Shulou(Shulou.com)05/31 Report--

Based on AST JSONP hijacking automatic mining how to understand, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Brief introduction of 0x01 JSONP hijacking

JSONP uses the cross-domain ability of script tags to access cross-domain data. Request a dynamically generated JS script with a callback function name as an argument. After the server receives the request, the dynamic generation script generates the data, and calls the callback function with the generated data as the parameter in the code.

JSONP hijacking is to visit the attacker's website without the victim's knowledge, and the attacker obtains the user's sensitive information on other websites through the JSONP interface.

Therefore, it is usually used to:

Accurate fraud caused by the disclosure of sensitive information.

One of the source traceability of the defender, such as obtaining a portrait of an attacker in a honeypot.

Introduction to 0x02 AST

AST (Abstract Syntax Tree, abstract syntax tree) is an abstract representation of the syntax structure of the source code. It represents the grammatical structure of the programming language in the form of a tree. So code with the same meaning, even in different forms of implementation, is unified at the AST level.

The unity and consistency at the AST level can not be achieved by the traditional regular matching. It makes it easy for us to solve the following situations:

Callback ({"username": "xray"}); callback ({"data": {username: "xray"}); / * aa*/ window.cb & & window.cb ({"username": "xray"}) callback ([{"info": {"username": "array"}]) cb ('{"username": "xray"}') a = {"username": "xray"}; cb ({"s": a}) 0x03 JSONP vulnerability Mining

Master Koalr's sharing is very good, https://koalr.me/post/a-tour-of-xray/.

When manually mining JSONP vulnerabilities, it is mainly divided into the following steps:

Find the jsonp interface

Check whether the response contains sensitive information

Go around the referer

When doing automated mining, we should mainly consider the following issues:

Excellent crawler (using crawlergo)

Sift out js resources: it can be judged by content-type. Refer to chrome. Https://github.com/chromium/chromium/blob/fc262dcd403c74cf3e22896f32d9723ba463f0b6/third_party/blink/common/mime_util/mime_util.cc#L42

Const char* const kSupportedJavascriptTypes [] = {"application/ecmascript", "application/javascript", "application/x-ecmascript", "application/x-javascript", "text/ecmascript", "text/javascript", "text/javascript1.0", "text/javascript1.1", "text/javascript1.2", "text/javascript1.3", "text/javascript1.4", "text/javascript1.5", "text/jscript" "text/livescript", "text/x-ecmascript", "text/x-javascript",}

Parse js type resources and check whether each key in query satisfies the characteristics of jsonp. Regular Dafa is good:

(M) (I) (callback) | (jsonp) | (^ cb$) | (function)

The referer is configured in the same domain and requests the js to get a response.

Parse the JSONP response into AST, and the JSONP vulnerability can be determined if the generated AST meets the following conditions.

1. Callee.Name = = callback function name

2. Check for sensitive information: recursively traverse the AST to get the key and value, whether it satisfies the regular (? M) (? I) (uid) | (userid) | (user_id) | (nin) | (name) | (username) | (nick), and the value is not empty

Request again after replacing Referer, revalidating step 5.

How 0x04 tools are used

The above logic is realized through golang: https://github.com/jweny/check_jsonp_based_on_ast

This component does not provide a separate crawler, it must be used in conjunction with the crawler (recommended crawlergo), and the js resources of the crawler can be tested directly with the tool.

A vulnerability environment for jsonp is provided in the project, if you need to pick it up.

Input parameter: js uri

Return: whether there are vulnerabilities (Bool type, true for vulnerabilities), err

Example:

Result, err: = CheckSenseJsonp ("after reading the above, http://127.0.0.1/jsonp_env/getUser.php?id=1&jsoncallback=callbackFunction"), have you mastered the method of automatic mining of JSONP hijacking based on AST? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.