
XSS browser JS execution with website accessed through iFrame Proxy solution

I have a question on XSS on a website accessed through an iframe proxy solution... bypassing the corporate proxy and executing code in the victim's browser.

This is part of a security test process.

  • I'm on the LAN of a company, which uses a corporate proxy (obviously) [named corporate.proxy below].

  • To illustrate security phishing campaigns and XSS I need to find a way to illustrate the lack of security filtering on the proxy side (I know the vuln needs to be corrected on the server side, but as a company you don't always choose which websites your users go to.. :)

  • I put a PHP proxy to navigate in an iFrame on my server outside, on the internet [named my.outsideserver.com below] (something like miniproxy). The URL of my miniproxy in my test is: h**p://my.outsideserver.com/miniproxy.php

  • If a traditionally blocked webpage (youpr0n) is accessed this time by going from internal to this URL: h**p://my.outsideserver.com/miniproxy.php?url=youpr0n.com ==> I access the website...

Now my question: if a website is vulnerable to XSS [named xss.vulnwebsite.com below] here: h**p://xss.vulnwebsite.com?q= NB: imagine the website is youpr0n..

I can create a link like this: h**p://my.outsideserver.com/miniproxy.php?url=h**p://xss.vulnwebsite.com?q=

and send this link to a company's victim in a phishing campaign. If the victim clicks on the link, I see 2 vulnerabilities there:

1) The first one is the proxy filtering bypass ---> the user from the company goes to a website which is normally blocked and is now accessible..

2) The real website (youpr0n) has an XSS, and leveraging this XSS, code is executed in the victim's browser. NB: I know that because of the Same Origin Policy, the content loaded in an iFrame won't be able to be read (if vuln to XSS)...but..

Here's my question: the code is executed in the victim's browser.. The SOP (Same Origin Policy) will protect any user from having the content on youpr0n (his session cookies, e.g.) read by the attacker, but NOT protect his browser!!

If I send this link: h**p://my.outsideserver.com/miniproxy.php?url=h**p://xss.vulnwebsite.com?q=alert(1) I successfully see the popup displaying "1" in my browser. At the moment, the only browser protection is the browser's XSS filtering mechanism (?). Corporate proxy mechanisms are bypassed (correct? /0)

  • What do you think about all of that? It's crap I'm sure (or not), don't blame me...
  • What are the mitigations (except telling users not to click shit..) for corporate proxies... are there dynamic security content filtering solutions working....?

My point is to illustrate the risks; imagine I send phishing links by mail, spamming thousands of corporate users. The email subject is "Access any website from your company" by using our free proxy mechanism... You can see pr0n at work!!!!!

Then users will surely click on the link (I would) :D

Thanks for your answers: do you agree that code can be executed in the victim's browser? Do you agree on the proxy filtering bypass? What are the solutions (for the company...)?

A proxy like Miniproxy is acting as an HTTP client and displaying HTTP responses on http://my.outsideserver.com/miniproxy.php; the SOP is enforced by the browser. Therefore the browser treats all JavaScript displayed on http://my.outsideserver.com/miniproxy.php as originating from that source, regardless of where the miniproxy is obtaining the content.

In short, this is not an SOP abuse. Corporate firewalls are easy to bypass, but that is well known.

I recommend picking up a copy of "The Tangled Web" and reading the Google Browser Security Handbook.
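As an added example, not code from the original question or answer, the following Node.js script models the chain the answer describes without any network access: a link is built the way the question builds it, a stand-in for miniproxy.php fetches the target and returns the body as its own page, and a crude "browser" reports the origin under which the reflected script would run. It also contrasts a URL filter that only checks the requested host (what the question bypasses) with one that unwraps URLs carried in query parameters, which is the kind of check the question asks about. The hostnames are the placeholders from the question; the reflecting upstream page, the fetcher hook, the filter functions and the blocklist are constructed for illustration, and the real miniproxy's handling of scheme-less targets is assumed rather than modelled.

```javascript
// Added example (not code from the original post): an offline model of the
// proxy chain described above. No network is used; the "vulnerable site" is a
// constructed stand-in that reflects ?q= unescaped, and the hostnames are the
// placeholders from the question.
const PROXY_ORIGIN = "http://my.outsideserver.com";
const PROXY_PATH = "/miniproxy.php";

// Constructed upstream page: reflects the q parameter into HTML without
// escaping, which is the XSS the question assumes on xss.vulnwebsite.com.
function vulnerableSite(url) {
  const q = url.searchParams.get("q") ?? "";
  return `<html><body><p>Results for ${q}</p></body></html>`;
}

// Minimal model of miniproxy.php: read ?url=, fetch it through the injected
// fetcher, and hand the body back as the proxy's own page. Assumes the target
// carries a scheme; whatever the real miniproxy does for scheme-less targets
// is not modelled here.
function miniproxy(requestUrl, fetchUpstream) {
  const req = new URL(requestUrl);
  const target = req.searchParams.get("url");
  if (target === null) {
    return { origin: req.origin, upstream: null, body: "missing url parameter" };
  }
  const upstreamUrl = new URL(target);
  return { origin: req.origin, upstream: upstreamUrl.origin, body: fetchUpstream(upstreamUrl) };
}

// Build the link from the question. URLSearchParams percent-encodes the
// payload once for the inner ?q= and once more when the inner URL is placed
// in the outer ?url=, so the proxy recovers the payload intact.
function buildPhishingLink(targetBase, payload) {
  const inner = new URL(targetBase);
  inner.searchParams.set("q", payload);
  const outer = new URL(PROXY_PATH, PROXY_ORIGIN);
  outer.searchParams.set("url", inner.toString());
  return outer.toString();
}

// Crude stand-in for the browser: each inline script in the response runs
// under the origin of the page that delivered it, which here is the proxy's.
// That origin, not the upstream one, is whose cookies document.cookie shows.
function scriptsExecutedBy(response) {
  const re = /<script>(.*?)<\/script>/gs;
  return [...response.body.matchAll(re)].map((m) => ({
    code: m[1],
    runsAs: response.origin,
    sameOriginAsUpstream: response.origin === response.upstream,
  }));
}

// Corporate-side check (constructed). A filter that only looks at the
// requested host is what the question bypasses; one that also unwraps URLs
// carried in query parameters sees the blocked host inside the proxy link.
const BLOCKED_HOSTS = new Set(["xss.vulnwebsite.com", "youpr0n.com"]);

function naiveFilterBlocks(link) {
  return BLOCKED_HOSTS.has(new URL(link).hostname);
}

// Accept both "http://host/..." and scheme-less "host" values, since the
// question's own example passes url=youpr0n.com without a scheme.
function parseUrlLoosely(value) {
  for (const candidate of [value, "http://" + value]) {
    try {
      const u = new URL(candidate);
      if (u.protocol === "http:" || u.protocol === "https:") return u;
    } catch {
      // not a URL in this form, try the next candidate
    }
  }
  return null;
}

function nestedHosts(value, depth = 0) {
  const u = parseUrlLoosely(value);
  if (u === null) return [];
  const hosts = [u.hostname];
  if (depth < 5) { // bound recursion on url=url=url=... chains
    for (const v of u.searchParams.values()) hosts.push(...nestedHosts(v, depth + 1));
  }
  return hosts;
}

function unwrappingFilterBlocks(link) {
  return nestedHosts(link).some((h) => BLOCKED_HOSTS.has(h));
}

// Walk the chain once so the script prints something when run directly.
const demoLink = buildPhishingLink("http://xss.vulnwebsite.com/", "<script>alert(1)</script>");
const demoResponse = miniproxy(demoLink, vulnerableSite);
console.log("phishing link:       ", demoLink);
console.log("page origin:         ", demoResponse.origin);
console.log("upstream origin:     ", demoResponse.upstream);
console.log("scripts executed:    ", scriptsExecutedBy(demoResponse));
console.log("naive filter blocks: ", naiveFilterBlocks(demoLink));
console.log("unwrapping blocks:   ", unwrappingFilterBlocks(demoLink));
```

Run it with `node` and note two things: the reflected `alert(1)` runs as `http://my.outsideserver.com`, the proxy's origin, exactly as the answer states, so the SOP shields xss.vulnwebsite.com's cookies but does nothing about the script running in the victim's browser; and the host-only blocklist passes the link while the unwrapping check catches both the XSS host and the scheme-less `url=youpr0n.com` form. The loose parser will also turn innocent parameter values into hostnames, so a production filter would want an allowlist of parameter names or a domain-category lookup rather than this bare blocklist.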

