2007年10月31日星期三

[Tips]DOM Based Cross Site Scripting

by Superhei
http://www.ph4nt0m.org
2007-11-01

现在xss非常流行.而且跑xss的工具到处都是,导致就和sqlinj一样,很多大站 基本很难找到很明显的xss bug了,以往我们查找xss 一般都黑盒,而且效果很明显,对于白盒,一般都是基于Server language如[php/asp/jsp ....]查找变量输出语句如:print/echo ....等.

今天刚看看大牛Amit Klein在2005写[DOM Based Cross Site Scripting or XSS of the Third Kind]:http://www.webappsec.org/projects/articles/071105.html 提到的DOM的xss比上面提到的那些更加难以发现,就luoluo牛说的找基于dom的xss才是王道 :)
找这类的xss需要分析js本身的代码,这样我们可以就和分析Server language的一些漏洞一样分析js了: 就和php等一样漏洞的产生是: 变量--->输出函数 ,而js是 变量--->输出给浏览器那么我们要找dom-xss就是分析变量的'提取'和'输出'语句了

比如变量的'输出'给浏览器执行的一些对象:document.write,eval ...等等
变量'输入/提取':document的一些对象 如document.URL document.location ...等等

就和Amit Klein文章里列举的那些:

2. Analyzing and hardening the client side (Javascript) code. Reference to DOM objects that may be influenced by the user (attacker) should be inspected, including (but not limited to):

document.URL
document.URLUnencoded
document.location (and many of its properties)
document.referrer
window.location (and many of its properties)
Note that a document object property or a window object property may be referenced syntactically in many ways - explicitly (e.g. window.location), implicitly (e.g. location), or via obtaining a handle to a window and using it (e.g. handle_to_some_window.location).

Special attention should be given to scenarios wherein the DOM is modified, either explicitly or potentially, either via raw access to the HTML or via access to the DOM itself, e.g. (by no means an exhaustive list, there are probably various browser extensions):

Write raw HTML, e.g.:
document.write(…)
document.writeln(…)
document.body.innerHtml=…
Directly modifying the DOM (including DHTML events), e.g.:
document.forms[0].action=… (and various other collections)
document.attachEvent(…)
document.create…(…)
document.execCommand(…)
document.body. … (accessing the DOM through the body object)
window.attachEvent(…)
Replacing the document URL, e.g.:
document.location=… (and assigning to location’s href, host and hostname)
document.location.hostname=…
document.location.replace(…)
document.location.assign(…)
document.URL=…
window.navigate(…)
Opening/modifying a window, e.g.:
document.open(…)
window.open(…)
window.location.href=… (and assigning to location’s href, host and hostname)
Directly executing script, e.g.:
eval(…)
window.execScript(…)
window.setInterval(…)
window.setTimeout(…)


那么我们分析dom-xss就可以直接分析那些js的函数了,那么我们怎么分析呢,和PHP等一样我们可以用grep等一些静态的方法,那么动态的方法呢? 可以使用基于proxy的中间自动fuzz,还有luoluo提出的js函数的'hook'等等 ...期待luoluo牛的fuzz-tool

另外在利用或者触发dom-xss要注意一个js的特点就是[js闭合标签优先]:http://superhei.blogbus.com/logs/10073294.html的特点.
最后感谢luoluo牛的耐心的指导,还有jx分享他的0day :)

没有评论: