from a URL whose file name ends in .htm or .html, the header has no effect in Internet Explorer and the script is still executed. For example:
xss.html?callback=<script>alert(1)</script>
Returned headers:
HTTP/1.1 200 OK
Date: Mon, 11 Jul 2011 06:17:05 GMT
Server: Apache
Content-Type: application/json; charset=GBK
With these headers, Firefox and other browsers prompt to download the response, so the script cannot execute; but when the same file is opened in IE, the script runs.
The same applies to UTF-7 XSS, for example:
xss.htm?callback=%2B%2Fv9%20… (the rest of the UTF-7 payload is not preserved in the source)
Even if the file-content control scheme sets the application/json header to prevent XSS, the script is still executed.
Test results by extension:
1. .html: can be bypassed
2. .htm: can be bypassed
3. .txt: can be bypassed
4. .php: protected
5. .do: protected
6. others: not tested
Test environment:
1. Windows XP + IE6 / IE8
2. Windows 7 + IE8 / IE9
III. Cause
When the file name in the requested URL ends in .htm or .html, IE decides how to parse the response body from the file extension first, rather than from the application/json Content-Type header, so the body is treated as HTML, the XSS succeeds and the defence is bypassed.
By association: IE's image XSS parsing vulnerability, UTF-7 XSS and so on are examples of the opposite case, attacks where IE parses by content sniffing rather than by extension.
IV. Details
1. Other types such as application/javascript do not help in IE either.
2. Once the response carries Cache-Control: max-age=0 or no-cache, the vulnerable URL has to be requested twice in IE before the script executes.
V. Solutions
There are many ways to solve this. Do not rely on the Content-Type control scheme in frameworks whose URLs end in .html; the browser may ignore the header entirely. The response body itself must be harmless when parsed as HTML, which means validating the callback name and escaping the JSON output instead of trusting the header.
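The following is an added example, not code from the original post, written in Python rather than PHP so it can be run stand-alone. It puts the page's header-only pattern (vulnerable_jsonp) next to a hardened handler that restricts the callback parameter to an identifier and escapes <, > and & in the JSON output, so the body cannot open a tag even when IE parses a .html URL as HTML. The sample data, the callback names and the X-Content-Type-Options: nosniff header are my additions; nosniff is honoured by IE8 and later but is a belt-and-braces measure here, since the page shows that headers alone are not trusted for .htm/.html URLs in IE6-9.

```python
import json
import re
from typing import Dict, Tuple

# Constructed sample payload standing in for the vote data the endpoint returns.
SAMPLE_DATA = {"vote_id": "290b873e69f2ec33a1e0c9f2", "votes": 42, "title": "<b>poll</b>"}

# A JSONP callback must look like a (possibly dotted) JavaScript identifier.
# Everything else, including "<script>..." and a UTF-7 "+/v9..." prefix, is rejected.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)


def is_valid_callback(name: str) -> bool:
    """True only for identifier-like callback names such as jQuery17_cb or ns.cb."""
    return bool(CALLBACK_RE.match(name))


def json_for_html(data: object) -> str:
    """JSON text that contains no literal '<', '>' or '&'.

    The replacements are ordinary JSON string escapes, so the text still parses
    to the same value, but it cannot open a tag if a browser treats the body as HTML.
    """
    text = json.dumps(data, ensure_ascii=False)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def vulnerable_jsonp(callback: str) -> Tuple[Dict[str, str], str]:
    """The page's PHP pattern in Python: set Content-Type, echo the callback.

    The header is the only defence. IE6-9 ignore it for URLs whose file name
    ends in .htm/.html/.txt, so the callback text reaches an HTML parser.
    """
    headers = {"Content-Type": "application/json; charset=GBK"}
    body = callback + "(" + json.dumps(SAMPLE_DATA) + ")"
    return headers, body


def hardened_jsonp(callback: str) -> Tuple[Dict[str, str], str]:
    """Make the body itself harmless instead of depending on the Content-Type.

    Raises ValueError for callback names that are not identifiers.
    """
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback name: %r" % callback)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Assumption (not in the original post): IE8+ honours this header and
        # skips content sniffing. It is a second layer, not the primary fix.
        "X-Content-Type-Options": "nosniff",
    }
    body = callback + "(" + json_for_html(SAMPLE_DATA) + ")"
    return headers, body


def decode_jsonp(body: str, callback: str) -> object:
    """Strip the callback wrapper and parse the JSON argument (round-trip check)."""
    prefix = callback + "("
    if not (body.startswith(prefix) and body.endswith(")")):
        raise ValueError("not a JSONP body for %r" % callback)
    return json.loads(body[len(prefix):-1])


if __name__ == "__main__":
    _, body = vulnerable_jsonp("<script>alert(1)</script>")
    print("vulnerable body:", body)
    for cb in ("jQuery17_cb", "<script>alert(1)</script>", "+/v9 "):
        try:
            print("hardened body:", hardened_jsonp(cb)[1])
        except ValueError as exc:
            print("rejected:", exc)
```

The callback whitelist is the part that actually closes the hole described above: whatever IE decides the document type is, a body of the form identifier({...}) with no literal angle brackets contains nothing for an HTML parser to execute.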
Please credit woyigui's blog when reprinting.