{"id":885,"date":"2022-03-31T11:06:41","date_gmt":"2022-03-31T04:06:41","guid":{"rendered":"https:\/\/dt-corp.com.vn\/?p=885"},"modified":"2022-03-31T13:36:55","modified_gmt":"2022-03-31T06:36:55","slug":"cach-lay-cookie-xss-chua-mat-khau-bang-javascript","status":"publish","type":"post","link":"https:\/\/dt-corp.com.vn\/?p=885","title":{"rendered":"C\u00e1ch l\u1ea5y cookie XSS ch\u1ee9a m\u1eadt kh\u1ea9u b\u1eb1ng JavaScript"},"content":{"rendered":"

JAVASCRIPT L\u00c0 G\u00cc ?<\/p>\n

JavaScript<\/a>\u00a0l\u00e0 m\u1ed9t trong nh\u1eefng ng\u00f4n ng\u1eef ph\u1ed5 bi\u1ebfn nh\u1ea5t \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng tr\u00ean web. N\u00f3 c\u00f3 th\u1ec3 t\u1ef1 \u0111\u1ed9ng h\u00f3a v\u00e0 t\u1ea1o ho\u1ea1t \u1ea3nh cho c\u00e1c th\u00e0nh ph\u1ea7n c\u1ee7a trang web, qu\u1ea3n l\u00fd n\u1ed9i dung trang web v\u00e0 th\u1ef1c hi\u1ec7n nhi\u1ec1u ch\u1ee9c n\u0103ng h\u1eefu \u00edch kh\u00e1c b\u00ean trong trang web. JavaScript c\u0169ng c\u00f3 nhi\u1ec1u ch\u1ee9c n\u0103ng c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng cho c\u00e1c m\u1ee5c \u0111\u00edch x\u1ea5u, bao g\u1ed3m \u0111\u00e1nh c\u1eafp cookie XSS c\u1ee7a ng\u01b0\u1eddi d\u00f9ng c\u00f3 ch\u1ee9a m\u1eadt kh\u1ea9u v\u00e0 c\u00e1c th\u00f4ng tin kh\u00e1c.<\/p>\n

COOKIE L\u00c0 G\u00cc ?<\/p>\n

Cookie l\u00e0 th\u00f4ng tin m\u00e0 m\u1ed9t trang web y\u00eau c\u1ea7u ho\u1eb7c duy tr\u00ec li\u00ean quan \u0111\u1ebfn nh\u1eefng ng\u01b0\u1eddi d\u00f9ng c\u1ee5 th\u1ec3 truy c\u1eadp trang. C\u00e1c cookie n\u00e0y ch\u1ee9a th\u00f4ng tin v\u1ec1 c\u00e1ch th\u1ee9c v\u00e0 th\u1eddi \u0111i\u1ec3m h\u1ecd truy c\u1eadp, c\u0169ng nh\u01b0 th\u00f4ng tin x\u00e1c th\u1ef1c cho trang web nh\u01b0 t\u00ean ng\u01b0\u1eddi d\u00f9ng v\u00e0 m\u1eadt kh\u1ea9u. V\u00ec nh\u1eefng cookie n\u00e0y ph\u1ea3i \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng b\u1ea5t c\u1ee9 khi n\u00e0o kh\u00e1ch truy c\u1eadp m\u1ed9t trang web nh\u1ea5t \u0111\u1ecbnh, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 l\u1ea5y c\u1eafp th\u00f4ng tin n\u00e0y v\u00e0 s\u1eed d\u1ee5ng n\u00f3 \u0111\u1ec3 m\u1ea1o danh ho\u1eb7c l\u1eadp danh m\u1ee5c th\u00f4ng tin v\u1ec1 nh\u1eefng ng\u01b0\u1eddi d\u00f9ng c\u1ee5 th\u1ec3.<\/p>\n

