- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Hunting for SOP Bypasses
Let’s start hunting for SOP bypass vulnerabilities by using what you’ve learned! SOP bypass vulnerabilities are caused by the faulty implementation of SOP relaxation techniques. So the first thing you need to do is to determine whether the target application relaxes the SOP in any way.
让我们利用所学知识开始寻找 SOP 绕过漏洞!SOP 绕过漏洞是由 SOP 松弛技术错误实现引起的。因此,你需要做的第一件事就是确定目标应用程序是否以任何方式放松了 SOP。
Step 1: Determine If SOP Relaxation Techniques Are Used
You can determine whether the target is using an SOP-relaxation technique by looking for the signatures of each SOP-relaxation technique. When you’re browsing a web application, open your proxy and look for any signs of cross-origin communication. For example, CORS sites will often return HTTP responses that contain an Access-Control-Allow-Origin header. A site could be using postMessage() if you inspect a page (for example, by right-clicking it in Chrome and choosing Inspect , then navigating to Event Listeners ) and find a message event listener ( Figure 19-1 ).
你可以通过查找每种 SOP 松弛技术的特征来确定目标是否使用 SOP 松弛技术。当你浏览一个网页应用程序时,请打开代理并查找任何跨域通信的迹象。例如,CORS 网站通常会返回包含 Access-Control-Allow-Origin 头的 HTTP 响应。如果你检查一个页面(例如,在 Chrome 中右键单击它并选择检查,然后导航到事件监听器),并找到一个消息事件监听器(图 19-1),那么这个网站可能正在使用 postMessage()。
And a site could be using JSONP if you see a URL being loaded in a <script> tag with a callback function:
如果您看到一个带有回调函数的<script>标记中加载的 URL,则网站可能正在使用 JSONP:
<script src="https://a.example.com/user_info?callback=parseinfo"></script>
<script src="https://a.example.com/user_info?jsonp=parseinfo"></script>If you see clues of cross-origin communication, try the techniques mentioned in this chapter to see if you can bypass the SOP and steal sensitive info from the site!
如果您看到了跨域通信的线索,请尝试本章介绍的技术,看看是否可以绕过 SOP 并从该网站窃取敏感信息!
Figure 19-1 : Finding the event listeners of a page in the Chrome browser
图 19-1:在 Chrome 浏览器中查找页面的事件监听器。
Step 2: Find CORS Misconfiguration
If the site is using CORS, check whether the Access-Control-Allow-Origin response header is set to null .
如果该站点正在使用 CORS,请检查 Access-Control-Allow-Origin 响应头是否设置为 null。
Origin: nullIf not, send a request to the site with the origin header attacker.com , and see if the Access-Control-Allow-Origin in the response is set to attacker.com . (You can add an Origin header by intercepting the request and editing it in a proxy.)
如果没有设置,则向网站发送一个带有攻击者的来源头部(attacker.com)的请求,并查看响应中的 Access-Control-Allow-Origin 是否设置为 attacker.com。(您可以通过拦截请求并在代理中进行编辑来添加一个来源头部。)
Origin: attacker.comFinally, test whether the site properly validates the origin URL by submitting an Origin header that contains an allowed site, such as www.example.com.attacker.com . See if the Access-Control-Allow-Origin header returns the origin of the attacker’s domain.
最后,测试网站是否可以通过提交包含允许网站的 Origin 头来正确验证来源 URL,例如 www.example.com.attacker.com。查看 Access-Control-Allow-Origin 头是否返回攻击者域的来源。
Origin: www.example.com.attacker.comIf one of these Access-Control-Allow-Origin header values is returned, you have found a CORS misconfiguration. Attackers will be able to bypass the SOP and smuggle information offsite ( Figure 19-2 ).
如果返回其中任何一个"Access-Control-Allow-Origin"头部值,则说明存在 CORS 配置错误。攻击者可以绕过同源策略,窃取站外信息(图 19-2)。
Figure 19-2 : Is the site vulnerable to a CORS misconfiguration vulnerability?
图 19-2:该网站是否容易受到 CORS 配置错误漏洞的影响?
Step 3: Find postMessage Bugs
If the site is using postMessage , see if you can send or receive messages as an untrusted site. Create an HTML page with an iframe that frames the targeted page accepting messages. Try to send messages to that page that trigger a state-changing behavior. If the target cannot be framed, open it as a new window instead:
如果该网站使用 postMessage,请尝试作为不受信任的网站发送或接收消息。创建一个 HTML 页面,其中包含一个框架,框架是针对可接受消息的目标页面的。尝试向该页面发送消息以触发状态改变行为。如果无法对目标进行框架设置,请打开它作为新窗口:
var recipient_window = window.open("https://TARGET_URL", target_domain)
recipient_window.postMessage("RANDOM MESSAGE", "*");You can also create an HTML page that listens for events coming from the target page, and trigger the postMessage from the target site. See if you can receive sensitive data from the target page.
你还可以创建一个 HTML 页面,监听来自目标页面的事件,并从目标站点触发 postMessage。看看是否可以从目标页面接收敏感数据。
var sender_window = window.open("https://TARGET_URL", target_domain)
function parse_data(event) {
// Run some code if we receive data from the target
}
window.addEventListener("message", parse_data);Step 4: Find JSONP Issues
Finally, if the site is using JSONP, see if you can embed a script tag on your site and request the sensitive data wrapped in the JSONP payload:
如果该网站使用 JSONP,请尝试嵌入一个脚本标签到你的网站,并请求 JSONP 有效载荷中包含的敏感数据。
<script src="https://TARGET_URL?callback=parseinfo"></script>Step 5: Consider Mitigating Factors
When the target site does not rely on cookies for authentication, these SOP bypass misconfigurations might not be exploitable. For instance, when the site uses custom headers or secret request parameters to authenticate requests, you might need to find a way to forge those to exfiltrate sensitive data.
当目标网站不依赖于 cookie 进行身份验证时,这些 SOP 绕过错误配置可能无法利用。例如,当网站使用自定义标头或秘密请求参数来认证请求时,您可能需要找到一种方法来伪造这些内容以窃取敏感数据。
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论