Analysis of using jsonp cross domain vulnerability and XSS vulnerability in honeypot

One 、 Preface

When we played the red team , I often encounter honeypots , And some more “ Active defense ” Some cross domain vulnerabilities and xss, Make a simple analysis of this .

Two 、 The concept of honeypot

Honeypot is mainly through the arrangement of bait , Entice the attacker to attack , Then capture through traffic 、 Behavioral analysis, etc. on the attacker's portrait and trace the source .

for example HFish Honeypot , It belongs to the honey pot of high intercourse , By capturing attacker behavior , Get attacker attack data 、IP Address, etc , However, it is far from enough to obtain these data for the attacker's portrait , and HFish It also provides customization web Deployment of Honeypot , Simply analyze the two honeypots you encounter .

The following are screenshots of two honeypots encountered in the red team and vulnerability mining .

Why is it “ Active defense ” Well ？

When the attacker visits the page ,JS Automatically , Send requests to many of our favorite websites , These requests take advantage of many websites jsonp Cross domain vulnerabilities and xss Loophole , Get COOKIE、 user name 、 Mobile phone number and other information , So as to trace the source of the attacker , And the attacker just visits this page , So it's “ Active defense ”.

3、 ... and 、jsonp Cross domain

jsonp Cross domain vulnerabilities are similar to CSRF Loophole , Some are also called read type CSRF Loophole , You can get some user names of website users 、 Mobile phone number and other sensitive data , If you are not familiar with this vulnerability, you can baidu by yourself ~

Here are some uses in the honey pot jsonp Screenshot of data package with cross domain vulnerability .

If you have logged in to the website and have cookie There is , You can often return the user name 、 Phone number data .

Four 、xss Loophole

xss Vulnerabilities are basically eval(name), I think there are some problems with the honeypot configuration , see js code , Is all added to one iframe In the label , Then set the iframe In the label name The variable is a string js Code , And here it is eval(name), In my understanding, it should be preset js Code , Set up name Variable , Then execute the string js Code .（P.S. JS I know a little about the code , This paragraph may be misunderstood and analyzed , I won't go into it .）

jsonp Improper configuration will also occur xss, Here's the picture ：

There are also direct xss, For example, this csdn Of （csdn The size of is a little heavier ）

Blog park xss（ Duplicate code ）

I believe these two websites are engaged in IT It should be used by most people , Honeypots exploit the loopholes of such websites , You can also easily get the attacker's user name 、 Mobile phone number and other information .

Sum up , The so-called active defense honeypot , As long as the attacker uses the browser to access , And there is a website that exploits the vulnerability of honeypot configuration to obtain user information in the browser cache COOKIE, Then the honey pot can be used jsonp perhaps xss Vulnerability to obtain the attacker's personal information , With a name 、ID、 After the mobile phone number and other information , Tracing the source of the red team has also become easier .

5、 ... and 、 Reverse honeypot

The honeypot is also a system , There are also some loopholes , for example HFish Honeypot once had unauthorized access to information vulnerabilities and storage XSS Loophole , The magic array honeypot of mo'an technology also had an unauthorized access vulnerability , Take advantage of the loopholes in the honeypot itself to reverse the honeypot .

Honey pot my research is not deep , More ideas depend on the free play of teachers , You can still try it when you encounter it XSS And other loopholes .

6、 ... and 、 How to defend the honeypot

If these honeypots are commercial , Many interfaces are the same , For example, the second picture in this article , But there are also user-defined interfaces , So I think it is troublesome to prevent honeypots through features , And cannot be completely prevented .

7、 ... and 、 Precautions

1、 If you have code ability , You can write browser plug-ins or burp plug-in unit , Detected that the packet contains callback、jsonp Wait for keywords , Intercept and let the user confirm .

2、 Browsers use noscript Plug-ins can find potential xss threat , It can be found that partial utilization xss Loophole honeypot .