+) B\u1ea1n c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng JavaScript \u0111\u1ec3 l\u01b0u ho\u1eb7c s\u1eeda \u0111\u1ed5i cookie c\u1ee7a ng\u01b0\u1eddi d\u00f9ng cho m\u1ed9t domain nh\u1ea5t \u0111\u1ecbnh. M\u1eb7c d\u00f9 \u0111i\u1ec1u n\u00e0y th\u01b0\u1eddng \u0111\u01b0\u1ee3c \u00e1p d\u1ee5ng \u0111\u1ec3 t\u1ea1o v\u00e0 s\u1eed d\u1ee5ng cookie \u0111\u1ec3 ph\u00e1t tri\u1ec3n c\u00e1c web t\u01b0\u01a1ng t\u00e1c, nh\u01b0ng n\u1ebfu k\u1ebb t\u1ea5n c\u00f4ng c\u0169ng c\u00f3 th\u1ec3 xem cookie nh\u01b0 v\u1eady, n\u00f3 s\u1ebd tr\u1edf th\u00e0nh m\u1ed9t k\u1ef9 thu\u1eadt hack r\u1ea5t \u0111\u00e1ng g\u1eddm. C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng d\u1ef1a tr\u00ean JavaScript \u0111\u1eb7c bi\u1ec7t hi\u1ec7u qu\u1ea3 khi \u0111\u01b0\u1ee3c k\u1ebft h\u1ee3p v\u1edbi c\u00e1c k\u1ef9 thu\u1eadt nh\u01b0 injection, v\u00ec n\u00f3 cho ph\u00e9p m\u00e3 \u0111\u1ed9c \u0111\u01b0\u1ee3c th\u1ef1c thi tr\u00ean nh\u1eefng trang web \u0111\u00e1ng tin c\u1eady.<\/p>\n

M\u1eb7c d\u00f9 m\u00ecnh kh\u00f4ng \u1ee7ng h\u1ed9 vi\u1ec7c \u0111\u00e1nh c\u1eafp m\u1eadt kh\u1ea9u c\u1ee7a b\u1ea5t k\u1ef3 ai, nh\u01b0ng b\u00e0i vi\u1ebft n\u00e0y l\u00e0 m\u1ed9t ki\u1ebfn th\u1ee9c c\u1ea7n bi\u1ebft \u0111\u1ed1i v\u1edbi b\u1ea5t k\u1ef3 pentester ho\u1eb7c chuy\u00ean gia b\u1ea3o m\u1eadt CNTT n\u00e0o. N\u1ebfu b\u1ea1n kh\u00f4ng bi\u1ebft c\u00e1c hacker m\u0169 \u0111en l\u00e0m vi\u1ec7c nh\u01b0 th\u1ebf n\u00e0o, b\u1ea1n s\u1ebd kh\u00f4ng bao gi\u1edd c\u00f3 th\u1ec3 b\u1eaft \u0111\u01b0\u1ee3c ch\u00fang.<\/p>\n

SAU \u0110\u00c2Y L\u00c0 C\u00c1C B\u01af\u01a0C VI\u00caT TOOL COOKIE XSS B\u1eb0NG JAVASCRIPT \u0110\u1ec2 L\u1ea4Y M\u1eacT KH\u1ea8U<\/p>\n

B\u01b0\u1edbc 1: T\u1ea1o m\u1ed9t trang HTML d\u00f9ng \u0111\u1ec3 test<\/h3>\n

\u0110\u1ec3 \u0103n c\u1eafp cookie, tr\u01b0\u1edbc ti\u00ean cookie ph\u1ea3i c\u00f3 s\u1eb5n tr\u00ean domain web m\u00e0 ng\u01b0\u1eddi d\u00f9ng \u0111ang xem. \u0110i\u1ec1u n\u00e0y x\u1ea3y ra b\u1ea5t c\u1ee9 khi n\u00e0o ng\u01b0\u1eddi d\u00f9ng xem trang web. M\u1eb7c d\u00f9 ho\u00e0n to\u00e0n c\u00f3 th\u1ec3 \u0111\u01b0a JavaScript v\u00e0o c\u00e1c trang web b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng c\u00e1ch t\u1ea5n c\u00f4ng man-in-the-middleho\u1eb7c b\u1eb1ng c\u00e1ch khai th\u00e1c m\u1ed9t trang web d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng, nh\u01b0ng c\u1ea3 hai \u0111i\u1ec1u n\u00e0y s\u1ebd c\u1ea7n th\u00eam nhi\u1ec1u n\u1ed7 l\u1ef1c \u0111\u1ec3 th\u1ef1c hi\u1ec7n.<\/p>\n

