CVE-2017-0135 vulnerability analysis: using the Edge browser's XSS filter to bypass CSP - Vulnerability Warning - the black bar safety net
Source: www.myhack58.com (MYHACK58:62201889758)
Author: 佚名 (anonymous)
Published: Mar 19, 2018, 12:00 a.m.
EPSS: 0.325 (Low), percentile 97.1%

In this article I want to share a vulnerability I recently found in the Edge browser. It exploits a defect in the browser's XSS filter to bypass another XSS defence, CSP (Content Security Policy). Note that this vulnerability does not bypass the XSS filter itself; rather, it uses the filter to force an exploitable XSS vulnerability onto pages that otherwise have none.
![](/Article/UploadPic/2018-3/2018319192829380.jpg?www.myhack58.com)
0x01 Background
The browser XSS filter was born in IE 8 and is meant to prevent reflected XSS attacks. Its basic principle is this [references 1, 2, 3]: since the attack is reflected, a parameter value from the URL is bound to appear somewhere in the page. Of course, not every parameter reflected into the HTML page is XSS; for example, if example.com/index.php?id=12345 returns a page containing 12345, that obviously does not matter. But if example.com/index.php?id=alert(1) is reflected back inside a script element, an XSS attack is possible. The filter's decision logic is roughly as follows. First it determines whether the GET or POST data contains a parameter that may carry XSS code; this step uses a fairly complex set of regular expressions built into the browser. If a match succeeds, it then searches for the value of that parameter in the HTML returned by the server. If it is present, the browser concludes that this is an XSS attack. The XSS filter in Edge and IE has two modes: one blocks the entire page once an attack is detected, the other tries to "repair" the XSS. The default is the second mode; the server can switch to the first by sending the HTTP header field X-XSS-Protection: 1; mode=block [reference 4].
The following describes how Microsoft's browsers "try to repair XSS". Suppose the URL is example.com/index.php?id=alert(1) and the HTML contains that alert(1) inside a script element. The browser then modifies the HTML of this element, changing the r in script to # (so <script> becomes <sc#ipt>), and only after that revision hands the HTML to the parser. Because the script element has been destroyed, the JavaScript code inside it is not executed. embed, iframe, object, meta and other tags are handled the same way: one letter is replaced with # to ruin the tag.
This repair method, although it effectively repairs part of reflected XSS, also carries a potential danger. Ever since IE 8 introduced the XSS filter, researchers have abused its repair logic to inject XSS into pages that had no XSS vulnerability at all. A simple way to use it: suppose the page already loads jquery.js through a script element, and we construct a URL, example.com/index.php followed by a query string that contains that same script element. IE and Edge will falsely report this as an XSS attack and, repairing it in the way described above, neuter the real script element in the page, so jquery.js cannot load. Of course this example is not itself a vulnerability: the effect is as if the jquery.js file did not exist, so functionality may be affected, but it is not a security issue.
In reference [5] the author mentions another way to use it, for example an img tag in which the alt attribute value is the injection point. Originally this tag does not execute code, but after IE's self-defeating repair its onload handler is executed.
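To make the filter behaviour described above concrete, here is an added Python model of it (not code from the article or from Microsoft): a signature check on request parameters, the reflection check against the response body, the two modes selected by X-XSS-Protection, and the "#" repair. The single regular expression, the sample page and the sample URL are constructed stand-ins for the real filter's built-in signature list.

```python
"""Toy model of the IE/Edge XSS filter's reflection check and "repair" mode,
as the article describes it. Added illustration only, not Microsoft's code.
The signature pattern, page and URL below are constructed stand-ins."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for the filter's built-in signature list: one pattern
# covering the element names the article mentions.
SIGNATURE = re.compile(r"<(script|meta|embed|iframe|object)\b[^>]*>", re.IGNORECASE)

# Constructed sample: a page that loads jquery.js, and a URL whose query merely
# repeats that same element (the false-positive case from the text).
SAMPLE_PAGE = '<html><head><script src="jquery.js"></script></head><body>hi</body></html>'
SAMPLE_URL = 'http://example.com/index.php?q=<script src="jquery.js">'


def neuter(tag_text):
    """Model of the repair: replace the third letter of the tag name with '#'
    (the article's example: <script> becomes <sc#ipt>). Simplification."""
    return tag_text[:3] + "#" + tag_text[4:]


def suspicious_fragments(url):
    """Step 1: request parameter values that match a signature."""
    found = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found.extend(m.group(0) for m in SIGNATURE.finditer(value))
    return found


def apply_filter(url, response_headers, html):
    """Steps 2-3: a suspicious fragment that also appears in the response body
    is treated as reflected XSS. With X-XSS-Protection: 1; mode=block the whole
    page is dropped (None); otherwise (the default) each occurrence is neutered.
    Only the HTML body is rewritten; HTTP headers are never touched."""
    protection = response_headers.get("X-XSS-Protection", "1")
    block_mode = "mode=block" in protection.replace(" ", "")
    repaired, hit = html, False
    for fragment in suspicious_fragments(url):
        if fragment in repaired:
            hit = True
            repaired = repaired.replace(fragment, neuter(fragment))
    if hit and block_mode:
        return None
    return repaired


if __name__ == "__main__":
    # Repair mode: the page's own jquery.js element is ruined.
    print(apply_filter(SAMPLE_URL, {}, SAMPLE_PAGE))
    # Block mode: the page is not rendered at all.
    print(apply_filter(SAMPLE_URL, {"X-XSS-Protection": "1; mode=block"}, SAMPLE_PAGE))
    # A harmless parameter matches no signature and leaves the page intact.
    print(apply_filter("http://example.com/index.php?id=12345", {}, SAMPLE_PAGE))
```

Running it shows the two outcomes the article contrasts: in repair mode the page's legitimate script element comes back as <sc#ipt ...>, while in block mode nothing is rendered. Because the rewrite only ever touches the HTML body, anything the server delivers in HTTP headers is outside the filter's reach.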
0x02 CVE-2017-0135
Above we discussed using the filter's false positives to kill jquery.js. Since it can disable a script tag, can it also get rid of other tags, in particular security-related ones? I recalled that Content Security Policy can be set in two ways: in an HTTP header field, or with a meta tag in the HTML. So I tried it: if a site sets its CSP with a meta tag, can I use the filter's false positive to remove that meta tag so that the CSP is disabled? The conclusion is yes. I constructed an HTML page, assuming its URL is http://example.com/xss.html:
<html>
<head>
<title>CSP Test</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</head>
<body>
<script>alert(document.domain);</script>
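The weak configuration in this test page is a CSP that exists only as a meta element in the HTML, with the filter left in its default repair mode. As an added example (not part of the article), the following Python audit detects that configuration in a response and builds the header set a server should send instead; the function names and finding names are my own, and the sample HTML is a copy of the page above.

```python
"""Added audit helper (not from the article): flags CSP delivered only by a
<meta> tag while the XSS filter is in its default repair mode, and builds the
header-based replacement. Function and finding names are my own."""
import re

META_CSP = re.compile(
    r"<meta\s+[^>]*http-equiv\s*=\s*[\"']content-security-policy[\"'][^>]*>",
    re.IGNORECASE,
)
# Capture the opening quote and read up to the matching one, so a policy such
# as script-src 'self' inside double quotes survives intact.
CONTENT_ATTR = re.compile(r"content\s*=\s*([\"'])(.*?)\1", re.IGNORECASE | re.DOTALL)

# Copy of the test page from the article (the part shown on this page).
SAMPLE_HTML = """<html>
<head>
<title>CSP Test</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</head>
<body>
<script>alert(document.domain);</script>
"""


def meta_policies(html):
    """Policy strings found in meta CSP tags, ready to move into a header."""
    policies = []
    for tag in META_CSP.findall(html):
        m = CONTENT_ATTR.search(tag)
        if m:
            policies.append(m.group(2))
    return policies


def audit_csp_delivery(headers, html):
    """Return finding names for one response (headers dict plus HTML body)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    in_meta = bool(META_CSP.search(html))
    in_header = "content-security-policy" in lower
    if in_meta and not in_header:
        # The meta element lives in the HTML the filter rewrites; a header does not.
        findings.append("csp-only-in-meta")
    if not in_meta and not in_header:
        findings.append("no-csp")
    protection = lower.get("x-xss-protection", "").replace(" ", "")
    if "mode=block" not in protection:
        findings.append("xss-filter-not-in-block-mode")
    return findings


def hardened_headers(policy):
    """Response headers to send instead of relying on the meta tag: the policy
    as a header, and the filter switched to block mode as the article describes."""
    return {"Content-Security-Policy": policy, "X-XSS-Protection": "1; mode=block"}


if __name__ == "__main__":
    print(audit_csp_delivery({}, SAMPLE_HTML))
    fixed = hardened_headers(meta_policies(SAMPLE_HTML)[0])
    print(fixed, audit_csp_delivery(fixed, SAMPLE_HTML))
```

Against the sample page with no headers the audit reports both findings; after the policy is moved into the Content-Security-Policy header and X-XSS-Protection is set to block mode it reports none. Delivering the policy in the header is the better default in any case: the header is not HTML, so no HTML rewrite can reach it, and the meta form cannot carry directives such as frame-ancestors, report-uri or sandbox.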
