By Xylitol
Riusksk (quange: http://riusksk.blogbus.com)
0x100 The Cross Frame Scripting
0x110 theoretical explanation
Cross Frame Scripting, abbreviated "XFS", is mainly caused by a lack of validation of the variable that supplies the frame address of the accessed page.
For example:
http://www.site.com/navigate.php?url=guestbook/index.php
The guestbook is displayed in the frame, but we can change it:
http://www.site.com/navigate.php?url=http://google.com
This directs the frame to the Google homepage (do not confuse it with the vulnerability).
Cross Frame Scripting is mainly used for phishing attacks, which makes the vulnerability harmful. A cross-site attacker (xsser) can construct the following URL:
?url=http://xsser.com/phishing.php
At the same time, it is encoded as a hexadecimal value:
%3F%75%72%6C%3D%68%74%74%70%3A%2F%2F%6C%61%6D%7A%6F%72%2E%63%6F%6D%2F%70%68%69%73%68%69%6E%67%2E%70%68%70
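Because an encoded value decodes to the same frame address on the server, a filter or log search has to decode the parameter before comparing it. The following is an added example, not code from the original paper: it scans constructed access-log lines for a frame parameter that points off-site. The parameter names, the trusted host and the function name are assumptions.

```php
<?php
// Added example: flag logged requests whose frame parameter points off-site.
// FRAME_PARAMS and TRUSTED_HOSTS are assumptions; adjust them to the application.
const FRAME_PARAMS  = ['url', 'iframe'];
const TRUSTED_HOSTS = ['www.site.com'];

// Returns the external host a request would load into the frame, or null.
function externalFrameHost(string $requestUri): ?string
{
    $parts = explode('?', $requestUri, 2);
    if (!isset($parts[1])) {
        return null;                      // no query string at all
    }
    parse_str($parts[1], $params);        // percent-decodes names and values
    foreach (FRAME_PARAMS as $name) {
        $value = $params[$name] ?? null;
        if (!is_string($value)) {
            continue;                     // absent, or url[]=... sent as an array
        }
        $host = parse_url($value, PHP_URL_HOST);
        if (is_string($host) && !in_array(strtolower($host), TRUSTED_HOSTS, true)) {
            return strtolower($host);
        }
    }
    return null;                          // relative path or trusted host
}

// Constructed access-log lines (documentation IP range), not real traffic.
$log = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /navigate.php?url=guestbook/index.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /navigate.php?url=http://xsser.com/phishing.php HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /navigate.php?url=%68%74%74%70%3A%2F%2F%78%73%73%65%72%2E%63%6F%6D%2F%70%68%69%73%68%69%6E%67%2E%70%68%70 HTTP/1.1" 200 512',
];

foreach ($log as $line) {
    // Pull the request target out of the quoted request field.
    if (preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        $host = externalFrameHost($m[1]);
        echo $host === null ? "ok       " : "EXTERNAL ($host) ", $m[1], "\n";
    }
}
```

The plain and the percent-encoded requests are both reported with the same host, while the relative guestbook path is not flagged.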
Vulnerability trigger:
0x111 vulnerability code samples
We propose a small vulnerable site. First, you need to create four files:
1. en_tete.htm
2. accueil.htm
3. navigation.htm
4. index.php
navigation.htm:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Menu</title>
</head>
<body bgcolor="#CCCCCC">
<pre>&nbsp;
</pre>
<p>&nbsp;</p>
<p>&nbsp;</p>
<ul>
<li><a href="index.php?iframe=http://google.com" target="_parent">google</a></li>
<li><a href="index.php?iframe=http://fr.wikipedia.org/wiki/Accueil" target="_parent">wiki</a></li>
<li><a href="index.php?iframe=http://xylitol.free.fr/" target="_parent">Xylitol</a></li>
</ul>
<p>&nbsp;</p>
</body>
</html>
en_tete.htm:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>en tete</title>
<style type="text/css">
<!--
.Style1 {
color: #FFFFFF;
font-size: 36px;
}
-->
</style>
</head>
<body bgcolor="#rj7f">
<span class="Style1">Welcome in: mysiteisnotsecure.fr!</span>
<br />
Valid W3C!1!1!1!!1 Greetz: shésponspony
</body>
</html>
accueil.htm:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Accueil</title>
</head>
<body bgcolor="#FFCC66">
<h1>What the Hell?</h1>
</body>
</html>
index.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome in mysiteisnotsecure.fr</title>
</head>
<frameset rows="*" cols="110,*" frameborder="NO" border="0" framespacing="0">
<frame src="navigation.htm" name="navigation" frameborder="yes" scrolling="NO"
bordercolor="#0000CC" id="navigation">
<frameset rows="98,*" cols="*" framespacing="0" frameborder="NO" border="0">
<frame src="en_tete.htm" name="entete" frameborder="yes" scrolling="NO"
bordercolor="#000000" id="entete">
<frame src="<?php
if (isset($_GET['iframe']))
    echo $_GET['iframe']; // OMG Epic fail! The request value goes into src unchecked
else
    echo "accueil.htm";
?>" name="corps" scrolling="auto" id="corps">
</frameset>
</frameset><noframes>No frames :(</noframes>
</html>
Syntax: index.php?iframe=http://google.com
0x112 Writing secure code
We can fix this vulnerability in the following ways:
index.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome in mysiteissecurenow.fr</title>
</head>
<frameset rows="*" cols="110,*" frameborder="NO" border="0" framespacing="0">
<frame src="navigation.htm" name="navigation" frameborder="yes" scrolling="NO"
bordercolor="#0000CC" id="navigation">
<frameset rows="98,*" cols="*" framespacing="0" frameborder="NO" border="0">
<frame src="en_tete.htm" name="entete" frameborder="yes" scrolling="NO"
bordercolor="#000000" id="entete">
<frame src="<?php
// Secure code
if (isset($_GET['iframe']))
{
    $allowUrls = array("http://google.com", "http://fr.wikipedia.org/wiki/Accueil",
                       "http://xylitol.free.fr/"); // add your allowed links here
    if (in_array($_GET['iframe'], $allowUrls, true)) // strict comparison, exact match only
        echo $_GET['iframe']; // the iframe URL is one of the allowed ones
    else // show the main page (or an error page)
        echo "accueil.htm";
}
else // !!!
    echo "accueil.htm";
?>" name="corps" scrolling="auto" id="corps">
</frameset>
</frameset><noframes>No frames :(</noframes>
</html>
Other solutions:
// Checking URLs with a regex
<?php
if (isset($_GET['iframe']))
{
    // The document name must have between 1 and 13 characters before ".htm";
    // keep this number small. ^ and $ (with the D modifier) make the whole
    // value match the pattern, not just a part of it.
    if (is_string($_GET['iframe']) &&
        preg_match('#^http://xylitol\.free\.fr/SiteSecure/[0-9A-Za-z.-]{1,13}\.htm$#D', $_GET['iframe']))
        echo htmlentities($_GET['iframe']); // we secure against XSS
    else // show the main page (or an error page)
        echo "accueil.htm";
}
?>
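A variant of the allowlist fix, given here as an added example and not as code from the original paper: the request carries only a short key, so the frame address never comes from the client, and a Content-Security-Policy frame-src header built from the same list acts as a browser-side backstop. The keys and function names are hypothetical, and the links in navigation.htm are assumed to change to the form index.php?iframe=wiki.

```php
<?php
// Added example, not from the original paper. Keys and function names are hypothetical.
// The request carries only a short key; the URL itself never comes from the client.
const FRAME_TARGETS = [
    'google'  => 'http://google.com',
    'wiki'    => 'http://fr.wikipedia.org/wiki/Accueil',
    'xylitol' => 'http://xylitol.free.fr/',
];
const DEFAULT_FRAME = 'accueil.htm';

// Map the requested key to its fixed URL; anything else gets the main page.
function resolveFrameSrc(array $query): string
{
    $key = $query['iframe'] ?? null;
    // iframe[]=x arrives as an array; non-string or unknown keys fall back.
    if (!is_string($key) || !array_key_exists($key, FRAME_TARGETS)) {
        return DEFAULT_FRAME;
    }
    return FRAME_TARGETS[$key];
}

// Header line that lets the browser refuse any frame outside the allowlisted origins.
function frameSrcPolicy(): string
{
    $origins = [];
    foreach (FRAME_TARGETS as $url) {
        $p = parse_url($url);
        $origins[$p['scheme'] . '://' . $p['host']] = true;   // de-duplicate origins
    }
    return "Content-Security-Policy: frame-src 'self' " . implode(' ', array_keys($origins));
}

// Constructed requests: a known key, a raw URL as in the vulnerable version, no parameter.
$requests = [['iframe' => 'wiki'], ['iframe' => 'http://xsser.com/phishing.php'], []];
foreach ($requests as $q) {
    // Escape for the src attribute even though the value comes from the fixed list.
    echo htmlspecialchars(resolveFrameSrc($q), ENT_QUOTES, 'UTF-8'), "\n";
}
echo frameSrcPolicy(), "\n";
```

In index.php the policy string would be sent with header() before any output, and the escaped result of resolveFrameSrc($_GET) written into the src attribute of the "corps" frame.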
0x200 Header for fun and profit
0x210 Cross Agent Scripting
Cross Agent Scripting (XAS) refers to executing HTML or JavaScript code in the User-Agent string of the browser. Assume that you have accessed a site and the site has provided you with User-Agent information. After the User-Agent is modified