M\u00f4i tr\u01b0\u1eddng th\u1eed nghi\u1ec7m \u0111\u00e1nh c\u1eafp cookie c\u1ee7a ch\u00fang ta s\u1ebd n\u1eb1m trong m\u1ed9t trang ch\u1ec9 m\u1ee5c HTML kh\u00e1 chu\u1ea9n. Ch\u00fang ta s\u1ebd c\u00f3 th\u1ec3 nh\u00fang t\u1ea5t c\u1ea3 c\u00e1c ph\u1ea7n t\u1eed JavaScript. \u0110\u1ea7u ti\u00ean, t\u1ea1o m\u1ed9t th\u01b0 m\u1ee5c m\u1edbi \u0111\u1ec3 ch\u1ee9a t\u1ec7p HTML. Tr\u00ean h\u1ec7 th\u1ed1ng Linux ho\u1eb7c macOS, ch\u00fang ta c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng l\u1ec7nh mkdir, nh\u01b0 h\u00ecnh d\u01b0\u1edbi \u0111\u00e2y.<\/p>\n

mkdir cookiestealer<\/code><\/p>\n

Ti\u1ebfp theo, truy c\u1eadp v\u00e0o th\u01b0 m\u1ee5c n\u00e0y b\u1eb1ng l\u1ec7nh cd:<\/p>\n

cd cookiestealer<\/code><\/p>\n

Khi \u1edf trong th\u01b0 m\u1ee5c n\u00e0y, ch\u00fang ta c\u00f3 th\u1ec3 t\u1ea1o t\u1ec7p index c\u1ee7a m\u00ecnh b\u1eb1ng l\u1ec7nh touch<\/p>\n

touch index.html<\/span><\/code><\/p>\n

\"\"<\/p>\n

Ti\u1ebfp theo, ch\u00fang ta c\u0169ng s\u1ebd ch\u1ec9nh s\u1eeda t\u1ec7p index n\u00e0y. \u0110\u1ea7u ti\u00ean, m\u1edf t\u1ec7p b\u1eb1ng nano.<\/p>\n

nano index.html<\/code><\/p>\n

Th\u00eam c\u00e1c th\u1ebb m\u1edf HTML c\u1ea7n thi\u1ebft. Trong tr\u01b0\u1eddng h\u1ee3p n\u00e0y, ch\u00fang ta ch\u1ec9 c\u1ea7n th\u1ebb \u201chtml\u201d v\u00e0 \u201cbody\u201d v\u00ec kh\u00f4ng c\u1ea7n ph\u1ea7n t\u1eed \u201chead\u201d \u0111\u1ec3 ki\u1ec3m tra JavaScript. T\u1ec7p b\u00e2y gi\u1edd s\u1ebd tr\u00f4ng gi\u1ed1ng nh\u01b0 b\u00ean d\u01b0\u1edbi.<\/p>\n

<html>
\n<body>
\n<\/body>
\n<\/html><\/p>\n

\"\"<\/p>\n

Ch\u00fang ta c\u00f3 th\u1ec3 l\u01b0u t\u1ec7p n\u00e0y b\u1eb1ng c\u00e1ch nh\u1ea5n Ctrl + O trong nano. T\u1ea1i th\u1eddi \u0111i\u1ec3m n\u00e0y, n\u1ebfu m\u1edf trong tr\u00ecnh duy\u1ec7t web, trang c\u1ee7a ch\u00fang ta s\u1ebd tr\u1ed1ng. Ch\u00fang ta c\u00f3 th\u1ec3 th\u00eam ph\u1ea7n t\u1eed ti\u00eau \u0111\u1ec1 ho\u1eb7c m\u1ed9t s\u1ed1 n\u1ed9i dung HTML c\u01a1 b\u1ea3n, nh\u01b0ng \u0111\u1ed1i v\u1edbi th\u1eed nghi\u1ec7m n\u00e0y, nhi\u00eau \u0111\u00e2y l\u00e0 \u0111\u1ee7.<\/p>\n

\"\"<\/p>\n

B\u01b0\u1edbc 2: T\u1ea1o Cookie<\/h3>\n

Ch\u00fang ta c\u00f3 th\u1ec3 t\u1ea1o m\u1ed9t tham s\u1ed1 c\u01a1 b\u1ea3n \u0111\u01b0\u1ee3c ch\u00e8n trong cookie b\u1eb1ng c\u00e1ch ch\u1ec9 s\u1eed d\u1ee5ng m\u1ed9t chu\u1ed7i duy nh\u1ea5t. Cookie n\u00e0y s\u1ebd ch\u1ec9 t\u1ed3n t\u1ea1i trong trang n\u00e0y v\u00e0 t\u01b0\u01a1ng t\u1ef1, k\u1ef9 thu\u1eadt \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 k\u1ebft xu\u1ea5t cookie sau n\u00e0y s\u1ebd \u00e1p d\u1ee5ng cho b\u1ea5t k\u1ef3 cookie n\u00e0o \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef trong trang m\u00e0 t\u1eadp l\u1ec7nh \u0111\u01b0\u1ee3c ch\u1ea1y ho\u1eb7c \u0111\u01b0a v\u00e0o.<\/p>\n

