JavaScript Forgery Referer Route method

Source: Internet
Author: User

JavaScript is a case-sensitive, client-side scripting language that grew out of Netscape's LiveScript. It is object-based and dynamically typed, with prototype-based inheritance, and was created mainly to work around the latency of server-side languages such as Perl and give users a smoother browsing experience.

Because a server-side script can forge the Referer so easily, the major traffic-analytics services (CNZZ, Baidu Statistics, Google Analytics, 51LA and others) determine the visitor's route with JavaScript instead. There is now, however, a way to forge the Referer seen by that JavaScript as well.

WinHttp.WinHttpRequest.5.1 is the object underlying MSXML 4.0; XMLHTTP and ServerXMLHTTP are wrappers built on top of it. Requests sent through WinHttpRequest are also not captured by Fiddler.

A Google search turned up that it can in fact be used to forge every HTTP request header. The code below forges the Referer so that the POST to the target URL appears to be a form submitted from the Baidu home page:

var url = "http://www.yourtarget.com";
var param = "name=david&age=30";
var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
obj.Open("POST", url, false);
obj.Option(4) = 13056;  // SslErrorIgnoreFlags: ignore all certificate errors
obj.Option(6) = false;  // EnableRedirects = false: do not follow redirects, so the server's 302 status can be captured
obj.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
obj.setRequestHeader("Referer", "http://www.baidu.com");
obj.Send(param);
WScript.Echo(obj.responseText);

Since every header of an HTTP request can be forged, cookies, session IDs and the like can naturally be obtained and passed along as well. Below is a practical example: logging in to the Blog Park (cnblogs) site from the command line. It takes three requests: the first fetches the form's __VIEWSTATE and __EVENTVALIDATION values, the second logs in with the account, and the third uses the returned cookie to visit the home page:

// Wrap the remote access in one function
function RemoteCall(method, url, param, header) {
    var obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    obj.Open(method || "GET", url, false);
    obj.Option(4) = 13056;  // ignore all certificate errors
    obj.Option(6) = false;  // do not follow redirects automatically
    if (method == "POST") {
        obj.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    }
    if (header) {
        // Any header name may be set, "Cookie" included
        for (var key in header) {
            obj.setRequestHeader(key, header[key]);
        }
    }
    obj.Send(param);
    return obj;
}

// First request: fetch the login page of the blog site
var url = "http://passport.cnblogs.com/login.aspx";
var objFirst = RemoteCall("GET", url, null);

// Pull __VIEWSTATE and __EVENTVALIDATION out of the returned form
var viewstate = objFirst.responseText.match(/id="__VIEWSTATE" value="(.*?)" \/>/)[1];
var eventvalidation = objFirst.responseText.match(/id="__EVENTVALIDATION" value="(.*?)" \/>/)[1];

// Enter your own account and password here
var username = "";
var password = "";
var param = "__VIEWSTATE=" + encodeURIComponent(viewstate)
    + "&__EVENTVALIDATION=" + encodeURIComponent(eventvalidation)
    + "&tbusername=" + username
    + "&tbpassword=" + password
    + "&btnlogin=" + encodeURIComponent("Login");

// Second request: log in
var objSecond = RemoteCall("POST", url, param);
// After a successful login the server does a Response.Redirect, which sends a 302 to the client.
// 302 therefore means the login succeeded; 200 means it failed and the page did not redirect.
WScript.Echo(objSecond.status);

// Third request: visit the home page with the cookie from the successful login
// (the Set-Cookie value is passed back as-is, attributes included, as in the original)
var json = { "Cookie": objSecond.getResponseHeader("Set-Cookie") };
var objThird = RemoteCall("GET", "http://www.cnblogs.com", null, json);

// Write the home page to a file
var fso = new ActiveXObject("Scripting.FileSystemObject");
var file = "C:/output.txt";
var newtxt = fso.OpenTextFile(file, 2, true);
newtxt.WriteLine(objThird.responseText);
newtxt.Close();
//WScript.Echo(objThird.responseText);

The code above is admittedly somewhat mischievous, but it exists only to prove that WinHttpRequest can simulate a browser's requests so well that the server cannot tell whether a request came from a browser or from the command line.

Conclusion: no data submitted from the client can be trusted. In the HTTP packets that are sent, not only the form values but also every header can be modified at will. It also shows that using __VIEWSTATE does nothing for the security of a form.
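The server-side consequence of that conclusion, as an added example that is not part of the original article: a Referer check is a string comparison on a value the client wrote, so the scripted client above passes it; a MAC on the view state (modelled here with HMAC-SHA256, not ASP.NET's real encoding) lets the server detect tampering with its own state, but a script that fetched the form and replays the token verbatim is accepted exactly like a browser. The only thing the server controls is its own validation of the submitted values. The key, the form field names and the request data are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real server keeps its MAC key out of source control.
SERVER_KEY = b"constructed-demo-key"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def referer_is_trusted(headers, allowed_origin="http://www.baidu.com"):
    """The 'route' check an analytics script or server might do: a string
    comparison on a value the client wrote itself, so any client can pass it."""
    return headers.get("Referer", "").startswith(allowed_origin)


def issue_viewstate(state):
    """Serialise server state and append an HMAC so the server can later detect
    tampering. This models the purpose of ASP.NET's ViewState MAC; it is not the
    real ASP.NET encoding."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(token):
    """Return the embedded state if the MAC checks out, otherwise None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def tamper_token(token):
    """Models a client editing the state it was handed (flips one payload bit)."""
    raw = base64.b64decode(token)
    return base64.b64encode(bytes([raw[0] ^ 0x01]) + raw[1:]).decode()


def handle_post(headers, form):
    """Server-side handling of the submitted form. The Referer is ignored, the
    MAC only proves the state is the server's own, and the submitted values are
    validated on the server regardless of what the client claimed."""
    if verify_viewstate(form.get("__VIEWSTATE", "")) is None:
        return "rejected: viewstate missing or tampered"
    age = form.get("age", "")
    if not age.isdigit() or not 1 <= int(age) <= 150:
        return "rejected: invalid age"
    if not form.get("name", "").strip():
        return "rejected: name required"
    return "accepted"


if __name__ == "__main__":
    # Constructed request from a scripted client, mirroring the article's snippet:
    # a hand-set Referer and a form body of name=david&age=30.
    scripted_headers = {"Referer": "http://www.baidu.com",
                        "Cookie": "ASP.NET_SessionId=constructed"}
    token = issue_viewstate({"form": "login"})
    print(referer_is_trusted(scripted_headers))  # True: the check proves nothing
    print(handle_post(scripted_headers, {"__VIEWSTATE": token, "name": "david", "age": "30"}))
    print(handle_post(scripted_headers, {"__VIEWSTATE": tamper_token(token), "name": "david", "age": "30"}))
    print(handle_post(scripted_headers, {"__VIEWSTATE": token, "name": "david", "age": "-5"}))
```

Run as a script, it shows the forged Referer passing, the replayed token being accepted, the tampered token being rejected, and an out-of-range age being rejected by server-side validation, which is the one check the client cannot talk its way past.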

Article from: http://www.phperz.com/article/14/0702/2917.html
