Response中所隐藏的杀机—响应中所存在的脆弱点

声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由用户承担全部法律及连带责任,文章作者不承担任何法律及连带责任。

本文选自本人公众号: growing0101

正文

  1. 尝试注入Origin Header,例如:Origin: http://me.com,如果Response中包含Access-Control -Allow-Origin: http://me.comAccess-Control- allow - credentials: True,则有CORS
GET /getInfo HTTP/1.1
Host: www.company.com 
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: http://me.com
  1. 尝试注入Origin Header,例如: http://company.com.me.com, http://Acompany.com, http://companyAcom, http://company.comAnull获得CORS
GET /getInfo HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: http://company.com.me.com

3.尝试注入带有特殊字符的Origin Header,例如

& ‘ “;! $ ^ * ( ) + = ` ~ – _ = | { } % 还有:
%01-08 , %0b , %0c , %0e , %0f , %10-%1f 以及 %7f

GET /getInfo HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: http://me.com`.company.com

4.尝试注入Origin Header,例如:http://me.com,如果响应包含Access-Control-Allow-Origin: *Cache-Control:no-cache尝试使用如下POC:

 
<html>
<script>
var url = "https://www.company.com/getInfo"; fetch(url, {
method: 'GET', cache: 'force-cache' });
</script>
 </html>

5.尝试使用Web缓存欺骗攻击,添加静态文件,例如nonexist .css或logo.png到接口去缓存敏感响应

GET /getInfo/nonexistent.css HTTP/1.1 
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: https://www.company.com

6.尝试添加jsonp 或者回调,例如 http://company.com/getInfo?jsonp=function ,保证可以读取响应

7.尝试在响应投中找出:在HTTP/1.1 Response中是否有 Cache-Control: no-cache或者Pragma: no-cache

 
HTTP/1.1 200 OK
Content-Length: Number
Cache-Control: no-cache , no-store , must-revalidate 
Content-Type: application/json
{
"phone" : "01*********", "token" : "*************"
}
  1. 响应中是否存在X-Frame-Option Header(不得不承认google在给赏金方面很大方)
HTTP/1.1 200 OK
Content-Length: Number 
X-Frame-Option: SAMEORIGIN 
Content-Type: application/json
{
"phone" : "01*********", "token" : "*************"
}

9.尝试找出,有是否有 postMessage 的API,比如window.postMessage(“text”,“*”);addEventListener(“message” function(message){message.origin});

复现步骤(这种漏洞往往赏金很高,fb给出的赏金往往好几万美金一个,读者可以根据我后面提供的最后参考可以深入研究):

  • 跳转至http://company.com/getInfo
  • 右击,查看 View Page Source
  • 搜索postMessage With * addEventListener With Argument-Function.origin

更多精彩内容请关注公众号 growing0101

参考

https://hackerone.com/reports/629892

https://hackerone.com/reports/688567

https://medium.com/@saamux/full-account-takeover-through-cors-with-connection-sockets-179133384815 (IDOR+CORS)

https://www.youtube.com/watch?v=wgkj4ZgxI4c

https://infosecwriteups.com/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397

https://hackerone.com/reports/761726

https://hackerone.com/reports/260697

https://hackerone.com/reports/397508

https://hackerone.com/reports/118631

https://wiki.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)#How_to_Test

https://medium.com/@osamaavvan/1800-worth-clickjacking-1f92e79d0414

https://medium.com/@raushanraj_65039/google-clickjacking-6a04132b918a

https://vinothkumar.me/

原文地址:http://www.cnblogs.com/richard1230/p/16843887.html

1. 本站所有资源来源于用户上传和网络,如有侵权请邮件联系站长! 2. 分享目的仅供大家学习和交流,请务用于商业用途! 3. 如果你也有好源码或者教程,可以到用户中心发布,分享有积分奖励和额外收入! 4. 本站提供的源码、模板、插件等等其他资源,都不包含技术服务请大家谅解! 5. 如有链接无法下载、失效或广告,请联系管理员处理! 6. 本站资源售价只是赞助,收取费用仅维持本站的日常运营所需! 7. 如遇到加密压缩包,默认解压密码为"gltf",如遇到无法解压的请联系管理员! 8. 因为资源和程序源码均为可复制品,所以不支持任何理由的退款兑现,请斟酌后支付下载 声明:如果标题没有注明"已测试"或者"测试可用"等字样的资源源码均未经过站长测试.特别注意没有标注的源码不保证任何可用性