Response中所隐藏的杀机---揭秘响应中所存在的脆弱点
Response中所隐藏的杀机---揭秘响应中所存在的脆弱点
声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由用户承担全部法律及连带责任,文章作者不承担任何法律及连带责任。
正文
尝试注入Origin Header,例如: Origin: http://me.com,如果Response中包含Access-Control -Allow-Origin: http://me.com和Access-Control- allow - credentials: True,则有CORS
GET /getInfo HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: http://me.com
尝试注入Origin Header,例如: http://company.com.me.com,http://Acompany.com,http://companyAcom,http://company.comA和null获得CORS
GET /getInfo HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: http://company.com.me.com
3.尝试注入带有特殊字符的Origin Header,例如
& ' ";!$ ^ * ( ) + = ` ~ - _ = | { } % 还有: %01-08 , %0b , %0c , %0e , %0f , %10-%1f 以及 %7f
GET /getInfo HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: http://me.com`.company.com
4.尝试注入Origin Header,例如:http://me.com,如果响应包含Access-Control-Allow-Origin: *和Cache-Control:no-cache尝试使用如下POC:
<html>
<script>
var url = "https://www.company.com/getInfo"; fetch(url, {
method: 'GET', cache: 'force-cache' });
</script>
</html>
5.尝试使用Web缓存欺骗攻击,添加静态文件,例如nonexist .css或logo.png到接口去缓存敏感响应
GET /getInfo/nonexistent.css HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
6.尝试添加jsonp 或者回调,例如 http://company.com/getInfo?jsonp=function ,保证可以读取响应
7.尝试在响应头中找出:在HTTP/1.1 Response中是否有 Cache-Control: no-cache或者Pragma: no-cache
HTTP/1.1 200 OK
Content-Length: Number
Cache-Control: no-cache , no-store , must-revalidate
Content-Type: application/json
{
"phone" : "01*********", "token" : "*************"
}
响应中是否存在 X-Frame-Option Header(不得不承认google在给赏金方面很大方)
HTTP/1.1 200 OK
Content-Length: Number
X-Frame-Option: SAMEORIGIN
Content-Type: application/json
{
"phone" : "01*********", "token" : "*************"
}
9.尝试找出,有是否有 postMessage 的API,比如window.postMessage(“text”,“*”);或addEventListener(“message” function(message){message.origin});
复现步骤(这种漏洞往往赏金很高,fb给出的赏金往往好几万美金一个,读者可以根据我后面提供的最后参考可以深入研究):
跳转至 http://company.com/getInfo右击,查看 View Page Source 搜索 postMessage With * addEventListener With Argument-Function.origin
参考
https://hackerone.com/reports/629892
https://hackerone.com/reports/688567
https://medium.com/@saamux/full-account-takeover-through-cors-with-connection-sockets-179133384815 (IDOR+CORS)
https://www.youtube.com/watch?v=wgkj4ZgxI4c
https://infosecwriteups.com/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397
https://hackerone.com/reports/761726
https://hackerone.com/reports/260697
https://hackerone.com/reports/397508
https://hackerone.com/reports/118631
https://wiki.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)#How_to_Test
https://medium.com/@osamaavvan/1800-worth-clickjacking-1f92e79d0414
https://medium.com/@raushanraj_65039/google-clickjacking-6a04132b918a
https://vinothkumar.me/