XSS exploration: a wonderful journey to link available points

Source: Internet
Author: User

At the time of writing, Macy's (http://www.macys.com/) has an Alexa rank of 241, which makes it a very valuable site in terms of traffic; from a security point of view, however, it is less so, as I will show.

Backslash escaping

Open the following URL (the GET request carries our harmless test string "xxxxxxxx'yyyyy). The figure below shows the returned page. I will first discuss a few issues visible in the figure, then find a way to reach the injection point, and finally trigger XSS; that is the general structure of this post.

http://www1.macys.com/shop/search?keyword=%22xxxxxxxx%27yyyyy%3C%2Fimg


Line 1 in the figure is the JavaScript statement keywordsearch = kws.replace(/"/g, '\\\"'); which replaces every double quote with \\\" . The developer's intention is evidently to escape with three backslashes. Developers usually delimit user data with double quotes and normally escape with a single backslash: \" (escaped double quote) or \\ (escaped backslash). Escaping with three backslashes is also acceptable, and another site illustrates this (open the following link in Chrome and look at line 21).

view-source:http://mashable.com/search?utf8=%E2%9C%93&q=%22xxxxxxxx%27yyyyy%3C/img


Note: a similar approach can be seen on YouTube Gaming, which uses a single backslash (\) and three backslashes (\\\) to escape on the same page; open this link in Chrome (view-source:https://gaming.youtube.com/results?search_query=%22xxxxxxxx%27yyyyy%3C%2Fimg) and look at lines 204 and 200.


So far everything is handled well, but wait a moment: what if I inject a backslash (\) itself? Is the backslash filtered? You may remember an earlier article of mine about backslashes. Open the following link (http://www1.macys.com/shop/search?keyword=\) and view the page source: the backslash is not filtered, as shown here:


Constructing the XSS

So we can construct the attack vector \"; confirm(1); // to achieve our XSS. The link is:

http://www1.macys.com/shop/search?keyword=\%22;%20confirm(1);%20//

Let's look at how it appears in the page source:


The figure shows that our injected string \"; confirm(1); // becomes \\\\"; confirm(1);// : the filter replaced " with \\\" as required, but left our own backslash untouched. We now have four backslashes in a row, yet we are still inside the keywordsearch variable; the code looks roughly like keywordsearch = "\\\\"; confirm(1);//";. How do we break out of this variable? If the number of backslashes before the quote is odd (1, 3, 5, ...) the escape works, but if it is even (2, 4, 6, ...) the escape fails.

In short, because of the four backslashes the double quote is no longer an escaped character; the browser treats it as the end of the variable's string. The ; in the attack vector then acts as a JavaScript statement separator, confirm(1); executes and pops up a dialog, and // comments out the trailing "; of the original code.
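As an added example (not code from the post or from the site it describes), the following JavaScript models the quote-only escaping described above, checks the backslash-parity rule, and shows the encoder a defender would use instead; the function names and the probe value are my own assumptions:

```javascript
// Added example, not code from the post or from the site: it models the escaping the
// article describes (every " replaced by \\\", user backslashes left alone) and shows
// why an even run of backslashes lets the quote close the string, plus a safe encoder.

// Vulnerable: quote-only escaping, three backslashes per quote, backslash untouched.
function escapeQuotesOnly(kws) {
  return kws.replace(/"/g, '\\\\\\"');
}

// Hardened: escape backslashes first, then quotes, so the backslash run before
// every quote is always odd and the quote can never terminate the literal.
function escapeForJsString(kws) {
  return kws.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Safest: let the JSON encoder build the whole literal and neutralise "<" as well,
// which also closes the </script> breakout the article tries further down.
function toJsStringLiteral(kws) {
  return JSON.stringify(kws).replace(/</g, '\\u003c');
}

// True if some double quote is preceded by an even number of backslashes, i.e.
// it is unescaped and would end the string literal so that code can follow it.
function breaksOutOfString(escaped) {
  let run = 0;
  for (const ch of escaped) {
    if (ch === '\\') { run++; continue; }
    if (ch === '"' && run % 2 === 0) return true;
    run = 0;
  }
  return false;
}

// Length of the backslash run right before the first quote (the article's "four").
function backslashesBeforeFirstQuote(escaped) {
  const m = /^([^"]*?)(\\*)"/.exec(escaped);
  return m ? m[2].length : -1;
}

// Constructed probe: the article's vector, a leading backslash followed by a quote.
const PROBE = '\\"; confirm(1); //';

console.log('vulnerable:', escapeQuotesOnly(PROBE), breaksOutOfString(escapeQuotesOnly(PROBE)));
console.log('hardened:  ', escapeForJsString(PROBE), breaksOutOfString(escapeForJsString(PROBE)));
```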

In theory this link (www1.macys.com/shop/search?keyword=\";%20confirm(1);%20//) should trigger the XSS, but unfortunately it does not yet!

Above the keywordsearch variable, at line 1949, there is a conditional check.

If it evaluates to false, execution never reaches the injection point. Why is it false? The condition is:

if (currentPageUrl.indexOf("cm_kws") != -1)

currentPageUrl is a variable defined on line 1948: var currentPageUrl = window.location.href assigns the current URL to it. The current link is http://www1.macys.com/shop/search?keyword=\%22;%20confirm(1);%20//. The JavaScript indexOf function returns the position of the first occurrence of the given string, or -1 if it is not found. Since cm_kws does not appear in the current link, indexOf returns -1 and line 1951 is never reached. We therefore have to construct an attack vector that satisfies the condition and reaches line 1951.

We can satisfy it by adding a cm_kws parameter to the request, for example http://www1.macys.com/shop/search?keyword=\%22;%20confirm(1);%20//&cm_kws, or by appending it directly: http://www1.macys.com/shop/search?keyword=\%22;%20confirm(1);%20//cm_kws. With the extra parameter, currentPageUrl.indexOf("cm_kws") returns 66, and 66 is not equal to -1; appended directly, it returns 65, which is also not equal to -1. Either form satisfies the condition.


All the pieces needed to trigger the XSS are now connected. The following link triggers it:

http://www1.macys.com/shop/search?keyword=\%22;%20confirm(1);%20//&cm_kws


I also wanted to trigger the XSS by breaking out with a script tag, since confirm(1) itself is not filtered; the link is:

http://www1.macys.com/shop/search?keyword=%3C/script%3E%3Cscript%3Econfirm(1)%3C/script%3E%C2%A0

However, there appears to be a WAF that intercepts the request and returns Access Denied.


Bypassing the WAF

I have seen similar blocks on sites behind Akamai, which suggests that no other protection is in place: after all, they rely on Akamai's own WAF. The Kona block page and BuiltWith both confirm that these sites use the Akamai WAF.

So the WAF has to be bypassed. As I said before, the obvious payload is blocked, but not every variant is. The following links bypass the WAF protection easily:

http://www1.macys.com/shop/search?keyword=%3C/script%0Aanything%3E%3Cdetails%20ontoggle=%27confirm%281%27//

http://www1.macys.com/shop/search?keyword=%3C/script%0Aanything%3E%3Cinput%20type=search%20oninput=%27confirm%281%27//

I noticed that Macy's allows single and double quotes in product names, and I suspected they might not handle the problems these characters cause. For example, the following product names contain them:

http://www1.macys.com/shop/product/under-armour-mens-downtown-11-performance-shorts?ID=2106127&CategoryID=3310#fn=sp%3D1%26spc%3D180%26ruleId%3D%26slotId%3D1

http://www1.macys.com/shop/product/under-armour-mens-raid-performance-10-shorts?ID=2015103&CategoryID=3310#fn=sp%3D1%26spc%3D180%26ruleId%3D%26slotId%3D2

A question came to mind: what happens if I search for a product whose name contains single and double quotes? I tried searching for a product with both:

Under Armour Men's Raid Performance 10" Shorts


The link is:

http://www1.macys.com/shop/search?keyword=under+armour+men%27s+raid+performance+10%22+shorts

It returns three results. Viewing the page source, I was surprised to find that the product name causes part of the content to break out of an attribute in the tag.


Another problem is that the " in the product name is neither filtered nor escaped,


which means we can use a " in a product name to construct XSS, with an attack vector such as -confirm(1)-". Combined with the earlier product name, the final attack vector looks like this:

Under Armour Men's Raid Performance 10"-confirm(1)-" Shorts


The final link is:


Translator's note: The author of this article is very observant and has a strong ability to connect usable points. When it comes to XSS, the translator likes this too. In the future I will also translate the author's other articles on XSS. If you have any questions, you can leave a message below the article, and I will turn into a passer-by to answer them.
