What makes the "Baidu" cross-site vulnerability: INPUT XSS, how it works and the idea of parsing the vulnerability. Warning from the black bar safety net

ID MYHACK58:62200714728
Type myhack58
Reporter 佚名
Modified 2007-03-26T00:00:00


Article author: lszm. Technical team: the client information security team (www.xaqd.net) and the Western Union network security group (http://bbs.zmke.com).

What is INPUT XSS? For many people this is perhaps a new term. INPUT XSS is one of the earliest exploitation techniques to appear at the end of 2006, a "New Year's Eve exploit" to welcome 2007. How does it differ from traditional XSS? Traditional cross-site scripting is generally found in text editing areas, resource search bars, site back-end settings bars and the like. The new INPUT XSS expands this battlefield: it appears in the site's member username input field! I will use Baidu's INPUT XSS to describe it.

[Figure: the Baidu login error page]

As shown in the figure, when we enter a username that does not exist in the system, or an existing username with a wrong password, the system returns a page. In the general case we enter a wrong username and leave the password empty; here Baidu does not treat the empty password as a special case. So at this point we view the source code of the returned page and find the username we entered in the source. So we enter the vulnerability test code, submit, and view the source: Username: "class="ip"/>

Key code: our input appeared in the source, so we should conclude that Baidu performs no filtering on the username input field, at least no filtering of angle brackets; for cross-site scripting this is already enough! But when we entered the cross-site code in the field we found that the number of characters is limited! If there is not enough room for the cross-site code, what do we do? Actually, we can construct the Baidu login submission URL ourselves! So we construct http://passport.baidu.com/?login&username="alert(/lszm%20%20www.zmke.com%20%20QQ:9155658/)"&password=lszm and submit!

The cross-site attempt was not successful, so we view the source:

Username: alert(/lszm www.zmke.com QQ:9155658/)\"" class="ip"/>

Have you noticed that our cross-site code was blocked (the red part)? This simple shield of course cannot beat us, so we construct the URL again so that the shielded code is terminated early and ours is effective. So: http://passport.baidu.com/?login&username=">alert(/lszm%20%20www.zmke.com%20%20QQ:9155658/) Access it:


Look, the cross-site attack succeeded! But while such a URL already works very well, anyone who knows a scripting language will find it not good enough, so we can hex-encode (URL-encode) this URL. For example, the Netease INPUT XSS URL-encoded looks like this: http://reg.163.com/login.jsp?username=%22%3E%3cscript%3Ealert%28/%4Cs%5Am%20QQ%3A91%35%356%358/%29%3C/script%3E%3C%22&password= After encoding, how many traces of the cross-site code are left? ASCII code table address: http://bbs.xaqd.net/read.php?tid=228 I will continue to release notes related to this vulnerability; please stay tuned, and everyone is welcome to contact me, QQ: 9155658
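As an added defender-side illustration (not part of the original article), the following Python models the three reflections seen above: the raw echo of the username into the `value` attribute, the backslash "shield" that merely prefixes the quote, and proper HTML attribute encoding. The markup, function names and sample inputs are constructed, and the check parses the result to confirm the username never left the attribute.

```python
import html
from html.parser import HTMLParser

# Constructed model of the login error page: the submitted username is placed
# inside the value="" attribute of an <input class="ip"/> element.
TEMPLATE = 'Username: <input type="text" name="username" value="{}" class="ip"/>'


def render_vulnerable(username: str) -> str:
    """Reflects the username with no encoding at all (the first behaviour shown)."""
    return TEMPLATE.format(username)


def render_backslash_filter(username: str) -> str:
    """Prefixes double quotes with a backslash (the 'shield' seen in the second attempt).
    A backslash is not an escape character in HTML, so the quote still closes the attribute."""
    return TEMPLATE.format(username.replace('"', '\\"'))


def render_safe(username: str) -> str:
    """HTML-encodes the value, including quotes, so it cannot terminate the attribute."""
    return TEMPLATE.format(html.escape(username, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and the value attribute of the <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")


def reflected_safely(page: str, username: str) -> bool:
    """True only if the page contains just the <input> and its value is exactly the username."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags == ["input"] and parser.value == username


# Constructed probe in the style described above: a quote and '>' to leave the attribute.
PROBE = '"><b>x</b>'
```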