<script type=\"text\/javascript\">document.cookie = \"username=Null Byte\";<\/script><\/code><\/p>\n

T\u1eadp l\u1ec7nh n\u00e0y ph\u1ea3i \u0111\u01b0\u1ee3c ch\u00e8n trong ph\u1ea7n \u201cbody\u201d c\u1ee7a t\u1ec7p HTML, nh\u01b0 b\u00ean d\u01b0\u1edbi.<\/p>\n

\"\"<\/p>\n

N\u1ebfu trang web c\u00f3 t\u1eadp l\u1ec7nh n\u00e0y \u0111\u01b0\u1ee3c m\u1edf, m\u1ed9t cookie s\u1ebd \u0111\u01b0\u1ee3c thi\u1ebft l\u1eadp, nh\u01b0ng s\u1ebd kh\u00f4ng c\u00f3 g\u00ec hi\u1ec3n th\u1ecb trong tr\u00ecnh duy\u1ec7t. Ch\u00fang ta c\u00f3 th\u1ec3 k\u1ebft xu\u1ea5t cookie tr\u1ef1c ti\u1ebfp v\u00e0o ch\u00ednh trang \u0111\u00f3 b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng ch\u1ee9c n\u0103ng \u201cdocument.write\u201d. \u0110i\u1ec1u n\u00e0y s\u1ebd kh\u00f4ng c\u00f3 \u00edch g\u00ec cho vi\u1ec7c xu\u1ea5t cookie cho ng\u01b0\u1eddi d\u00f9ng, nh\u01b0ng n\u00f3 c\u00f3 th\u1ec3 gi\u00fap ch\u00fang ta hi\u1ec3u \u0111\u1ecbnh d\u1ea1ng m\u00e0 k\u1ef9 thu\u1eadt cookie ho\u1ea1t \u0111\u1ed9ng. Ch\u00fang tac\u00f3 th\u1ec3 th\u00eam d\u00f2ng sau v\u00e0o t\u1eadp l\u1ec7nh c\u1ee7a m\u00ecnh \u0111\u1ec3 ki\u1ec3m tra.<\/p>\n

document.write(document.cookie);<\/code><\/p>\n

T\u1eadp l\u1ec7nh c\u1ee7a ch\u00fang ta b\u00e2y gi\u1edd s\u1ebd tr\u00f4ng gi\u1ed1ng nh\u01b0 b\u00ean d\u01b0\u1edbi.<\/p>\n

\n
\n
\n
1. <<\/span>script type=<\/span>“text\/javascript”<\/span>><\/span><\/div>\n<\/div>\n
\n
2. document.<\/span>cookie<\/span> = <\/span>“username=Null Byte”<\/span>;<\/span><\/div>\n<\/div>\n
\n
3. document.<\/span>write<\/span>(<\/span>document.<\/span>cookie<\/span>)<\/span>;<\/span><\/div>\n<\/div>\n
\n
4. <<\/span>\/script<\/span>><\/span><\/div>\n
\"\"<\/div>\n
Khi m\u1edf trong tr\u00ecnh duy\u1ec7t, n\u00f3 s\u1ebd tr\u00f4ng gi\u1ed1ng nh\u01b0 h\u00ecnh d\u01b0\u1edbi \u0111\u00e2y.<\/div>\n
\"\"<\/div>\n
\n

B\u00e2y gi\u1edd ch\u00fang ta \u0111\u00e3 \u0111\u1eb7t th\u00e0nh c\u00f4ng \u201cusername=Null Byte\u201d l\u00e0m cookie cho trang n\u00e0y. B\u00e2y gi\u1edd ch\u00fang ta c\u00f3 th\u1ec3 x\u00f3a \u201cdocument.write (document.cookie);\u201d ch\u1ee9c n\u0103ng c\u1ee7a t\u1eadp l\u1ec7nh, v\u00ec thay v\u00e0o \u0111\u00f3 ch\u00fang ta s\u1ebd chuy\u1ec3n ti\u1ebfp c\u00e1c cookie \u0111\u01b0\u1ee3c truy xu\u1ea5t t\u1eeb \u200b\u200btrang c\u1ee7a ng\u01b0\u1eddi d\u00f9ng \u0111\u01b0\u1ee3c nh\u1eafm m\u1ee5c ti\u00eau \u0111\u1ebfn m\u1ed9t trang \u0111\u1ed9c l\u1eadp, n\u01a1i ch\u00fang ta c\u00f3 th\u1ec3 vi\u1ebft v\u00e0 l\u01b0u tr\u1eef ch\u00fang.<\/p>\n