See how I found the Yahoo XSSi vulnerability to achieve the user information stealing-vulnerability warning-the black bar safety net

2018-08-17T00:00:00
ID MYHACK58:62201891189
Type myhack58
Reporter 佚名
Modified 2018-08-17T00:00:00

Description

! Find some specific categories of vulnerability is composed of two key parts, that is the vulnerability the cognitive as well as mining the degree of difficulty. Cross-site script contains a vulnerabilityXSSi in a recognized security standards OWASP TOP 10 and is not mentioned, but it is also not some publicly available tools. But the effects of it relates to personal storage for information disclosure, the token protection mechanism bypass as well as account hijacking, etc. Currently, due toXSSi vulnerability exists widely and the lack of effective means of detection, leading to its vulnerability is the degree of harm increases. In this article I will share I found a YahooXSSi vulnerability, exploit the vulnerability can be achieved on the Yahoo user's information stolen. Inkling Participation in the Yahoo(Yahoo vulnerability the public test project, in my some times with BurpSuite to capture the analysis, by chance saw the following request: ! In I found this to be a JSONP service after the end, I immediately realized that this might form aXSSi vulnerability, cross-site script included in. In the Yahoo website, the API, the. crumb value is actually a random string with the user's session and authentication values associated, I noted that if in the request, GET parameters . crumb value is invalid, then its response is as follows: ! Use Now, I think if can somehow go to steal the victim's effective. crumb values, then we can steal each other's specific account information. Therefore, I'm in BurpSuite capture, to find all the contain effective . crumb the value of the request, in the end, I found out in a dynamic Javascript file the existence of such information, 该Javascript文件位于https://messenger.yahoo.com/embed/app.js the. If you now go check out this Javascript file, you will find it one of the logoutCrumb value has been deleted fix, I first discovered, its source code is as follows: ! Now, XSSi vulnerability principle in fact is such that it allows an attacker to bypass the original boundary to steal a particular type of data, the use of the tag's src attribute to break the same origin policy( SOP, i.e., in the tag, the browser will not block the page loading images and text and other third-party resources. Therefore, in order to steal https://messenger. yahoo. com/embed/app. js in valid callback . crumb value, and then put it in the link: https://jsapi. login. yahoo. com/w/device_users?. crumb=POR1. kRjsx in a request to get to the relevant user session information, I wrote the following PoC code: html> head> title>Yahoo XSSi PoCtitle> head> body> div style="width: 60%; margin-right: auto; margin-left: auto; margin-bottom: 30px;"> h1 style="text-align: center;">Proof of Concepth1> b>Dataset 1:b> div id="content1" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;">div> br/> b>Dataset 2:b> div id="content2" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;">div> div> script> function processDeviceUsers(data) { document. getElementById("content1"). innerHTML = JSON. stringify(data); } window. onload = function () { var config = {}; config_data = {};

[1] [2] next