Shulou(Shulou.com)05/31 Report--

How to mine the XSS of the YouPorn website and use it successfully, many novices are not very clear about this. In order to help you solve this problem, the following editor will explain it in detail. People with this need can come and learn. I hope you can get something.

From lack of filtering to open redirection

I launched the browser and Burp and sent a request on the search form. I searched foobar. As you can see in the screenshot below, the search term is output in the meta tag without any filtering (except for uppercase letters):

But when we tried to write the close tag and added Javascript payload, we found that our payload was not executed:

Even so, we decided to use the meta HTML tag. This is a very powerful tag because it contains http-equiv instructions. This directive is equivalent to the header function of http.

The http-equiv directive sets the value to refresh, which can be used to redirect the user to another page. This open redirection vulnerability is very useful if a phishing attack occurs:

You send someone a link to http://youporn.com

Your payload redirects them to the website you control, mimicking YouPorn's CSS

You ask for their credentials, their credit card numbers, etc.

Send a http://youporn.com link with your payload to the target

The payload redirects the target user to the high imitation YouPorn phishing site you control.

Ask the target user for credentials, credit card number, etc.

We entered the following payload for vulnerability testing:

As you can see, there is a small problem: the dash in http-equiv is not inserted into the source code. I decided to use double coding to try to bypass. First I did the HTML code for the dash, and then I did the URL code for it.

Dash, -, HTML encoded to & # 45, URL encoded to% 26% 2345% 3b:

Bingo! Now we have successfully obtained a payload that can redirect the user URL.

Mark as duplicate

At the same time, when I found out and immediately informed YouPorn, I received the following reply from YouPorn:

In fact, the loophole you reported has been submitted before you. But the submitter failed to provide valid proof of utilization, so I can only mark it as duplicate currently. But the door of opportunity will be open to you, if you can provide the payload, we will be happy to accept and provide you with the corresponding reward!

Thank you!

From Open Redirection to reflective XSS

Now that we have one in hand, we can redirect the user's URL payload.

An idea suddenly occurred to me, so can we use the same technique to replace the dash with > and

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.