3. Anti-hijacking
When it comes to hijacking, we must also talk about anti-hijacking. If you want to write a robust XSS payload, you need to take anti-hijacking into account. There are two problems to solve:
How do you determine whether a function has been hijacked?
If you find that it has been hijacked, how do you counter the hijack?
1. Determining whether a function has been hijacked is easy. Write a small program to compare a function before and after it has been hooked:
The code is as follows:
<textarea id="tb1" cols="80" rows="8"></textarea>
<script type="text/javascript">
<!--
// Show the native eval first, then hook it and show the replacement.
document.getElementById("tb1").value = eval + "\n";
var _eval = eval;
eval = function(s) {
    alert(s);
    _eval(s);
}
document.getElementById("tb1").value += eval;
//-->
</script>
Result:
function eval() {
[native code]
}
function(s) {
alert(s);
_eval(s);
}
We find that built-in functions print as [native code], while custom ones print their full definition. This feature gives a simple test for whether a function has been hijacked:
// Returns true when proc no longer looks like a native built-in.
function checkHook(proc) {
    if (proc.toString().indexOf("[native code]") > 0) {
        return false;
    } else {
        return true;
    }
}
2. For counter-hijacking, the first idea is to restore the hijacked function. If the hijacker saved the original function in some variable, that is easy: just call the original directly. But if the hijacker did not keep a copy, the only option is to create a new environment and use the clean functions from that environment to restore the hooked ones here. How do you create a new environment? A brand-new iframe is exactly that: inside it is a clean environment. OK, let's do it:
The code is as follows:
function unHook(proc) {
    // Create a hidden iframe: a brand-new window whose built-ins are untouched.
    var f = document.createElement("iframe");
    f.style.border = "0";
    f.style.width = "0";
    f.style.height = "0";
    document.body.appendChild(f);
    var d = f.contentWindow.document;
    // Inside the iframe escape is still native; copy it back into the parent window.
    // (proc is not used here: this version restores escape specifically.)
    d.write("<script type=\"text/javascript\">parent.escape = escape;<\/script>");
    d.close();
}
Combining sections 1 and 2, the complete test code is as follows:
<script type="text/javascript">
<!--
// Simulated hijack: escape is replaced by a function that returns its input unchanged.
escape = function(s) {
    return s;
}
//-->
</script>
<html>
<body>
<input type="button" onclick="javascript: test();" value="test" />
<script type="text/javascript">
<!--
function test() {
    alert(escape("s y"));   // hooked: shows "s y"
    if (checkHook(escape)) {
        unHook(escape);
    }
    alert(escape("s y"));   // restored: shows "s%20y"
}
// Returns true when proc no longer looks like a native built-in.
function checkHook(proc) {
    if (proc.toString().indexOf("[native code]") > 0) {
        return false;
    } else {
        return true;
    }
}
function unHook(proc) {
    // Hidden iframe: a brand-new window whose built-ins are untouched.
    var f = document.createElement("iframe");
    f.style.border = "0";
    f.style.width = "0";
    f.style.height = "0";
    document.body.appendChild(f);
    var d = f.contentWindow.document;
    // Copy the iframe's native escape back into the parent window.
    d.write("<script type=\"text/javascript\">parent.escape = escape;<\/script>");
    d.close();
}
//-->
</script>
</body>
</html>
3. Haven't both of the problems above been solved? Why is there a Section 3? Because that is not the best solution. Since we can create a brand-new iframe anyway, why not put the code directly into that iframe and execute it there? Doing so is clean and tidy: you don't have to worry about hooks in the current context, you don't need to modify the current context, and it does not interfere with the page's own execution. Here are two general-purpose helper functions:
The code is as follows:
// Create a hidden iframe under window w and return it.
function createIframe(w) {
    var d = w.document;
    var newIframe = d.createElement("iframe");
    newIframe.style.width = 0;
    newIframe.style.height = 0;
    d.body.appendChild(newIframe);
    newIframe.contentWindow.document.write("<html><body></body></html>");
    return newIframe;
}
// Write proc into iframe f as a self-invoking script, so it runs with the iframe's clean built-ins.
function injectScriptIntoIframe(f, proc) {
    var d = f.contentWindow.document;
    var s = "<script>\n(" + proc.toString() + ")();\n</script>";
    d.write(s);
}
Wrap your payload in a function, then call these two methods to execute it in the iframe:
function payload() {
// your code goes here
}
var f = createIframe(top);
injectScriptIntoIframe(f, payload);
4. Finally
Since few articles in China mention this, I compiled this article, hoping to draw attention to the topic. Given my limited level, there are bound to be mistakes, omissions, or things I have not explained clearly. You are welcome to discuss them with me.
There are also some people I have to thank. Thank you, Jianxin, for your unreserved sharing. Thank you, Heiguo, for encouraging me many times to write my experiences down. Thanks to all the friends of Phantom and the friends in the group who often chat nonsense together.
As an aside: friends who cannot reach the Phantom blog can add a hosts entry to get through:
72.14.219.190