HTMLencode解決QQ空間缺陷導(dǎo)致日志存儲型XSS

在這個系列的第一個漏洞時，由于2個缺陷點距離不遠(yuǎn)，當(dāng)時就已經(jīng)發(fā)現(xiàn)了這個問題，想著騰訊可能對第一個漏洞采用某些方式修復(fù)；如果是用 json.parse的方式修復(fù)，那么這第2個問題應(yīng)該會依然存在，如我所料，于是。。。

1. 接著看這個系列的第一個漏洞（content_gridsblog.js）中那部分的代碼。

騰訊為了修復(fù)這個漏洞，采用了更為安全的JSON.parse函數(shù)作為修復(fù)方案。這種修復(fù)是沒有問題的。

其它有類似缺陷的網(wǎng)站可以參考騰訊的修復(fù)方案。

2. 但實際上，在這段代碼下方的不遠(yuǎn)處，還存在著另外一處缺陷，如下圖所示：

可以看到， oGridInfo為 JSON.parse解析出來的一個[Object]

而 oGridInfo.templateName 取出來后，沒有經(jīng)過任何過濾，就傳入到了 innerHTML 中。

而從抓包的數(shù)據(jù)來看，json數(shù)據(jù)里的templateName 我們是可控的，那么這里就顯然存在問題啦～

3. 修改日志數(shù)據(jù)包中的templateName，并發(fā)送。

{"g0":{"visible":1,"id":0,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"?????????"},"g5":{"visible":1,"id":5,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"2012?????????"},"g1":{"visible":1,"id":1,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????"},"templateName":"","g4":{"visible":1,"id":4,"content":{"mood":"","image":"","date":"2013-03-20&1","text":""},"type":0,"title":"???? 2013-3-20"},"g7":{"visible":1,"id":7,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"??????????"},"version":"1.2","g2":{"visible":1,"id":2,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"??????"},"bgItem":{"bgId":"130","bgURL":"/qzone/newblog/v5/flashassets/bg130.swf?bgver=1.0&max_age=31104000","gridcolor":"0xF06368","alpha":1,"align":"right","wordcolor":"0xFFFFFF"},"tempId":56,"g8":{"visible":1,"id":8,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????????"},"g6":{"visible":1,"id":6,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????????"},"g3":{"visible":1,"id":3,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"2012?????????"}}

4. 用另外一個號，查看已經(jīng)發(fā)表的日志。 成功彈出啦。

由于代碼邏輯上，只有他人查看日志時，才會觸發(fā)此段代碼，故測試時，請以第三者身份查看包含缺陷代碼的日志

修復(fù)方案：

oGridInfo.templateName取出后，HTMLencode一下。