介绍
最近,我遇到了互联网的一种常见情况-一位亲戚的经典要求,就是以某种投票的方式为他们投票。事实证明,该人被骗子“砍死”,而与选票的链接是网络钓鱼资源。
我喜欢安全性,因此我出于兴趣而决定检查网络钓鱼资源的安全性。
诈骗者的管理面板已成功被黑客入侵,里面有n个被盗帐户。他们的登录信息已转移到VK安全服务,并且相应的“滥用”投诉也发送给了注册服务商,托管人。
现在,我将告诉您“仿冒即服务”面板的方式和作用
这一切都像往常一样开始,是亲戚的要求以某种投票方式为他投票:
相对:
嗨,我只想赢:) http://x-vote.ru/votes/701738#vote
![](https://habrastorage.org/webt/ge/rz/vb/gerzvbrdnoxcpcwuutckfacqbe4.jpeg)
实际上,很可能会忽略这样的请求,但是从安全角度来看,有兴趣检查种族本身的投票情况-一个账户实际上有可能在短时间内发送几张来投几张票。
, . , , , Oauth , .
![](https://habrastorage.org/webt/93/7j/lu/937jlup1k5_jbihxmfxvrpanmqm.jpeg)
, , .
, Race Condition , , , , , - - .
, , , - , , , , / "" HTML+JS, Blind XSS. , — / .
xsshunter — . XSS, :
- url, ;
- IP;
- Cookie;
- Dom-;
… . , , , VPS.
, blind XSS- .
![](https://habrastorage.org/webt/mu/sv/q7/musvq7pxmndj2_unf2xersbfzai.jpeg)
, XSS " " ( document.cookie).
, — "httpOnly", JS.
XSS , - API , (), .
, "" .
, , .
, , , — .
![](https://habrastorage.org/webt/5t/xl/mf/5txlmf1ssmq5n2xofgynd1dpsgo.jpeg)
![](https://habrastorage.org/webt/em/p4/1d/emp41dbbcar9nhd5d4_ccrvwo20.jpeg)
. bootstrap , , :
:
![](https://habrastorage.org/webt/ub/51/nq/ub51nqvcoimp2caihro6_9wjxau.jpeg)
:
![](https://habrastorage.org/webt/e-/gt/pk/e-gtpkne9tblll92mzbn8qzfavi.jpeg)
API:
![](https://habrastorage.org/webt/_p/o3/yg/_po3yguqlhyluck5vqz-p1po4no.jpeg)
IP.
![](https://habrastorage.org/webt/cu/6f/mw/cu6fmwytdtvhogbx_uqfzdmcgvi.jpeg)
, , :
![](https://habrastorage.org/webt/mh/iy/k-/mhiyk-97msqycyrzjccu0prkxls.jpeg)
![](https://habrastorage.org/webt/rr/2d/we/rr2dwe2wr7sgymm9jwevs9qok2w.jpeg)
:
![](https://habrastorage.org/webt/29/tn/0m/29tn0muqmezjigkpbt4rydwogsg.jpeg)
![](https://habrastorage.org/webt/5s/0y/0m/5s0y0mstn6gnuhr3wtrumhbdbs0.jpeg)
, :
![](https://habrastorage.org/webt/8m/3h/jd/8m3hjdesm_xycdhs6wqcmf2eczo.jpeg)
![](https://habrastorage.org/webt/xo/rq/se/xorqsej2qjhxqwachdjrfqpmbiq.jpeg)
![](https://habrastorage.org/webt/hy/my/rq/hymyrqpxcqtxy-fzzhdyvoah9ig.jpeg)
… .
API , , , , .., execute.getDialogsWithProfilesNewFixGroups.php, :
https://vk.com/dev/execute
.
— VK .
access-, , .
:
GET /method/execute.getDialogsWithProfilesNewFixGroups?access_token=****b750be150c961c******ace8d9dd54e448d5f5e5fd2******7e21388c497994536a740e3a45******&lang=ru&https=1&count=40&v=5.69 HTTP/1.1
Host: vk-api-proxy.xtrafrancyz.net
HTTP/1.1 200 OK
Date: Tue, 03 Mar 2020 09:57:08 GMT
Content-Type: application/json; charset=utf-8
Connection: close
Vary: Accept-Encoding
Server: vk-proxy
X-Powered-By: PHP/3.23359
Cache-Control: no-store
X-Frame-Options: DENY
Access-Control-Allow-Origin: *
Content-Length: 57453
{"response":{"a":{"count":271,"unread_dialogs":151,"items":[{"message":{"id":592***,"date":1583222677,"out":0,"user_id":14967****,"read_state":1,"title":"","body":" : 063725.","owner_ids":[]},"in_read":592***,"out_read":592***}
, . , — "" , . , + , , .
, , , , .
, , ?
-, , , , , : , , blind xss , VK Bo0oM, , , , .
complaint' . cloudflare', . , , , . - Cloudflare , https://www.cloudflare.com/abuse/form, — 1 url ¯ \ (ツ) / ¯
— 10 .
![](https://habrastorage.org/webt/5p/eu/n8/5peun8dsm3nzt7iyo-fqmkvsaps.jpeg)
, , .
UPD: QIWI Yandex, .