Who is watching my website? Second: Internet Explorer vs. cross-site scripting (XSS)

Source: External region of Alibaba Cloud

The Web, HTML, CSS, and various plug-ins are all being played in response to the security points, the process involves many efforts to repair the initial insecure design. IE, now it's IE 8.

In this article, "Who is viewing my website? First: DOM sandbox vs cross-site scripting (XSS )」.

Many of my friends have asked me via email, msn, or plurk. Why is this attack IE <= 7? In fact, this question is not clearly understood by both parties, so I only wrote IE & lt; = 7 in the article, I don't want to let a long article grow longer, but I didn't expect everyone to suffer. I still asked this question. Then we will try again. Why should we break IE <= 7 to work!

In fact, I only confirm that IE 7 can work, IE 8 can not, IE 1-6, I did not know, did not pass. But why I didn't say I could use IE 8, and why did some friends think I could? One of the biggest "creden" of friends that can be considered is that there is a line in the HTML of the beginning of the Plurk:

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

Since the CSS and HTML specifications are not constantly presented, various browser tools are constantly changing. How can a website be parsed, it is very important to decide which mode to use with the compiler to solve the problem. In HTML 5, three modes are defined: no quirks mode (standard mode) and quirks mode (compatible mode) and limited quirks mode (restrict compatible mode/near-standard mode, almost standards mode ). Different modes affect how the parser parses (parse) and shows an HTML file. In terms of information security, different modes have a huge impact, for example, the processing of scripts in a file may vary depending on different modes.

As far as the compiler is concerned, the biggest difference between different modes should be IE, and IE 7 to IE 8 should be clear. Internet Explorer 8 supports four modes: Internet Explorer 8 standard, Internet Explorer 8 standard, Internet Explorer 7 standard) mode, IE 5.5 quirks (compatible) mode. 「 Who is watching my website ?」 Attack points used in:

body {background-image: expression(alert("XSS"));}

That is, it is removed from IE 8 beta 2 and in IE 8 standard mode. This means that, in IE 8 standard mode, this attack is ineffective, and the expression cannot be broken. So how does IE 8 decide when to use which mode to implement? The answer is many articles, this includes HTTP headers, doctype, meta X-UA-Compatible, web site blacklist of microservices, and user settings. How can I find out which mode IE chooses to handle a network during the transparent coding process? Which of the following is the simplest method? FamilyID = E59C3964-672D-4511-BB3E-2D5E1DB91038 & displaylang = en "> IE Developer Toolbar. This tool has always been a good tool to differentiate itself from firebug. The IE Developer Toolbar shows the modes used by IE to parse the current network. Taking Plurk as an example, my Toolbar labels are shown as follows:

Why is Plurk running in IE 8 standard mode? Let's take a look at the program example:

Server: nginx/0.6.32Date: Sun, 28 Jun 2009 18:49:38 GMTContent-Type: text/html; charset=utf-8Connection: keep-aliveExpires: Sun, 28 Jun 2009 18:49:37 GMTCache-Control: no-cacheCache-Control: no-cachePragma: no-cacheContent-Length: 36704<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

Well, since doctype has been defined, it also uses meta to define X-UA-Compatible as "IE = EmulateIE7 」, that should force IE 8 to parse the Plurk in IE 7 standard mode. Why does the toolbar still show the "IE 8 standard mode 」, and is there no way to attack the hacker? The initiator is the javascript code before meta. If this javascript is not available, IE 8 will be switched to IE 7 standard mode, and the above attack will still be effective. Try at the venue. Use fiddler, and then use IE 8 to open the plurk, and use the lamb login token (goat_victim) to log in, And then renew my Plurk face, the attacker sends the following http request, but no request is sent to 553lab.org, indicating that the attacker has failed to attack the attacker:

At this time, we used "bpu http://www.plurk.com/armorize_waynew.here" to better understand the central point (breakpoint, see the bottom of the black box), and then press F5 on IE 8 to repeat it, select "Break on Response", and then wait until the http response responded by the plurk server is reached, and the center is stopped again. At this time, our hands change this HTML, move javascript to "X-UA-Compatible" and select "Run to Completion 」:

Next to the response line, we saw a request sent to the http://553lab.org on IE 8, indicating that our XSS (cross-site scripting vulnerability) was successful, javascript has been merged:

Back to IE 8, we can see that on my Plurk plane, the bot has automatically greeted the caller (goat_victim:

So why does IE 8 decide the solution process? The following process was taken from: http://hsivonen.iki.fi/doctype/ie8-mode.png

The highlighted part of the process was decided to use the "IE 8 standard mode" for this IE 8 decision. In addition to the HTTP headers and HTML content of the Internet site, the compatibility settings of Internet Explorer 8 have also been determined by IE 8. Set my Compatibility to compatible Settings ):

The decisions include:
1. Whether X-UA-Compatible meta is available: Actually: Yes, but javascript is available first.
2. is X-UA-Compatible set in the HTTP response header? Actually: No
3. Does my IE 8 compatibility Settings Check "display all websites 」? Actually: No
4 ....

It is possible that this is a deliberate design of Plurk, so that IE 8 can be written in "IE 8 standard mode, however, it may be that Plurk intends to switch IE 8 to "IE 7 standard mode" by setting X-UA-Compatible 」, however, a piece of javascript was added to the front, which allowed the pattern to jump back to the "IE 8 standard mode" and also invalidates our attack.

No matter how, Plurk makes IE 8 fail in "IE 8 standard mode", which invalidates the attack points we mentioned in the previous article, in the previous article, I did not say that the attacker could perform the attack on IE 8. As a result, some friends asked why the expression in CSS has been used for IE 8 bytes and can work. Why? The answer is, what kind of mode does your Internet Explorer 8 show? If X-UA-Compat is not set in the HTML or HTTP header