Response中所隐藏的杀机-揭秘响应中所存在的脆弱点

Response中所隐藏的杀机---揭秘响应中所存在的脆弱点

声明：文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任。

正文

1. 尝试注入Origin Header,例如:Origin: http://me.com，如果Response中包含Access-Control -Allow-Origin: http://me.com和Access-Control- allow - credentials: True，则有CORS

GET /getInfo HTTP/1.1
Host: www.company.com 
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: http://me.com

2. 尝试注入Origin Header,例如: http://company.com.me.com, http://Acompany.com, http://companyAcom, http://company.comA和null获得CORS

GET /getInfo HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: http://company.com.me.com

3.尝试注入带有特殊字符的Origin Header,例如

& ' ";！$ ^ * ( ) + = ` ~ - _ = | { } % 还有: %01-08 , %0b , %0c , %0e , %0f , %10-%1f 以及 %7f

GET /getInfo HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: http://me.com`.company.com

4.尝试注入Origin Header，例如:http://me.com，如果响应包含Access-Control-Allow-Origin: *和Cache-Control:no-cache尝试使用如下POC:

 
<html>
<script>
var url = "https://www.company.com/getInfo"; fetch(url, {
method: 'GET', cache: 'force-cache' });
</script>
 </html>

5.尝试使用Web缓存欺骗攻击，添加静态文件，例如nonexist .css或logo.png到接口去缓存敏感响应

GET /getInfo/nonexistent.css HTTP/1.1 
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path 
Origin: https://www.company.com

6.尝试添加jsonp 或者回调，例如 http://company.com/getInfo?jsonp=function ，保证可以读取响应

7.尝试在响应头中找出:在HTTP/1.1 Response中是否有 Cache-Control: no-cache或者Pragma: no-cache

 
HTTP/1.1 200 OK
Content-Length: Number
Cache-Control: no-cache , no-store , must-revalidate 
Content-Type: application/json
{
"phone" : "01*********", "token" : "*************"
}

8. 响应中是否存在X-Frame-Option Header(不得不承认google在给赏金方面很大方)

HTTP/1.1 200 OK
Content-Length: Number 
X-Frame-Option: SAMEORIGIN 
Content-Type: application/json
{
"phone" : "01*********", "token" : "*************"
}

9.尝试找出，有是否有 postMessage 的API，比如window.postMessage(“text”,“*”);或addEventListener(“message” function(message){message.origin});

复现步骤(这种漏洞往往赏金很高,fb给出的赏金往往好几万美金一个,读者可以根据我后面提供的最后参考可以深入研究):

• 跳转至http://company.com/getInfo
• 右击,查看 View Page Source
• 搜索postMessage With * addEventListener With Argument-Function.origin

参考

https://hackerone.com/reports/629892

https://hackerone.com/reports/688567

https://medium.com/@saamux/full-account-takeover-through-cors-with-connection-sockets-179133384815  (IDOR+CORS)

https://infosecwriteups.com/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397

https://hackerone.com/reports/761726

https://hackerone.com/reports/260697

https://hackerone.com/reports/397508

https://hackerone.com/reports/118631

https://wiki.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)#How_to_Test

https://medium.com/@osamaavvan/1800-worth-clickjacking-1f92e79d0414

https://medium.com/@raushanraj_65039/google-clickjacking-6a04132b918a

https://vinothkumar.me/