a method of xss vulnerability aided mining based on stain analysis

Posted by tetley at 2020-03-08

1. order

In a previous article, I briefly explained several implementation methods of automatic audit of web application code.

In this paper, we take XSS vulnerability as an example to explain a practical example of gray box analysis.

As mentioned above, vulnerability can be considered as the process of input to dangerous function, so this article mainly involves three parts: input, dangerous function and specific implementation.

2. input

The input as the source of stain mainly considers three sources: current state, network request and storage function.

The current status mainly refers to such variables as window name, current URL, hash, referr, etc., which specifically correspond to the following variables: window.location.href window.location.hash window.location.pathname window.location.url document.URL document.documentURI document.URLUnencoded document.baseURI document.referrer

Network request mainly refers to the request and its response obtained asynchronously, which can be obtained through the hook XMLHttpRequest fetch and other APIs.

XMLHttpRequest fetch

Storage mainly refers to cookies, indexdb, localstorage, sessionstorage, etc.

Part of the input is determined when the web page is initialized, and this part is recorded by the program. Part of the input will change constantly, such as cookies. This part of the input will be monitored by means of stake insertion and event processing, and the change will be recorded in real time.

3. Hazard function

Here, dangerous functions are divided into five categories: directly executing JavaScript, loading URL, executing HTML, creating elements, and partially controllable execution. The specific functions and related modes involved are as follows.

3.1 direct JavaScript execution

Such dangerous functions directly execute input in the form of JavaScript code, for example.

eval(payload) setTimeout(payload, 100) setInterval(payload, 100) Function(payload)() <script>payload</script> <img src=x onerror=payload>

3.2 load URL

This type of dangerous function executes JavaScript code in the form of URL loading, but it is similar to JavaScript in general.

location=javascript:alert(/xss/) location.href=javascript:alert(/xss/) location.assign(javascript:alert(/xss/)) location.replace(javascript:alert(/xss/))

3.3 executing HTML

This kind of dangerous function directly executes the input in the form of HTML code, and can execute the code under certain circumstances.

xx.innerHTML=payload xx.outerHTML=payload document.write(payload) document.writeln(payload)

3.4 creating elements

Most of these calls are to create a DOM element and add it to the page. When the source of script is controllable or the construction of elements is controllable, problems may occur.

scriptElement.src domElement.appendChild domElement.insertBefore domElement.replaceChild

3.5 partially controlled execution

This kind of call has a certain dynamic component, and the degree of controllability is not high, but in some cases, it has value, so we add monitoring to the tool.

(new Array()).reduce(func) (new Array()).reduceRight(func) (new Array()).map(func) (new Array()).filter(func)

4. Overall structure

4.1 stain tracking

There are two ways to implement the stain tracing, one is to implement the native of hook browser, but this method requires a good understanding of the implementation mechanism of the browser itself, and the compilation process is complex, so it is difficult to migrate. Once the browser is updated, it needs to modify a lot of code to adapt.

Another idea is to build a JavaScript layer hook based on the browser plug-in. Although this way does not have the bottom layer of the browser source code layer hook, it is faster and easier to develop and migrate, and it is easier to adapt when there are new mechanisms.

In the chrome plug-in, the code is divided into content script, background, pop and other runtime. Only content script can manipulate the dom of the host page, but the host page JavaScript and content script are also in different sandbox, unable to hook, and can only be injected.

After hook, when a dangerous function call or network request occurs, it is recorded in the background.

4.2 confirmation of suspected use

Unlike many vulnerabilities, most of the storage vulnerabilities are not echoed, so we need to do some confirmation work.

After obtaining the information, take the domain name as the unit. Traverse the sink and source to find the coincidence. If source appears in the parameter of sink, it may be a vulnerability point. It should be noted that in addition to hash, various parameters such as network request are not necessarily controllable. In addition, it is necessary to remove the sink, the same source and the same returned result under the same domain name, the same parameter and the same call, so as to reduce duplicate data.

When confirming, consider that the parameters in the sink may be part of the source, and the source may only be part of the sink. Therefore, the common substring algorithm is used, as long as the length of the string is less than the minimum length of sink and source.

However, even if it is completely controllable, there may be WAF, sanitizer, CSP strategies that are difficult to bypass, etc. Therefore, this method will have a higher false alarm rate, but relatively, in the case of hook, the false alarm rate will be much smaller.

In addition to this approach mentioned above, the tool takes a dynamic pollution approach. By modifying the request parameters and the parameters when the function is called, some testable payloads are passed in. If the trusted results are obtained in the return interface, the vulnerability exists.

4.3 result viewing

In this paper, it is considered to directly display the possible results with the plug-in interface pop / background, and store the data with the browser layer's local storage, but this way will affect the compatibility of migration between browsers.

So in the end, we write a small site with vuejs + Django to receive the request and view the result.

5. Reference link