hackerone vulnerability: how to use XSSI to steal a multi-line string - vulnerability warning - the black bar safety net

May 26, 2017, 佚名 (anonymous), www.myhack58.com
First of all, I assume readers already know what XSSI is. If not, the paragraph below, taken from the article on identity-based XSSI attacks, gives a short introduction:
Cross-Site Script Inclusion (XSSI) is an attack technique that lets an attacker bypass the origin boundary to steal certain kinds of data. It exploits the fact that browsers do not stop a page from loading resources such as images and scripts from other domains and servers. For example, an attacker can carry out the attack from a malicious web page using a SCRIPT tag:
Technical analysis
Because the browser does not prevent a page on one domain from directly referencing resources on another, we can include a third-party resource with a script tag and observe how it runs, even though we cannot read the raw content of a cross-domain script through that tag.
Note that the file included by the script tag does not have to be a JS file: it need not be labelled text/javascript, and its extension does not have to be ".js".
The first security issue I reported to HackerOne grew out of a theoretical idea; the corresponding attack technique, CSV theft using quotation marks, is introduced and described in the article on identity-based XSSI attacks. The core idea of the whole attack is to embed JavaScript statements in the contents of the CSV file. The endpoint I reported is:
https://hackerone.com/settings/bounties.csv
This is a new HackerOne feature; you can find it under Settings > Payments as "Download as CSV". Clicking the link makes the browser send a simple GET request and pop up a download dialog. The CSV content is as follows:
report_id,report_title,program_name,total_amount,amount,bonus_amount,currency,awarded_at,status
1234,Sample report,Sample Program,100.0,100.0,0.0,USD,2017-01-01 12:30:00 UTC,confirmed
1234,Sample report,Sample Program,100.0,100.0,0.0,USD,2017-01-01 12:30:00 UTC,confirmed
1234,Sample report,Sample Program,100.0,100.0,0.0,USD,2017-01-01 12:30:00 UTC,confirmed
Since I control report_title, I immediately thought of using XSSI to try to leak the file's contents. The first line of the CSV is a list of comma-separated values, and every one of them is a valid JavaScript identifier. So all my page has to do is declare these variable names and then include the file.
The PoC I designed is as follows:

var report_id,report_title,program_name,total_amount,amount,bonus_amount,currency,awarded_at,status;

At first this was pure theory. I used Burp Suite to modify report_title, turning the rows into valid JavaScript code, and finally used backticks (`) to capture many rows of data as a single string. The author of the identity-based XSSI attack article has already discussed how to read multi-line string data and gives detailed examples.
Once the data is modified into valid JavaScript statements, the response content looks like this:
![Screenshot: response content of the modified CSV](/Article/UploadPic/2017-5/2017526175754164.png?www.myhack58.com)
Here the JavaScript variable Sample holds the contents of every report in the CSV file except the last one.
About an hour later I found another XSSI attack point, and this time the PoC I designed did not require modifying any data in transit. The vulnerable endpoint is:

https://hackerone.com/reports/12345/export/raw?include_internal_activities=true
![Screenshot: raw export of a report](/Article/UploadPic/2017-5/2017526175754877.png?www.myhack58.com)
This is not a CSV file, but we can still turn it into a valid JavaScript file. It is part of the "export" feature, which lets us view or download the raw contents of a report. After clicking, the browser sends a GET request. This is an XHR request and carries an anti-CSRF token.
In the browser we can see the full response to that GET request:
![Screenshot: full response to the export request](/Article/UploadPic/2017-5/2017526175754455.png?www.myhack58.com)
In order to leak the report content cross-domain, every line must be a valid JavaScript statement. So I submitted a demo report:
![Screenshot: the demo report](/Article/UploadPic/2017-5/2017526175754698.png?www.myhack58.com)
The first line is a label statement: "Title" followed by the user-supplied title. A labeled statement is a valid JavaScript statement, and it can be followed by my own input. To capture the multi-line string data I again used backticks (`). Then, after the closing backtick, I added a comment to serve as the end-of-string marker.
Demo video
Now I can embed the URL above in a script tag on my page and extract the data I need remotely. The following is the PoC demo video:
The important parts are shown in the screenshot below:
![Screenshot: key frames of the PoC demo](/Article/UploadPic/2017-5/2017526175755600.png?www.myhack58.com)
Currently I know of only two ways to control a multi-line JavaScript string: string concatenation and backtick escaping. ECMAScript 6 also introduces arrow functions (Arrow_Functions), which let developers define a function with shorter syntax. The following is a simple example:
