Hijacking users' private message content via a Renren design defect (cross-domain policy bypass)
I went around in circles during the design and, after half a day, found I had run back to the starting point. I said it was a bypass; in fact I used a design vulnerability.
Cross-origin error: Blocked a frame with origin "xxxxx" from accessing
1. This vulnerability exploits contentWindow.
2. This property lets the parent window read the content of a child window, provided the child is in the same domain. For example, I can obtain the content of a Renren user's personal center on www.renren.
3. As for XSS, I found an unrepaired XSS that was submitted last year:
WooYun: The Renren sub-station has another xss vulnerability.
4. Interface for getting user chat information:
http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788
5. The roomId parameter of this interface identifies the user's chat partner; you only need to iterate over the data-id values (here I pull out the entire body; I did not implement the array traversal).
6. The next step is how to get across origins. This interface
http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788
belongs to the webpager.renren.com domain. Reading its content directly returns the cross-origin error above, because http://st.renren.com/ belongs to the renren.com domain.
7. However, the user's personal center loads an address which, I later found, belongs to the renren.com domain:
http://webpager.renren.com/api/ime.jsp
8. In case the above is messy, here is the logic sorted out:
①. http://webpager.renren.com/api/ime.jsp belongs to the renren.com domain.
②. http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788 belongs to the webpager.renren.com domain.
9. This is where the design defect emerges:
①. http://st.renren.com/ (belongs to the renren.com domain and has an XSS vulnerability)
②. http://www.renren.com/ (belongs to the renren.com domain)
③. http://webpager.renren.com/api/ime.jsp (belongs to the renren.com domain)
④. http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788 (belongs to the webpager.renren.com domain)
10. Because document.domain can be set to the page's own domain or to its base domain, the following pairs can communicate:
①. http://st.renren.com/ and http://www.renren.com/ can communicate with each other.
②. http://webpager.renren.com/api/ime.jsp and http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788 can communicate with each other.
③. http://www.renren.com/ and http://webpager.renren.com/api/ime.jsp can communicate with each other.
④. In other words, http://st.renren.com/ and http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788 can communicate with each other.
11. My summary: http://st.renren.com/ communicates with http://www.renren.com/, which then uses http://webpager.renren.com/api/ime.jsp to communicate with http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788.
12. Therefore, under this design, an attacker on http://st.renren.com/ can bypass the restriction and communicate with http://webpager.renren.com/api/getChatList?lt=15&st=0&type=0&roomId=874460788.
13. The following is a test that obtains the chat content from the webpager.renren.com domain.
1. See the vulnerability proof above.
2. In my idol's words, the result no longer matters at this point.
Solution:
1. It is best to keep the domains separate from each other.
2. I'm a newbie; you guys are amazing.
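As an added illustration (not the report author's code), the following models the two browser checks the chain in sections 10-12 depends on and shows why the "separate domains" fix in the Solution breaks it; the document.domain settings and the isolated hostname are assumptions, not facts from the report.

```javascript
// Added example (not the report author's code): a model of the browser's
// access checks that the chain in sections 10-12 relies on, plus the fix.
// Cross-window scripting (contentWindow) uses the "same origin-domain"
// rule: allowed when neither page touched document.domain and the origins
// match, or when both set document.domain to the same value; one side
// relaxed and the other not is denied. XHR/fetch from a page ignores
// document.domain and compares the real origin only.

function page(scheme, host, relaxedTo) {
  return { scheme, host, domain: relaxedTo ?? null };
}

function canScriptWindow(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain === null && b.domain === null) return a.host === b.host;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  return false; // exactly one side relaxed document.domain
}

function canFetchSameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host;
}

// Hosts from the report. Assumption (constructed): st, www and ime.jsp set
// document.domain = "renren.com"; the getChatList response does not.
const current = {
  st:   page("http", "st.renren.com", "renren.com"),
  www:  page("http", "www.renren.com", "renren.com"),
  ime:  page("http", "webpager.renren.com", "renren.com"),
  chat: page("http", "webpager.renren.com"),
};

// Fix from the Solution section: host ime.jsp and the chat API on a
// separate registrable domain (hypothetical name) so they cannot set
// document.domain to renren.com and join the relaxed group.
const separated = {
  ...current,
  ime:  page("http", "webpager.renren-chat.example"),
  chat: page("http", "webpager.renren-chat.example"),
};

// Does script on the XSS-affected st page reach the chat API via ime.jsp?
function chainReaches(pages) {
  return canScriptWindow(pages.st, pages.ime) &&
         canFetchSameOrigin(pages.ime, pages.chat);
}

console.log("current design:", chainReaches(current));     // true
console.log("separated domains:", chainReaches(separated)); // false
```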