The idea of 0-day mining and the new XSS defense scheme of a large number of Colleges and Universities

0 × 00 Cause
This may cause some impact, so the document does not mention the name of the email system. This email system is used by many colleges and universities and educational institutions. Last year, a younger brother asked me if I could intrude into the teacher's email address. After testing, I got this article, the article is only for technical research. I am not liable for any illegal means.
0 × 01 Mining ideas
(Because it was not a year ago, I wrote it with memories, but there were no images, but the value was not less than v ^ v. Penetration is the idea. If you think this article is valuable, you can read it several times .)

lusiyu@ubuntu:~$ telnet xxx.edu.cn 110Trying 202.116.xx.xx...Connected to xxx.edu.cn.Escape character is '^]'.+OK Welcome to coremail Mail Pop3 Server (gdufss[f38963dfe10fa8653143525dfb027a3es])

We can know that the mailbox system uses xxx mail. After a preliminary look, if we can find an XSS or meaningful CSRF intrusion mailbox examination full score, it is no longer a dream.
Focus on XSS, log in with the younger brother's account, and find that you can add image tags and hyperlink tags, try source code editing, and send an email to the younger brother's account.
Content:

<A href = paicirpt: alert (1)> click </a> <iframe/onload = alert (1)>

View content after receiving
Javascript in tag a is filtered out. iframe tag onload attribute is filtered out.
0-day after breakthrough
0 × 02 0day
0day1:
Set

<script>alert(1);</script>

Base64 encoding
Get

PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=

Source code editing Input

<a href=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=>aa</a>

Send the email. After receiving the email, click "XSS.
0day2:
Source code editing
Insert

<iframe/onddd=alert(1)>

The onddd tag is still filtered out.
This indicates that server-side filtering is based on the blacklist, that is, all attributes starting with "on" are passed. It is estimated that many of the labels that can execute JS are starting with "on", so Programmers think so.
Find an iframe attribute that can execute JS without starting with on.
Https://developer.mozilla.org/zh-CN/docs/HTML/HTML5
Find a srcdoc attribute
Send email

<iframe srcdoc='<script>alert(1)</script>'>

Successfully logged on to the XSS guest email
I am busy with my work and have no time to continue the test. I told my younger brother about his ideas and threatened to illegally intrude into others' mailboxes and go to jail. Finally, he didn't do anything bad. v ^ v
0 × 03  Summary
This includes, but is not limited to, the Black Box Closed source system like xxx mail for XSS mining. We consider this mining:
1. What labels does it support?
For example, you can insert an image hyperlink.
Then we will know that <a href> these labels and attributes are supported, and then we will gradually think about whether the image method, such as the url property value, can be set to javascript: vbsrcept.
2. Filtered?
If it is filtered out, We will test whether it is a blacklist or a whitelist filter.
For example, for the attribute starting with "filter on", we can use the onddd attribute that starts with "on" but does not exist to check whether the attribute is a whitelist or a blacklist filter and then break through it.
The above is about the XSS of the mailbox body. Next, you can also consider how to test the attachment name in LINUX by using an XSS statement for the attachment name? There are email signatures and so on.
All user input is harmful. All data that you can control and display when the recipient receives the email address is worth testing.
0X04  How to defend black box systems
The official users of this mail should use a whitelist to restrict allowed tags. For example, if only some tags are allowed, write regular expressions for attributes,
For example, the src attribute of a hyperlink is restricted to regular URLs.
0 × 05  A new type  XSS  Defense scheme
XSS defense is believed to be a pain of many programmers. It is easy to filter the angle brackets and so on,
However, when writing code or joining new users, there is always negligence.
After all, when the business goes online, it may not be time to audit code security.
Is there any very lazy but useful way to block XSS?
So that programmers can focus on business development?
This method targets reflected XSS (including dom xss) or stored XSS caused by GET.
I haven't thought of a convenient defense method for the stored XSS caused by POST. If you have any, please contact me. Thank you for your advice.
Let's write a JS

<script>If(location.href.indexof(“<”)||location.href.indexof(“>”)||location.href.indexof(“%3c”)||location.href.indexof(“%3e”)||location.href.indexof(“javascript：”)||location.href.indexof(“vbscript:”){window.stop ? window.stop() : document.execCommand("Stop");</script>

Every page is embedded with this JS to effectively prevent reflected XSS (including dom xss) or stored XSS caused by GET. If it is bypassed, you can change this JS to be improved. Depends on the business situation.
In this way, programmers can focus on business security defense, and XSS is easier than half.