XSS vulnerabilities are something most people in the industry have heard of. This time I want to share a bug-hunting experience that was also quite unexpected.

Often, the XSS code you sow will one day magically bring you a surprise.

I won't cover the basics of XSS here; instead, I'll walk you through a real case of finding a stored XSS vulnerability in Baidu Netdisk. The principle behind this vulnerability is very simple, and finding it was largely luck, but it also makes a very basic piece of hands-on teaching material.

The story goes back a long way, to before Baidu Netdisk's own client let you change your nickname. At that time, changing the nickname through the Baidu Netdisk backup client itself only allowed 10 characters, but by capturing the request, modifying the packet and replaying it, I found that the nickname could be changed to a very long string.

And I thought: since they are only enforcing this restriction in the front end, does that mean I can put strings like <script>alert(1)<script> in there without them being filtered? Doing so also happens to circumvent the front end's length limit. There might be a stored XSS vulnerability here, so I changed the nickname to <script>alert(document.cookie)<script>.

What is stored XSS? A stored XSS vulnerability, also called a persistent XSS vulnerability, is one where the attack code (also called the payload) is stored persistently somewhere in the target application (such as a database or cache) and then displayed on a page somewhere else. When it is displayed, the browser treats it as a legitimate script and executes the malicious JavaScript. The place where you submit the attack code is called the input point, and the place where the attack code is displayed is called the output point.

Since we are hunting a stored XSS vulnerability and have found the input point, we need to find the output point. At the time I did a global search across every page of Baidu Netdisk, and everywhere I could find the nickname was filtered on output. So I left the bug alone.

A few months later, one night a net friend was about to share files with me using Baidu Cloud's built-in share-to-friends feature. Suddenly he told me that when he selected a user to share with and clicked the share list, the dialog box that popped up showed a page whose content was his cookies. My heart jumped: could the output point be here? This kind of output point requires interaction and is only rendered after a certain window is opened, so it is a relatively hidden output point; no wonder I had not found it before. I guess penetration testing really is about the fine details.
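The two weaknesses this story turns on, a length limit enforced only in the client and a share dialog that rendered the stored nickname as HTML, as an added JavaScript example (not code from the post or from Baidu): server-side validation of the nickname at the input point plus output encoding at the output point. The 10-character limit, the dialog markup and the friend record are assumptions modelled on the post.

```javascript
// Added example, not the post's or Baidu's code. Models the two fixes a
// defender would apply to the story above; values are assumptions.
const NICKNAME_MAX = 10; // the post says the client only allowed 10 characters

// Server-side validation. The client-side limit was bypassed by replaying
// the request, so the same check has to run where the nickname is stored.
function validateNickname(nickname) {
  if (typeof nickname !== 'string') return { ok: false, reason: 'not a string' };
  const length = Array.from(nickname).length; // count code points, not UTF-16 units
  if (length === 0 || length > NICKNAME_MAX) return { ok: false, reason: 'bad length' };
  return { ok: true, value: nickname };
}

// Output encoding for an HTML text/attribute context. Every user-controlled
// value interpolated into markup goes through this at the output point.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern behind the bug: the stored nickname is concatenated straight
// into the share dialog's markup, so a nickname holding a <script> tag runs.
function renderShareRowVulnerable(friend) {
  return `<li data-uid="${friend.uid}">${friend.nickname}</li>`;
}

// Hardened version: same markup, but the nickname (and the id) are encoded,
// so the browser shows the payload as text instead of executing it.
function renderShareRowSafe(friend) {
  return `<li data-uid="${escapeHtml(friend.uid)}">${escapeHtml(friend.nickname)}</li>`;
}

// Constructed sample: a "friend" whose nickname is the payload from the post.
const attackerFriend = { uid: '42', nickname: '<script>alert(document.cookie)</script>' };

// Runs the sample through both the input-point and output-point checks.
function demo() {
  return {
    validation: validateNickname(attackerFriend.nickname), // rejected: too long
    vulnerable: renderShareRowVulnerable(attackerFriend),  // contains a live <script>
    safe: renderShareRowSafe(attackerFriend),              // <script> is encoded
  };
}
```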

If you have the patience, you can easily change your personal information on the various websites you have registered on into all kinds of XSS scripts; maybe one day you will be lucky enough to dig up an XSS. You reap what you sow: plant the seeds and wait for the harvest.

So I hurried to capture, modify and replay the packet again, changing the nickname to the receiving script of an XSS platform. Then I repeated the process and, sure enough, the cookie could be captured. The cookie contained the most critical field of a Baidu account, BDUSS, which is the only field Baidu accounts use to identify users. In almost every Baidu service, holding this field is equivalent to holding that account's authority.

If you social-engineer someone into sharing files with you, you can take over their Baidu account without anyone noticing. Nowadays many people use Baidu Netdisk's cloud sync and similar features, so their phone's text messages, call records, address book, photo gallery and so on end up in the cloud. The SMS sync feature is especially dangerous: for example, Baidu Tieba's approval of moderator (bar owner) applications relies mainly on SMS verification codes, so if SMS sync is turned on and we hold the account, just by reading the messages synced to the cloud we could pass the verification for his bank account or a moderator application. Think about how terrifying that is.

In the end, I submitted this vulnerability to WooYun, where it ranked 13 and earned me small gifts such as a doll keychain. Later I heard from a friend in the security circle that he had submitted a similar vulnerability that earned many points, which could be exchanged for cash-equivalent rewards such as various shopping cards. If I had submitted this vulnerability to Baidu's own BSRC, there might have been a three- or four-digit cash reward, which was a pity.

If you search for keywords like [Baidu Netdisk] on the various WooYun mirror sites, you should be able to find the details of the vulnerability.


This article was originally published by @chang d in the Zhihu column "The Beauty of Code" (https://www.zhihu.com/codes). Please indicate the source when reprinting. Thank you.