diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..e70bceed6
Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
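Review bot: the blob this "new file" introduces, e70bceed6, is the pre-change content of the seventeen-suffix `image (1) (1) ... (1).png` in the very next block, so no new screenshot is being added here; an existing one is being pushed one slot down the ` (1)` suffix chain, and the sixteen blocks after that each hand their content to the next shorter name, all the way down to `image (1).png`. Git cannot present this as renames because every path in the chain is both the source and the destination of a move, so the history of each screenshot is lost on every GitBook sync and the repository gains one more full-size copy each time. Suggest breaking the cycle once: `git mv` each screenshot to a descriptive, stable name (page and step it belongs to), update the markdown references, and delete the numbered copies, so later syncs stop cascading and a reviewer can actually tell which picture changed.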
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index e70bceed6..2173ed0a4 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 2173ed0a4..53e9f7c1f 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 53e9f7c1f..0ea1b8586 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 0ea1b8586..b38f1e7c3 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index b38f1e7c3..0e554c193 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 0e554c193..a8cfa5b77 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index a8cfa5b77..33c23d55b 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 33c23d55b..bedca8e18 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index bedca8e18..a0a303a29 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
index a0a303a29..f9a051e20 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
index f9a051e20..0b96b38ef 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png
index 0b96b38ef..0ea2dbdc6 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png
index 0ea2dbdc6..af973a127 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png
index af973a127..4207464e0 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index 4207464e0..ca4f55331 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png
index ca4f55331..1e61555dd 100644
Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index 1e61555dd..6856b34b8 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (10) (2) (2).png b/.gitbook/assets/image (10) (2) (2).png
new file mode 100644
index 000000000..86da99243
Binary files /dev/null and b/.gitbook/assets/image (10) (2) (2).png differ
diff --git a/.gitbook/assets/image (10) (2).png b/.gitbook/assets/image (10) (2).png
index 86da99243..12e1db392 100644
Binary files a/.gitbook/assets/image (10) (2).png and b/.gitbook/assets/image (10) (2).png differ
diff --git a/.gitbook/assets/image (10).png b/.gitbook/assets/image (10).png
index 12e1db392..746083bba 100644
Binary files a/.gitbook/assets/image (10).png and b/.gitbook/assets/image (10).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..eaa792ed6
Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index eaa792ed6..eb7611c98 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index eb7611c98..4ede9266b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 4ede9266b..d7789e602 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index d7789e602..ca4b6651b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index ca4b6651b..0330f840b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png
index 0330f840b..8190e06a7 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png
index 8190e06a7..0c49287b0 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png
index 0c49287b0..bedca8e18 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png differ
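Review bot: the post-change blob of `image (2) (1) (1) (1) (1) (1) (1).png`, bedca8e18, is the same object that `image (1) (1) (1) (1) (1) (1) (1) (1) (1).png` receives earlier in this patch (and that the ten-suffix `image (1) ...` and the five-suffix `image (2) (1) ...` both held before it), so the identical picture already sits under two names in two different suffix chains and this patch carries the duplication forward. The chains are meant to be distinct images, so either one markdown reference points at the wrong screenshot or the asset was uploaded twice; please check which pages reference each name and collapse them to a single file before merging.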
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png
index bedca8e18..611702103 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1).png
index 611702103..f0efd5ebd 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1).png
index f0efd5ebd..68b506e08 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png
index 68b506e08..94022a58d 100644
Binary files a/.gitbook/assets/image (2) (1) (1).png and b/.gitbook/assets/image (2) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png
index 94022a58d..7118b03d4 100644
Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index 7118b03d4..ae8c5810e 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..455fbb8b7
Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 455fbb8b7..6874f9c86 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png
index 6874f9c86..38b71f3d4 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png
index 38b71f3d4..7dcdeb084 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png
index 7dcdeb084..865dc4ae4 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png
index 865dc4ae4..0d52048cb 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1).png
index 0d52048cb..b98c9fbbc 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1).png
index b98c9fbbc..78abb7891 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1).png b/.gitbook/assets/image (3) (1) (1).png
index 78abb7891..cdd56bb93 100644
Binary files a/.gitbook/assets/image (3) (1) (1).png and b/.gitbook/assets/image (3) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png
index cdd56bb93..f406f4410 100644
Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ
diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png
index f406f4410..61513f7bf 100644
Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..2fde683ec
Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png
index 2fde683ec..ea50c990a 100644
Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png
index ea50c990a..bc4b76df1 100644
Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1).png
index bc4b76df1..8cd1f020d 100644
Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1).png
index 8cd1f020d..c4dc34691 100644
Binary files a/.gitbook/assets/image (4) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1).png b/.gitbook/assets/image (4) (1) (1).png
index c4dc34691..59ecb25fa 100644
Binary files a/.gitbook/assets/image (4) (1) (1).png and b/.gitbook/assets/image (4) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png
index 59ecb25fa..0a0d96518 100644
Binary files a/.gitbook/assets/image (4) (1).png and b/.gitbook/assets/image (4) (1).png differ
diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png
index 0a0d96518..8f2e02767 100644
Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ
diff --git a/.gitbook/assets/image (5) (1) (1) (1) (1).png b/.gitbook/assets/image (5) (1) (1) (1) (1).png
new file mode 100644
index 000000000..b2c2c3d26
Binary files /dev/null and b/.gitbook/assets/image (5) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (5) (1) (1) (1).png b/.gitbook/assets/image (5) (1) (1) (1).png
index b2c2c3d26..77f2a8962 100644
Binary files a/.gitbook/assets/image (5) (1) (1) (1).png and b/.gitbook/assets/image (5) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (5) (1) (1).png b/.gitbook/assets/image (5) (1) (1).png
index 77f2a8962..d74f01753 100644
Binary files a/.gitbook/assets/image (5) (1) (1).png and b/.gitbook/assets/image (5) (1) (1).png differ
diff --git a/.gitbook/assets/image (5) (1).png b/.gitbook/assets/image (5) (1).png
index d74f01753..8f87ed9e5 100644
Binary files a/.gitbook/assets/image (5) (1).png and b/.gitbook/assets/image (5) (1).png differ
diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png
index 8f87ed9e5..4e7cfeff2 100644
Binary files a/.gitbook/assets/image (5).png and b/.gitbook/assets/image (5).png differ
diff --git a/.gitbook/assets/image (6) (1) (3) (1).png b/.gitbook/assets/image (6) (1) (3) (1).png
new file mode 100644
index 000000000..6522f6120
Binary files /dev/null and b/.gitbook/assets/image (6) (1) (3) (1).png differ
diff --git a/.gitbook/assets/image (6) (1) (3).png b/.gitbook/assets/image (6) (1) (3).png
index 6522f6120..3ae281225 100644
Binary files a/.gitbook/assets/image (6) (1) (3).png and b/.gitbook/assets/image (6) (1) (3).png differ
diff --git a/.gitbook/assets/image (6) (1).png b/.gitbook/assets/image (6) (1).png
index 3ae281225..8f87ed9e5 100644
Binary files a/.gitbook/assets/image (6) (1).png and b/.gitbook/assets/image (6) (1).png differ
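Review bot: `image (6) (1).png` now carries blob 8f87ed9e5, the same object `image (5) (1).png` receives in this patch (it was the pre-change content of both `image (5).png` and `image (6).png`), so `(5) (1)` and `(6) (1)` are byte-identical after the merge exactly as `(5)` and `(6)` were before it. Same duplication as in the `(1)`/`(2)` chains: keep one name, delete the other and fix the references. The mixed suffix `image (6) (1) (3) (1).png` two blocks up also shows the numbering has already forked away from a single chain, which is what makes these binary cascades impossible to review by eye.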
diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png
index 8f87ed9e5..41d8904d5 100644
Binary files a/.gitbook/assets/image (6).png and b/.gitbook/assets/image (6).png differ
diff --git a/.gitbook/assets/image (7) (1) (1) (1) (1).png b/.gitbook/assets/image (7) (1) (1) (1) (1).png
new file mode 100644
index 000000000..7510b6e7e
Binary files /dev/null and b/.gitbook/assets/image (7) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (7) (1) (1) (1).png b/.gitbook/assets/image (7) (1) (1) (1).png
index 7510b6e7e..d56929629 100644
Binary files a/.gitbook/assets/image (7) (1) (1) (1).png and b/.gitbook/assets/image (7) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (7) (1) (1).png b/.gitbook/assets/image (7) (1) (1).png
index d56929629..c78341920 100644
Binary files a/.gitbook/assets/image (7) (1) (1).png and b/.gitbook/assets/image (7) (1) (1).png differ
diff --git a/.gitbook/assets/image (7) (1).png b/.gitbook/assets/image (7) (1).png
index c78341920..a75850811 100644
Binary files a/.gitbook/assets/image (7) (1).png and b/.gitbook/assets/image (7) (1).png differ
diff --git a/.gitbook/assets/image (7).png b/.gitbook/assets/image (7).png
index a75850811..f963370a1 100644
Binary files a/.gitbook/assets/image (7).png and b/.gitbook/assets/image (7).png differ
diff --git a/.gitbook/assets/image (722).png b/.gitbook/assets/image (722).png
new file mode 100644
index 000000000..55da1d380
Binary files /dev/null and b/.gitbook/assets/image (722).png differ
diff --git a/.gitbook/assets/image (723).png b/.gitbook/assets/image (723).png
new file mode 100644
index 000000000..110f6b19c
Binary files /dev/null and b/.gitbook/assets/image (723).png differ
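Review bot: `image (722).png` and `image (723).png` are added with blobs (55da1d380, 110f6b19c) that appear nowhere else in this patch, so unlike the ` (1)`-chain heads they are new content rather than shifted content, yet no markdown hunk in the patch visibly references either name. If they are what the content-less image lines in the README and banner hunks below now point at, say so in the PR description; otherwise they are orphaned assets and should be removed or wired up.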
diff --git a/.gitbook/assets/image (8) (3).png b/.gitbook/assets/image (8) (3).png
new file mode 100644
index 000000000..a254c23a8
Binary files /dev/null and b/.gitbook/assets/image (8) (3).png differ
diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png
index a254c23a8..9674c12c6 100644
Binary files a/.gitbook/assets/image (8).png and b/.gitbook/assets/image (8).png differ
diff --git a/.gitbook/assets/image (9) (3) (1).png b/.gitbook/assets/image (9) (3) (1).png
new file mode 100644
index 000000000..72a70e974
Binary files /dev/null and b/.gitbook/assets/image (9) (3) (1).png differ
diff --git a/.gitbook/assets/image (9) (3).png b/.gitbook/assets/image (9) (3).png
index 72a70e974..e0f23369e 100644
Binary files a/.gitbook/assets/image (9) (3).png and b/.gitbook/assets/image (9) (3).png differ
diff --git a/.gitbook/assets/image (9).png b/.gitbook/assets/image (9).png
index e0f23369e..203b677d5 100644
Binary files a/.gitbook/assets/image (9).png and b/.gitbook/assets/image (9).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index 746083bba..354be02ad 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
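Review bot: `image.png` gives up blob 746083bba, which reappears above as the new content of `image (10).png`, and takes 354be02ad, a blob seen nowhere else in the patch; the same holds for every chain tail `image (N).png`, each of which receives a blob that is not the old content of any other path. So whatever pages embed `image.png` today will show a different picture after this merge unless their references were updated in the same commit, and the only reference updates visible in this patch are the four in salseo.md. Please list which pages use `image.png` and `image (10).png` and confirm they were checked before merging.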
diff --git a/README.md b/README.md
index e213b17cd..d041fe432 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [RootedCON](https://www.rootedcon.com/)
-
+
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
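Review bot: the removed and added lines of this hunk are empty as presented, so the actual change (presumably the sponsor banner's image element being re-pointed at one of the renumbered assets) cannot be reviewed from the patch; the same content-less `-`/`+` pair recurs in the other three README hunks and in every hunk of certificates.md, linux-forensics.md, .pyc.md, browser-artifacts.md, local-cloud-storage.md, office-file-analysis.md, pdf-file-analysis.md and brute-force.md. Please resend with the image markup intact, or state in the PR which asset each banner now points at, so a reviewer can check that the new path exists in the asset changes above and that the same banner resolves to the same file on every page.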
@@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [Intigriti](https://www.intigriti.com)
-
+
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
@@ -50,7 +50,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.
@@ -75,7 +75,7 @@ Intruder never rests. Round-the-clock protection monitors your systems 24/7. Wan
### [HACKENPROOF](https://bit.ly/3xrrDrL)
-
+
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
diff --git a/SUMMARY.md b/SUMMARY.md
index 593068882..3e7c68fc2 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -543,6 +543,10 @@
* [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)
* [2FA/OTP Bypass](pentesting-web/2fa-bypass.md)
* [Account Takeover](pentesting-web/account-takeover.md)
+* [Browser Extension Pentesting Methodology](pentesting-web/browser-extension-pentesting-methodology/README.md)
+ * [BrowExt - ClickJacking](pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md)
+ * [BrowExt - permissions & host\_permissions](pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host\_permissions.md)
+ * [BrowExt - XSS Example](pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md)
* [Bypass Payment Process](pentesting-web/bypass-payment-process.md)
* [Captcha Bypass](pentesting-web/captcha-bypass.md)
* [Cache Poisoning and Cache Deception](pentesting-web/cache-deception.md)
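Review bot: the four new entries point at pentesting-web/browser-extension-pentesting-methodology/README.md, browext-clickjacking.md, browext-permissions-and-host\_permissions.md and browext-xss-example.md, but this patch contains no diff for any of those files, so either they already exist on the base branch or the PR is incomplete; GitBook builds a dead navigation entry for any missing path, so please confirm the files are present. The backslash in `host\_permissions` inside the link target matches the escaping already used elsewhere in the book (the `utm\_campaign` links, for instance), but make sure the file on disk is named with a plain underscore. Alphabetical placement between "Account Takeover" and "Bypass Payment Process" is correct.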
diff --git a/backdoors/salseo.md b/backdoors/salseo.md
index 8de81e96a..8bb2fee97 100644
--- a/backdoors/salseo.md
+++ b/backdoors/salseo.md
@@ -99,17 +99,17 @@ Open the SalseoLoader project using Visual Studio.
### Add before the main function: \[DllExport]
-![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Install DllExport for this project
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
-![](<../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
-![](<../.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png>)
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
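Review bot: each of the three reference bumps in this hunk is consistent with the binary changes above: the old path's pre-change blob is exactly the blob the new path receives (`(2)` chain eaa792ed6, `(3)` chain 455fbb8b7, `(4)` chain 2fde683ec), so the DllExport screenshots render unchanged; the `(7)` bump in the next hunk checks out the same way (7510b6e7e). That said, this is the only page in the patch whose references are visibly updated, so the remaining renumbering is unverified, and this hunk will have to be repeated on every sync until the images get stable names; consider renaming these four to something like salseo-dllexport-attribute.png (a suggested name, not one the repo uses) and referencing that instead.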
@@ -127,7 +127,7 @@ Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat*
Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport**) and press **Apply**
-![](<../.gitbook/assets/image (7) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (7) (1) (1) (1) (1).png>)
### **Open the project again with visual Studio**
diff --git a/cryptography/certificates.md b/cryptography/certificates.md
index 3dd3f4849..161510227 100644
--- a/cryptography/certificates.md
+++ b/cryptography/certificates.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -197,7 +197,7 @@ openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md
index 495f7d8cd..964c2e52d 100644
--- a/forensics/basic-forensic-methodology/linux-forensics.md
+++ b/forensics/basic-forensic-methodology/linux-forensics.md
@@ -1,6 +1,6 @@
# Linux Forensics
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -161,7 +161,7 @@ icat -i raw -f ext4 disk.img 16
ThisisTheMasterSecret
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -224,7 +224,7 @@ find /sbin/ -exec dpkg -S {} \; | grep "no path found"
find /sbin/ –exec rpm -qf {} \; | grep "is not"
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
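Review bot: unrelated to the banner swap but visible in this hunk's context, `find /sbin/ –exec rpm -qf {} \; | grep "is not"` uses an en dash (U+2013) before `exec`, while the dpkg line just above uses the correct ASCII `-exec`; find will not recognise `–exec` as the -exec action and the command fails. Fix it to `find /sbin/ -exec rpm -qf {} \; | grep "is not"` while this file is being touched.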
@@ -365,7 +365,7 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -451,7 +451,7 @@ Do you work in a **cybersecurity company**? Do you want to see your **company ad
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
index c309deca2..b4722c65c 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
index e1d4b0bb0..ffe4d582d 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -268,7 +268,7 @@ Opera **stores browser history and download data in the exact same format as Goo
* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
* **fraud\_protection\_enabled** should be **true**
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
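Review bot: visible in this hunk's context, the Opera check `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences` leaves the space in `Application Support` unquoted, so the shell passes `~/Library/Application` and `Support/com.operasoftware.Opera/Preferences` as two separate file arguments and grep fails on both. Quote the path, keeping the tilde outside the quotes so it still expands: `grep --color 'fraud_protection_enabled' ~/Library/"Application Support"/com.operasoftware.Opera/Preferences`.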
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
index ce7c1d8bb..61a6fe6af 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -113,7 +113,7 @@ Other tables inside this database contain more interesting information:
* **deleted\_fields**: Dropbox deleted files
* **date\_added**
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
index daa906b0b..e4bbde33f 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -92,7 +92,7 @@ Macro functions like `AutoOpen`, `AutoExec` or `Document_Open` will be **automat
* [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
index 1865758bb..d4b8cd698 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/brute-force.md b/generic-methodologies-and-resources/brute-force.md
index 7237edf6c..d7faa05c1 100644
--- a/generic-methodologies-and-resources/brute-force.md
+++ b/generic-methodologies-and-resources/brute-force.md
@@ -1,6 +1,6 @@
# Brute Force - CheatSheet
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -106,7 +106,7 @@ Finished in 0.920s.
* [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager)
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -542,7 +542,7 @@ set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
crackmapexec winrm -d -u usernames.txt -p passwords.txt
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -745,7 +745,7 @@ zip -r file.xls .
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -906,7 +906,7 @@ Cracking Common Application Hashes
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/README.md b/generic-methodologies-and-resources/python/README.md
index a46305264..cb5c746c7 100644
--- a/generic-methodologies-and-resources/python/README.md
+++ b/generic-methodologies-and-resources/python/README.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -28,7 +28,7 @@ Get Access Today:
* [**Basic python web requests syntax**](web-requests.md)
* [**Basic python syntax and libraries**](basic-python.md)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/venv.md b/generic-methodologies-and-resources/python/venv.md
index 7b7d9cb92..ad50c057d 100644
--- a/generic-methodologies-and-resources/python/venv.md
+++ b/generic-methodologies-and-resources/python/venv.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -39,7 +39,7 @@ pip3 install wheel
inside the virtual environment
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/web-requests.md b/generic-methodologies-and-resources/python/web-requests.md
index 3a52385eb..de9ba823e 100644
--- a/generic-methodologies-and-resources/python/web-requests.md
+++ b/generic-methodologies-and-resources/python/web-requests.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -119,7 +119,7 @@ term = Terminal()
term.cmdloop()
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/search-exploits.md b/generic-methodologies-and-resources/search-exploits.md
index b28fe2a6f..5b998a7d6 100644
--- a/generic-methodologies-and-resources/search-exploits.md
+++ b/generic-methodologies-and-resources/search-exploits.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -62,7 +62,7 @@ You can also search in vulners database: [https://vulners.com/](https://vulners.
This searches for exploits in other databases: [https://sploitus.com/](https://sploitus.com)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/privilege-escalation/docker-security/README.md b/linux-hardening/privilege-escalation/docker-security/README.md
index d8f5ccf18..e49d1816f 100644
--- a/linux-hardening/privilege-escalation/docker-security/README.md
+++ b/linux-hardening/privilege-escalation/docker-security/README.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -137,7 +137,7 @@ When I changed Docker host, I had to move the root keys and repository keys to o
***
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -450,7 +450,7 @@ If you have access to the docker socket or have access to a user in the **docker
* [https://en.wikipedia.org/wiki/Linux\_namespaces](https://en.wikipedia.org/wiki/Linux\_namespaces)
* [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/privilege-escalation/docker-security/cgroups.md b/linux-hardening/privilege-escalation/docker-security/cgroups.md
index f231a13b6..fba390ae5 100644
--- a/linux-hardening/privilege-escalation/docker-security/cgroups.md
+++ b/linux-hardening/privilege-escalation/docker-security/cgroups.md
@@ -53,7 +53,7 @@ Don’t be alarmed if the **output is significantly shorter** on your system; th
Cgroups are typically **accessed through the filesystem**. This is in contrast to the traditional Unix system call interface for interacting with the kernel.\
To explore the cgroup setup of a shell, you can look in the `/proc/self/cgroup` file to find the shell's cgroup, and then navigate to the `/sys/fs/cgroup` (or `/sys/fs/cgroup/unified`) directory and look for a **directory with the same name as the cgroup**. Changing to this directory and looking around will allow you to see the various **settings and resource usage information for the cgroup**.
-
+
Among the many files that can be here, **the primary cgroup interface files begin with `cgroup`**. Start by looking at `cgroup.procs` (using cat is fine), which lists the processes in the cgroup. A similar file, `cgroup.threads`, also includes threads.
diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
index b5ce7fb98..e60cc7e6e 100644
--- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
+++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -521,7 +521,7 @@ cat /proc/self/status | grep CapEff
The second technique explained in the post [https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files).
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -663,7 +663,7 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
diff --git a/linux-hardening/useful-linux-commands/README.md b/linux-hardening/useful-linux-commands/README.md
index 3c6860ab1..1ff6f8de2 100644
--- a/linux-hardening/useful-linux-commands/README.md
+++ b/linux-hardening/useful-linux-commands/README.md
@@ -1,6 +1,6 @@
# Useful Linux Commands
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -141,7 +141,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it
7z l file.zip
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -314,7 +314,7 @@ iptables -P OUTPUT ACCEPT
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
index 6fc976b3e..9ad4bad79 100644
--- a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
+++ b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -366,7 +366,7 @@ If you are inside a filesystem with the **read-only and noexec protections** or
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/macos-hardening/macos-auto-start-locations.md b/macos-hardening/macos-auto-start-locations.md
index cc6b375de..8aefc08d1 100644
--- a/macos-hardening/macos-auto-start-locations.md
+++ b/macos-hardening/macos-auto-start-locations.md
@@ -474,7 +474,7 @@ The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2
This setting can be configured in the iTerm2 settings:
-
+
And the command is reflected in the preferences:
@@ -799,7 +799,7 @@ mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts"
Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp):
-
+
Now, if you open that folder with **Finder**, your script will be executed.
@@ -811,7 +811,7 @@ Now, lets try to prepare this persistence without GUI access:
* `cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp`
2. **Remove** the Folder Actions you just set:
-
+
Now that we have an empty environment
@@ -997,7 +997,7 @@ Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://p
* `~/Library/Screen Savers`
* **Trigger**: Select the screen saver
-
+
#### Description & Exploit
diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md
index 5d85c19b0..6e69fc374 100644
--- a/macos-hardening/macos-red-teaming/README.md
+++ b/macos-hardening/macos-red-teaming/README.md
@@ -49,11 +49,11 @@ You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/J
Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form:
-![](<../../.gitbook/assets/image (7) (1).png>)
+![](<../../.gitbook/assets/image (7) (1) (1).png>)
#### JAMF device Authentication
-
+
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
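Review bot: confirm that `../../.gitbook/assets/image (7) (1) (1).png` exists at exactly that path after this commit's asset renumbering, because the GitBook `(1)` suffix chain is easy to get off by one and a stale reference renders as a broken image instead of failing the build; a descriptive filename (something like `jamf-login-form.png`, name illustrative) would also keep later image additions from cascading renames through unrelated pages such as this one.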
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
index 08c4157e6..96dae43c5 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@@ -22,7 +22,7 @@ Obviously, this is so powerful that it is **complicated to load a kernel extensi
* When **entering recovery mode**, kernel **extensions must be allowed** to be loaded:
-
+
* The kernel extension must be **signed with a kernel code signing certificate**, which can only be **granted by Apple**. Who will review in detail the company and the reasons why it is needed.
* The kernel extension must also be **notarized**, Apple will be able to check it for malware.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
index 71df34fbb..f7e7540cb 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
@@ -203,7 +203,7 @@ Example of **section header**:
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
-
+
It's also possible to get **headers information** from the **command line** with:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
index b1fcaa2d0..9da9b5e09 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
@@ -21,7 +21,7 @@ It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127]
So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
-
+
The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
index eb45754e2..deb083949 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
@@ -62,7 +62,7 @@ Binary file Slack.app//Contents/Frameworks/Electron Framework.framework/Versions
You could load this file in [https://hexed.it/](https://hexed.it/) and search for the previous string. After this string you can see in ASCII a number "0" or "1" indicating if each fuse is disabled or enabled. Just modify the hex code (`0x30` is `0` and `0x31` is `1`) to **modify the fuse values**.
-
+
Note that if you try to **overwrite** the **`Electron Framework` binary** inside an application with these bytes modified, the app won't run.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
index 216c2852c..6389388cb 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
@@ -341,10 +341,10 @@ This is the same function decompiled in a difefrent Hopper free version:
Actually if you go to the function **`0x100004000`** you will find the array of **`routine_descriptor`** structs. The first element of the struct is the **address** where the **function** is implemented, and the **struct takes 0x28 bytes**, so each 0x28 bytes (starting from byte 0) you can get 8 bytes and that will be the **address of the function** that will be called:
-
-
+
+
This data can be extracted [**using this Hopper script**](https://github.com/knightsc/hopper/blob/master/scripts/MIG%20Detect.py).
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
index 4271ac514..ac9b1df8e 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
@@ -301,7 +301,7 @@ authenticate-session-owner, authenticate-session-owner-or-admin, authenticate-se
If you find the function: **`[HelperTool checkAuthorization:command:]`** it's probably the the process is using the previously mentioned schema for authorization:
-
+
Thisn, if this function is calling functions such as `AuthorizationCreateFromExternalForm`, `authorizationRightForCommand`, `AuthorizationCopyRights`, `AuhtorizationFree`, it's using [**EvenBetterAuthorizationSample**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L101-L154).
@@ -313,7 +313,7 @@ Then, you need to find the protocol schema in order to be able to establish a co
The function **`shouldAcceptNewConnection`** indicates the protocol being exported:
-
+
In this case, we have the same as in EvenBetterAuthorizationSample, [**check this line**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L94).
@@ -337,7 +337,7 @@ Lastly, we just need to know the **name of the exposed Mach Service** in order t
* In the **`[HelperTool init]`** where you can see the Mach Service being used:
-
+
* In the launchd plist:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
index 541b48dbe..c7ea75d7b 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
@@ -86,7 +86,7 @@ To perform the attack:
3. What this means is that we can send XPC messages to `diagnosticd`, but any **messages `diagnosticd` sends go to `smd`**.
* For `smd`, both our and `diagnosticd`’s messages appear arrive on the same connection.
-
+
4. We ask **`diagnosticd`** to **start monitoring** our (or any active) process and we **spam routine 1004 messages to `smd`** (to install a privileged tool).
5. This creates a race condition that needs to hit a very specific window in `handle_bless`. We need the call to `xpc_connection_get_pid` to return the PID of our own process, as the privileged helper tool is in our app bundle. However, the call to `xpc_connection_get_audit_token` inside the `connection_is_authorized` function must use the audit token of `diganosticd`.
@@ -109,7 +109,7 @@ For this scenario we would need:
We wait for _A_ to send us a message that expects a reply (1), instead of replying we take the reply port and use it for a message we send to _B_ (2). Then, we send a message that uses the forbidden action and we hope that it arrives concurrently with the reply from _B_ (3).
-
+
## Discovery Problems
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
index af2eefede..0a3e737f9 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
@@ -76,7 +76,7 @@ Some of the returned folders doesn't even exist, however, **`/Library/Perl/5.30`
However, note that you **need to be root to write in that folder** and nowadays you will get this **TCC prompt**:
{% endhint %}
-
+
For example, if a script is importing **`use File::Basename;`** it would be possible to create `/Library/Perl/5.30/File/Basename.pm` to make it execute arbitrary code.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md b/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
index 6eee6e11b..ac7c4bf0b 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
@@ -42,7 +42,7 @@ It's essentially a bastardized [VNC](https://en.wikipedia.org/wiki/Virtual\_Netw
However, the **Screen Sharing option** is just a **basic VNC** server. There is also an advanced ARD or Remote Management option to **set a control screen password** which will make ARD backwards **compatible for VNC clients**. However there is a weakness to this authentication method that **limits** this **password** to an **8 character auth buffer**, making it very easy to **brute force** with a tool like [Hydra](https://thudinh.blogspot.com/2017/09/brute-forcing-passwords-with-thc-hydra.html) or [GoRedShell](https://github.com/ahhh/GoRedShell/) (there are also **no rate limits by default**).\
You can identify **vulnerable instances of Screen Sharing** or Remote Management with **nmap**, using the script `vnc-info`, and if the service supports `VNC Authentication (2)` then they are likely **vulnerable to brute force**. The service will truncate all passwords sent on the wire down to 8 characters, such that if you set the VNC auth to "password", both "passwords" and "password123" will authenticate.
-
+
If you want to enable it to escalate privileges (accept TCC prompts), access with a GUI or spy the user, it's possible to enable it with:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
index 628c40a7d..a9294193e 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
@@ -128,7 +128,7 @@ Allows to **change** the **`NFSHomeDirectory`** attribute of a user that changes
Allow to modify files inside apps bundle (inside app.app), which is **disallowed by default**.
-
+
It's possible to check who has this access in _System Settings_ > _Privacy & Security_ > _App Management._
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
index ce1a9e40d..d6a7222a1 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
@@ -406,7 +406,7 @@ Therefore, you won't be able to abuse the full FDA habilities.
This is the TCC prompt to get Automation privileges over Finder:
-
+
{% hint style="danger" %}
Note that because the **Automator** app has the TCC permission **`kTCCServiceAppleEvents`**, it can **control any app**, like Finder. So having the permission to control Automator you could also control the **Finder** with a code like the one below:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
index 364c0691c..f4350011d 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
@@ -149,7 +149,7 @@ $> ls ~/Documents
Notes had access to TCC protected locations but when a note is created this is **created in a non-protected location**. So, you could ask notes to copy a protected file in a noe (so in a non-protected location) and then access the file:
-
+
### CVE-2021-30782 - Translocation
@@ -515,11 +515,11 @@ In several occasions files will store sensitive information like emails, phone n
This doesn't work anymore, but it [**did in the past**](https://twitter.com/noarfromspace/status/639125916233416704/photo/1)**:**
-
+
Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/talks/OBTS\_v2\_Wardle.pdf):
-
+
## Reference
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
index 51d607e9a..e3c1473b8 100644
--- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
+++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -149,7 +149,7 @@ You can see that in [the next tutorial](frida-tutorial-2.md).
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
index 1db2b60f1..d897a02c2 100644
--- a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
+++ b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
@@ -52,19 +52,19 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n
1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
-
+
* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER`
-
+
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
-
+
* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there
-
+
## Post Android 14
diff --git a/mobile-pentesting/ios-pentesting-checklist.md b/mobile-pentesting/ios-pentesting-checklist.md
index 119032d83..2b1ab2fe7 100644
--- a/mobile-pentesting/ios-pentesting-checklist.md
+++ b/mobile-pentesting/ios-pentesting-checklist.md
@@ -1,6 +1,6 @@
# iOS Pentesting Checklist
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -120,7 +120,7 @@ Get Access Today:
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md
index 72e066750..cb9000ca4 100644
--- a/mobile-pentesting/ios-pentesting/README.md
+++ b/mobile-pentesting/ios-pentesting/README.md
@@ -1,6 +1,6 @@
# iOS Pentesting
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -395,7 +395,7 @@ struct CGSize {
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -757,7 +757,7 @@ Jun 7 13:42:14 iPhone touch[9708] : MS:Notice: Injecting: (null) [touch
...
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -1246,7 +1246,7 @@ You can find the **libraries used by an application** by running **`otool`** aga
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
index 9f0eac99e..b56c8b9bf 100644
--- a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
+++ b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
@@ -1,4 +1,4 @@
-# Burp Suite Configuration for iOS
+# iOS Burp Suite Configuration
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -120,7 +120,7 @@ Steps to configure Burp as proxy:
* Click on _**Ok**_ and the in _**Apply**_
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/xamarin-apps.md b/mobile-pentesting/xamarin-apps.md
index b1f3ebb21..3302d20bf 100644
--- a/mobile-pentesting/xamarin-apps.md
+++ b/mobile-pentesting/xamarin-apps.md
@@ -18,7 +18,7 @@ Xamarin is an open-source platform that gives developers access to a comprehensi
### Xamarin Android Architecture
-
+
Xamarin offers .NET bindings to Android.\* and Java.\* namespaces. Xamarin.
@@ -36,7 +36,7 @@ It runs along with the Objective-C Runtime. The runtime environments run on top
The below-given diagram depicts this architecture:
-
+
### What is .Net Runtime and Mono Framework?
@@ -70,7 +70,7 @@ If you encounter a Full AOT compiled application, and if the IL Assembly files a
Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
-
+
In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
@@ -88,7 +88,7 @@ In the case of the iOS, **dll files inside the IPA files can be directly loaded*
**Most of the application code can be found when we decompile the dll files.** Also note that Xamarin Framework based apps contain 90% of common code in the builds of all platforms like iOS and Android etc.
-
+
From the above screenshot of listing the dll files that were present in the apk, we can confirm that it is a Xamarin app. It contains app-specific dll files along with the library files that are required for the app to run, such as `Xamarin.Essentails.dll` or `Mono.Security.dll` .
diff --git a/network-services-pentesting/1099-pentesting-java-rmi.md b/network-services-pentesting/1099-pentesting-java-rmi.md
index 831d09ede..9d15ad1b4 100644
--- a/network-services-pentesting/1099-pentesting-java-rmi.md
+++ b/network-services-pentesting/1099-pentesting-java-rmi.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -325,7 +325,7 @@ Entry_1:
Command: rmg enum {IP} {PORT}
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/113-pentesting-ident.md b/network-services-pentesting/113-pentesting-ident.md
index 2df7c382e..7265b9638 100644
--- a/network-services-pentesting/113-pentesting-ident.md
+++ b/network-services-pentesting/113-pentesting-ident.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -87,7 +87,7 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
identd.conf
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
diff --git a/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
index df029e2b9..f5f8d960c 100644
--- a/network-services-pentesting/15672-pentesting-rabbitmq-management.md
+++ b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -60,7 +60,7 @@ Content-Length: 267
* `port:15672 http`
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/49-pentesting-tacacs+.md b/network-services-pentesting/49-pentesting-tacacs+.md
index 662f71848..28fd15ea3 100644
--- a/network-services-pentesting/49-pentesting-tacacs+.md
+++ b/network-services-pentesting/49-pentesting-tacacs+.md
@@ -65,7 +65,7 @@ We see which banner was used.
We find the username of the user `admin`
-
+
As a result, **we have the `admin:secret1234` credentials,** which can be used to access the hardware itself. **I think I’ll check their validity.**
diff --git a/network-services-pentesting/8086-pentesting-influxdb.md b/network-services-pentesting/8086-pentesting-influxdb.md
index 4e1990610..a42d069f0 100644
--- a/network-services-pentesting/8086-pentesting-influxdb.md
+++ b/network-services-pentesting/8086-pentesting-influxdb.md
@@ -1,6 +1,6 @@
# 8086 - Pentesting InfluxDB
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -153,7 +153,7 @@ msf6 > use auxiliary/scanner/http/influxdb_enum
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-postgresql.md b/network-services-pentesting/pentesting-postgresql.md
index 5236c3379..552544eed 100644
--- a/network-services-pentesting/pentesting-postgresql.md
+++ b/network-services-pentesting/pentesting-postgresql.md
@@ -1,6 +1,6 @@
# 5432,5433 - Pentesting Postgresql
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -681,7 +681,7 @@ The **password-based** authentication methods are **md5**, **crypt**, and **pass
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-ssh.md b/network-services-pentesting/pentesting-ssh.md
index 96cc59d2b..36c0f8fef 100644
--- a/network-services-pentesting/pentesting-ssh.md
+++ b/network-services-pentesting/pentesting-ssh.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -317,7 +317,7 @@ id_rsa
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/graphql.md b/network-services-pentesting/pentesting-web/graphql.md
index fe3a1559e..01550aae4 100644
--- a/network-services-pentesting/pentesting-web/graphql.md
+++ b/network-services-pentesting/pentesting-web/graphql.md
@@ -31,7 +31,7 @@ When performing your directory brute force attacks make sure to add the followin
* `/graphql/api`
* `/graphql/graphql`
-
+
Once you find an open graphQL instance you need to know **what queries it supports**. This can be done by using the introspection system, more details can be found here: [**GraphQL: A query language for APIs.**\
It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…](https://graphql.org/learn/introspection/)
diff --git a/network-services-pentesting/pentesting-web/jboss.md b/network-services-pentesting/pentesting-web/jboss.md
index 9b5d170d8..dcc55a9a8 100644
--- a/network-services-pentesting/pentesting-web/jboss.md
+++ b/network-services-pentesting/pentesting-web/jboss.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep
inurl:status EJInvokerServlet
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/moodle.md b/network-services-pentesting/pentesting-web/moodle.md
index 07db318ca..00f20a6f3 100644
--- a/network-services-pentesting/pentesting-web/moodle.md
+++ b/network-services-pentesting/pentesting-web/moodle.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -120,7 +120,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
/usr/local/bin/mysql -u --password= -e "use moodle; select email,username,password from mdl_user; exit"
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
index 19a836435..85600c8b4 100644
--- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
+++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
@@ -130,7 +130,7 @@ From: [https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challen
#### ReDoS Bypass
-
+
In short the problem happens because the `preg_*` functions in PHP builds upon the [PCRE library](http://www.pcre.org/). In PCRE certain regular expressions are matched by using a lot of recursive calls, which uses up a lot of stack space. It is possible to set a limit on the amount of recursions allowed, but in PHP this limit [defaults to 100.000](http://php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit) which is more than fits in the stack.
diff --git a/network-services-pentesting/pentesting-web/put-method-webdav.md b/network-services-pentesting/pentesting-web/put-method-webdav.md
index 64cf83816..e0a4ed94b 100644
--- a/network-services-pentesting/pentesting-web/put-method-webdav.md
+++ b/network-services-pentesting/pentesting-web/put-method-webdav.md
@@ -1,6 +1,6 @@
# WebDav
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -66,7 +66,7 @@ curl -T 'shell.txt' 'http://$ip'
curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -132,7 +132,7 @@ wget --user --ask-password http://domain/path/to/webdav/ -O - -q
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-web/web-api-pentesting.md b/network-services-pentesting/pentesting-web/web-api-pentesting.md
index e42ec49a0..eeee2158f 100644
--- a/network-services-pentesting/pentesting-web/web-api-pentesting.md
+++ b/network-services-pentesting/pentesting-web/web-api-pentesting.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -222,7 +222,7 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
* [**API-fuzzer**](https://github.com/Fuzzapi/API-fuzzer): API\_Fuzzer gem accepts a API request as input and returns vulnerabilities possible in the API.
* [**race-the-web**](https://github.com/TheHackerDev/race-the-web): Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) _simultaneously_, and then compares the responses from the server for uniqueness.
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md
index cae23a0eb..c050aa85d 100644
--- a/network-services-pentesting/pentesting-web/wordpress.md
+++ b/network-services-pentesting/pentesting-web/wordpress.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -44,7 +44,7 @@ Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admi
* The `wp-content` folder is the main directory where plugins and themes are stored.
* `wp-content/uploads/` Is the directory where any files uploaded to the platform are stored.
* `wp-includes/` This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
-* `wp-sitemap.xml` In Wordpress versions 5.5 and greater, Worpress generates a sitemap XML file with all public posts and publicly queryable post types and taxonomies.
+* `wp-sitemap.xml` In Wordpress versions 5.5 and greater, Worpress generates a sitemap XML file with all public posts and publicly queryable post types and taxonomies.
**Post exploitation**
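Review bot: the `-`/`+` pair for the `wp-sitemap.xml` bullet is identical in content, so this appears to be a whitespace-only change; since the line is being rewritten anyway, fix "Worpress" (and "Wordpress" to "WordPress") in the same edit so the file does not need another pass.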
@@ -109,7 +109,7 @@ curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/supp
```
{% endcode %}
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -142,12 +142,14 @@ You can also try to get information about the users by querying:
```
curl http://blog.example.com/wp-json/wp/v2/users
```
+
Another `/wp-json/` endpoint that can reveal some information about users is:
+
```
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
```
-Note that this endpoint only exposes users that have made a post.
-**Only information about the users that has this feature enable will be provided**.
+
+Note that this endpoint only exposes users that have made a post. **Only information about the users that has this feature enable will be provided**.
Also note that **/wp-json/wp/v2/pages** could leak IP addresses.
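Review bot: the merged `+` line keeps the grammar error from the two lines it replaces: "**Only information about the users that has this feature enable will be provided**" should read "that have this feature enabled". Merging the lines was a good call, but the wording should be corrected in the same change.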
@@ -297,7 +299,7 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
#You can try to bruteforce the admin user using wpscan with "-U admin"
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -441,7 +443,7 @@ Also, **only install trustable WordPress plugins and themes**.
* **Limit login attempts** to prevent Brute Force attacks
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
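Review bot: the hardening bullet in the context lines says to rename the `wp-admin.php` file, but the login paths listed earlier in this file (`/wp-login.php`, `/wp-admin/`) show that `wp-admin` is a directory and the login script is `wp-login.php`; the bullet should name `wp-login.php` (or say "restrict the `wp-admin/` directory") so readers do not look for a file that does not exist.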
diff --git a/pentesting-web/browser-extension-pentesting-methodology/README.md b/pentesting-web/browser-extension-pentesting-methodology/README.md
new file mode 100644
index 000000000..efd627095
--- /dev/null
+++ b/pentesting-web/browser-extension-pentesting-methodology/README.md
@@ -0,0 +1,621 @@
+# Browser Extension Pentesting Methodology
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## Basic Information
+
+Browser extensions are written in JavaScript and loaded by the browser in the background. It has its [DOM](https://www.w3schools.com/js/js\_htmldom.asp) but can interact with other sites' DOMs. This means that it may compromise other sites' confidentiality, integrity, and availability (CIA).
+
+## Main Components
+
+Extension layouts look best when visualised and consists of three components. Let’s look at each component in depth.
+
+
+
+### **Content Scripts**
+
+Each content script has direct access to the DOM of a **single web page** and is thereby exposed to **potentially malicious input**. However, the content script contains no permissions other than the ability to send messages to the extension core.
+
+To view and debug content scripts in Chrome, you can open the Chrome developer tools menu from Options > More tools > Developer tools OR (Press - Ctrl + Shift + I).
+
+With developer tools displayed, click the **Source tab**, then click the **Content Scripts** tab. Here you can see the running content scripts of the various extensions and set breakpoints to monitor the flow of execution. In our case, we have shown via the Wappalyzer browser extension.
+
+
+
+### **Extension Core**
+
+The extension core contains most of the extension privileges/access, but the extension core can only interact with web content via [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) and content scripts. Also, the extension core does not have direct access to the host machine.
+
+### **Native Binary**
+
+The extension allows a native binary that can **access the host machine with the user’s full privileges.** The native binary interacts with the extension core through the standard Netscape Plugin Application Programming Interface ([NPAPI](https://en.wikipedia.org/wiki/NPAPI)) used by Flash and other browser plug-ins.
+
+### Boundaries
+
+{% hint style="danger" %}
+To obtain the user's full privileges, an attacker must convince the extension to pass malicious input from the content script to the extension's core and from the extension's core to the native binary.
+{% endhint %}
+
+Each component of the extension is separated from each other by **strong protective boundaries**. Each component runs in a **separate operating system process**. Content scripts and extension cores run in **sandbox processes** unavailable to most operating system services.
+
+Moreover, content scripts separate from their associated web pages by **running in a separate JavaScript heap**. The content script and web page have **access to the same underlying DOM**, but the two **never exchange JavaScript pointers**, preventing the leaking of JavaScript functionality.
+
+## **`manifest.json`**
+
+A Chrome extension is just a ZIP folder with a [.crx file extension](https://www.lifewire.com/crx-file-2620391). The extension's core is the **`manifest.json`** file at the root of the folder, which specifies layout, permissions, and other configuration options.
+
+Example:
+
+```json
+{
+ "manifest_version": 2,
+ "name": "My extension",
+ "version": "1.0",
+ "permissions": [
+ "storage"
+ ],
+ "content_scripts": [
+ {
+ "js": [
+ "script.js"
+ ],
+ "matches": [
+ "https://example.com/*",
+ "https://www.example.com/*"
+ ],
+ "exclude_matches": ["*://*/*business*"],
+ }
+ ],
+ "background": {
+ "scripts": [
+ "background.js"
+ ]
+ },
+ "options_ui": {
+ "page": "options.html"
+ }
+}
+```
+
+### `content_scripts`
+
+Content scripts are **loaded** whenever the user **navigates to a matching page**, in our case any page matching the **`https://example.com/*`** expression and not matching the **`*://*/*/business*`** regex. They execute **like the page’s own scripts** and have arbitrary access to the page’s [Document Object Model (DOM)](https://developer.mozilla.org/en-US/docs/Web/API/Document\_Object\_Model).
+
+```json
+"content_scripts": [
+ {
+ "js": [
+ "script.js"
+ ],
+ "matches": [
+ "https://example.com/*",
+ "https://www.example.com/*"
+ ],
+ "exclude_matches": ["*://*/*business*"],
+ }
+ ],
+```
+
+In order to include or exclude more URLs it's also possible to use **`include_globs`** and **`exclude_globs`**.
+
+This is an example content script which will add an explain button to the page when [the storage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) to retrieve the `message` value from extension’s storage.
+
+```js
+chrome.storage.local.get("message", result =>
+{
+ let div = document.createElement("div");
+ div.innerHTML = result.message + " ";
+ div.querySelector("button").addEventListener("click", () =>
+ {
+ chrome.runtime.sendMessage("explain");
+ });
+ document.body.appendChild(div);
+});
+```
+
+
+
+When this button is clicked the content script **uses** [**runtime.sendMessage() API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/sendMessage) **to send a message to the extension pages**. That’s because a content script only has direct access to a handful of APIs such as `storage`. Everything else has to be done by extension pages that content scripts can send messages to.
+
+{% hint style="warning" %}
+The **content script capabilities** differ slightly depending on browser. For Chromium-based browsers you can find the list in the [Chrome Developers documentation](https://developer.chrome.com/docs/extensions/mv3/content\_scripts/#capabilities), for Firefox [MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content\_scripts#webextension\_apis) is the ultimate source.\
+Remember that the Content Script can also **communicate with the background scripts** so they perform actions and send back the response
+{% endhint %}
+
+### Injected content scripts
+
+{% hint style="success" %}
+Note that **Content Scripts aren't mandatory** as it's also possible to **dynamically** **inject** scripts and to **programatically inject them** in web pages via **`tabs.executeScript`**. This actually provides more **granular controls**.
+{% endhint %}
+
+To inject a content script programmatically, your extension needs [host permissions](https://developer.chrome.com/docs/extensions/reference/permissions) for the page it's trying to inject scripts into. Host permissions can either be granted by **requesting them** as part of your extension's manifest or temporarily via [**activeTab**](https://developer.chrome.com/docs/extensions/reference/manifest/activeTab)**.**
+
+#### Example activeTab-based extension
+
+{% code title="manifest.json" %}
+```json
+{
+ "name": "My extension",
+ ...
+ "permissions": [
+ "activeTab",
+ "scripting"
+ ],
+ "background": {
+ "service_worker": "background.js"
+ },
+ "action": {
+ "default_title": "Action Button"
+ }
+}
+```
+{% endcode %}
+
+* **Inject a JS file on click:**
+
+```javascript
+// content-script.js
+document.body.style.backgroundColor = "orange";
+
+//service-worker.js - Inject the JS file
+chrome.action.onClicked.addListener((tab) => {
+ chrome.scripting.executeScript({
+ target: { tabId: tab.id },
+ files: ["content-script.js"]
+ });
+});
+```
+
+* **Inject a function** on click:
+
+```javascript
+//service-worker.js - Inject a function
+function injectedFunction() {
+ document.body.style.backgroundColor = "orange";
+}
+
+chrome.action.onClicked.addListener((tab) => {
+ chrome.scripting.executeScript({
+ target : {tabId : tab.id},
+ func : injectedFunction,
+ });
+});
+```
+
+#### Example with scripting permissions
+
+```javascript
+// service-workser.js
+chrome.scripting.registerContentScripts([{
+ id : "test",
+ matches : [ "https://*.nytimes.com/*" ],
+ excludeMatches : [ "*://*/*business*" ],
+ js : [ "contentScript.js" ],
+}]);
+
+// ANother example
+chrome.tabs.executeScript(tabId, { file: "content_script.js" });
+```
+
+In order to include or exclude more URLs it's also possible to use **`include_globs`** and **`exclude_globs`**.
+
+### Content Scripts `run_at`
+
+The `run_at` field controls **when JavaScript files are injected into the web page**. The preferred and default value is `"document_idle"`.
+
+The possible values are:
+
+* **`document_idle`**: Whenever possible
+* **`document_start`**: After any files from `css`, but before any other DOM is constructed or any other script is run.
+* **`document_end`**: Immediately after the DOM is complete, but before subresources like images and frames have loaded.
+
+#### Via `manifest.json`
+
+```json
+{
+ "name": "My extension",
+ ...
+ "content_scripts": [
+ {
+ "matches": ["https://*.nytimes.com/*"],
+ "run_at": "document_idle",
+ "js": ["contentScript.js"]
+ }
+ ],
+ ...
+}
+
+```
+
+Via **`service-worker.js`**
+
+```javascript
+chrome.scripting.registerContentScripts([{
+ id : "test",
+ matches : [ "https://*.nytimes.com/*" ],
+ runAt : "document_idle",
+ js : [ "contentScript.js" ],
+}]);
+```
+
+### `background`
+
+When content scripts send a message its destination is the **background page**. The background page is a special page that is **always present** unless specified otherwise in the extension manifest. It is invisible to the user, despite being a regular page with its own DOM and everything. Its function is typically coordinating all other parts of the extension.
+
+{% hint style="success" %}
+If a background page isn’t declared explicitly, the browser will helpfully **generate one** automatically and make sure all the **declared background scripts are loaded** into it, like in the previous manifest.json example.
+{% endhint %}
+
+Example background script:
+
+```js
+chrome.runtime.onMessage.addListener((request, sender, sendResponse) =>
+{
+ if (request == "explain")
+ {
+ chrome.tabs.create({ url: "https://example.net/explanation" });
+ }
+})
+```
+
+It uses [runtime.onMessage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage) to listen to messages. When an `"explain"` message is received, it uses [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) to open a page in a new tab.
+
+### Options pages and other
+
+Browser extensions can contain various kinds of pages:
+
+* **Action pages** are displayed in a **drop-down when the extension ico**n is clicked.
+* Pages that the extension will **load in a new tab**.
+* **Option Pages**: This page displays on top of the extension when clicked. In the previous manifest In my case I was able to access this page in `chrome://extensions/?options=fadlhnelkbeojnebcbkacjilhnbjfjca` or clicking:
+
+
+
+
+
+Unlike the background page, these pages aren’t persistent but rather load when needed. Yet all of them can **receive messages from content scripts**. And all of them have **full access to extension-specific APIs**, as far as the extension’s permissions allow.
+
+Altogether the relevant contexts for browser extensions look like this:
+
+
+
+### `permissions` & `host_permissions`
+
+**`permissions`** and **`host_permissions`** are entries from the `manifest.json` that will indicate **which permissions** the browser extensions has (storage, location...) and in **which web pages**.
+
+As browser extensions can be so **privileged**, a malicious one or one being compromised could allow the attacker **different means to steal sensitive information and spy on the user**.
+
+Check how these settings work and how thye could get abused in:
+
+{% content-ref url="browext-permissions-and-host_permissions.md" %}
+[browext-permissions-and-host\_permissions.md](browext-permissions-and-host\_permissions.md)
+{% endcontent-ref %}
+
+### `content_security_policy`
+
+A c**ontent security policy** can be declared also inside the `manifest.json`. If there is one defined, it could be **vulnerable**.
+
+The default setting for browser extension pages is rather restrictive:
+
+```bash
+script-src 'self'; object-src 'self';
+```
+
+For more info about CSP and potential bypasses check:
+
+{% content-ref url="../content-security-policy-csp-bypass/" %}
+[content-security-policy-csp-bypass](../content-security-policy-csp-bypass/)
+{% endcontent-ref %}
+
+### `web_accessible_resources`
+
+in order for a webpage to access a page of a Browser Extension, a `.html` page for example, this page needs to be mentioned in the **`web_accessible_resources`** field of the `manifest.json`.\
+For example:
+
+```javascript
+{
+ ...
+ "web_accessible_resources": [
+ {
+ "resources": [ "images/*.png" ],
+ "matches": [ "https://example.com/*" ]
+ },
+ {
+ "resources": [ "fonts/*.woff" ],
+ "matches": [ "https://example.com/*" ]
+ }
+ ],
+ ...
+}
+```
+
+These pages are accesible in URL like:
+
+```
+chrome-extension:///message.html
+```
+
+In public extensions the **extension-id is accesible**:
+
+
+
+Although, if the `manifest.json` parameter **`use_dynamic_url`** is used, this **id can be dynamic**.
+
+Being allowed to access these pages make these pages **potentially vulnerable ClickJacking**:
+
+{% content-ref url="browext-clickjacking.md" %}
+[browext-clickjacking.md](browext-clickjacking.md)
+{% endcontent-ref %}
+
+{% hint style="success" %}
+Allowing these pages to be loaded only by the extension and not by random URLs could prevent CLickJacking attacks.
+{% endhint %}
+
+### `externally_connectable`
+
+A per the [**docs**](https://developer.chrome.com/docs/extensions/reference/manifest/externally-connectable), The `"externally_connectable"` manifest property declares **which extensions and web pages can connect** to your extension via [runtime.connect](https://developer.chrome.com/docs/extensions/reference/runtime#method-connect) and [runtime.sendMessage](https://developer.chrome.com/docs/extensions/reference/runtime#method-sendMessage).
+
+* If the **`externally_connectable`** key is **not** declared in your extension's manifest or it's declared as **`"ids": ["*"]`**, **all extensions can connect, but no web pages can connect**.
+* If **specific IDs are specified**, like in `"ids": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]`, **only those applications** can connect.
+* If **matches** are specified, those web apps will be able to connect:
+
+```json
+"matches": [
+ "https://*.google.com/*",
+ "*://*.chromium.org/*",
+```
+
+* If it's specified as empty: **`"externally_connectable": {}`**, no app or web will be able to connect.
+
+The **less extensions and URLs** indicated here, the **smaller the attack surface** will be.
+
+{% hint style="danger" %}
+If a web page **vulnerable to XSS or takeover** is indicated in **`externally_connectable`**, an attacker will be able to **send messages directly to the background script**, completely bypassing the Content Script and its CSP.
+
+Therefore, this is a **very powerful bypass**.
+{% endhint %}
+
+## Web **↔︎** Content Script Communication
+
+Although the execution environments of **content scripts and the pages** that host them are **isolated** from each other, they **share access to the page's DOM**. If the page wishes to communicate with the content script, or with the extension via the content script, it must do so through the **shared DOM**.
+
+### Post Messages
+
+{% code title="content-script.js" %}
+```javascript
+var port = chrome.runtime.connect();
+
+window.addEventListener("message", (event) => {
+ // We only accept messages from ourselves
+ if (event.source !== window) {
+ return;
+ }
+
+ if (event.data.type && (event.data.type === "FROM_PAGE")) {
+ console.log("Content script received: " + event.data.text);
+ port.postMessage(event.data.text);
+ }
+}, false);
+```
+{% endcode %}
+
+{% code title="example.js" %}
+```javascript
+document.getElementById("theButton").addEventListener("click", () => {
+ window.postMessage(
+ {type : "FROM_PAGE", text : "Hello from the webpage!"}, "*");
+}, false);
+```
+{% endcode %}
+
+A secure Post Message communication should check the authenticity of the received message, this can be done checking:
+
+* **`event.isTrusted`**: This is True only if the event was triggered by a users action
+ * The content script might expecting a message only if the user performs some action
+* **origin domain**: It can be checked against an allowlist of domains.
+ * If a regex is used, be very careful
+* **Source**: `received_message.source !== window` can be used to check if the message was **from the same window** where the Content Script is listening.
+
+The previous checks, even if performed, could be vulnerable, so check in the following page **potential Post Message bypasses**:
+
+{% content-ref url="../postmessage-vulnerabilities/" %}
+[postmessage-vulnerabilities](../postmessage-vulnerabilities/)
+{% endcontent-ref %}
+
+### Iframe
+
+Another possible way of communication might be through **Iframe URLs**, you can find an example in:
+
+{% content-ref url="browext-xss-example.md" %}
+[browext-xss-example.md](browext-xss-example.md)
+{% endcontent-ref %}
+
+### DOM
+
+This isn't "exactly" a communication way, but the **web and the content script will have access to the web DOM**. So, if the **content script** is reading some information from it, **trusting the web DOM**, the web could **modify this dat**a (because the web shouldn't be trusted, or because the web is vulnerable to XSS) and **compromise the Content Script**.
+
+You can also find an example of a **DOM based XSS to compromise a browser extension** in:
+
+{% content-ref url="browext-xss-example.md" %}
+[browext-xss-example.md](browext-xss-example.md)
+{% endcontent-ref %}
+
+## Sensitive Information in Memory/Code
+
+If a Browser Extension stores **sensitive information inside it's memory**, this could be **dumped** (specially in Windows machines) and **searched** for this information.
+
+Therefore, the memory of the Browser Extension **shouldn't be considered secure** and **sensitive information** such as credentials or mnemonic phrases **shouldn't be stored**.
+
+Of course, do **not put sensitive information in the code**, as it will be **public**.
+
+## Content Script **↔︎** Background Script Communication
+
+A Content Script can use the functions [**runtime.sendMessage()**](https://developer.chrome.com/docs/extensions/reference/runtime#method-sendMessage) **or** [**tabs.sendMessage()**](https://developer.chrome.com/docs/extensions/reference/tabs#method-sendMessage) to send a **one-time JSON-serializable** message.
+
+To handle the **response**, use the returned **Promise**. Although, for backward compatibility, you can still pass a **callback** as the last argument.
+
+Sending a request from a **content script** looks like this:
+
+```javascript
+(async () => {
+ const response = await chrome.runtime.sendMessage({greeting: "hello"});
+ // do something with response here, not outside the function
+ console.log(response);
+})();
+```
+
+Sending a request from the **extension** (usually a **background script**) to a content script is similar, except that you need to specify which tab to send it to. This example demonstrates sending a message to the content script in the selected tab.
+
+```javascript
+(async () => {
+ const [tab] = await chrome.tabs.query({active: true, lastFocusedWindow: true});
+ const response = await chrome.tabs.sendMessage(tab.id, {greeting: "hello"});
+ // do something with response here, not outside the function
+ console.log(response);
+})();
+```
+
+On the **receiving end**, you need to set up an [**runtime.onMessage**](https://developer.chrome.com/docs/extensions/reference/runtime#event-onMessage) **event listener** to handle the message. This looks the same from a content script or extension page.
+
+```javascript
+chrome.runtime.onMessage.addListener(
+ function(request, sender, sendResponse) {
+ console.log(sender.tab ?
+ "from a content script:" + sender.tab.url :
+ "from the extension");
+ if (request.greeting === "hello")
+ sendResponse({farewell: "goodbye"});
+ }
+);
+```
+
+In the above example, **`sendResponse()`** was called synchronously. If you want to **asynchronously** use `sendResponse()`, add `return true;` to the `onMessage` event handler.
+
+> If multiple pages are listening for `onMessage` events, **only the first to call `sendResponse()`** for a particular event will succeed in sending the response. All other responses to that event will be ignored.
+
+For new extensions you should prefer promises over callbacks. If you're using callbacks, the `sendResponse()` callback is only valid if used synchronously, or if the event handler returns `true` to indicate that it will respond asynchronously. The `sendMessage()` function's callback will be invoked automatically if no handlers return true or if the `sendResponse()` callback is garbage-collected.
+
+## Loading an Extension in the Browser
+
+1. **Download** the Browser Extension & unzipped
+2. Go to **`chrome://extensions/`** and **enable** the `Developer Mode`
+3. Click the **`Load unpacked`** button
+
+In **Firefox** you go to **`about:debugging#/runtime/this-firefox`** and click **`Load Temporary Add-on`** button.
+
+## Getting the source code from the store
+
+From [**here**](https://gist.github.com/paulirish/78d6c1406c901be02c2d):
+
+### Option 1: Command-line download extension as zip and extract
+
+{% code overflow="wrap" %}
+```bash
+extension_id=jifpbeccnghkjeaalbbjmodiffmgedin # change this ID
+curl -L -o "$extension_id.zip" "https://clients2.google.com/service/update2/crx?response=redirect&os=mac&arch=x86-64&nacl_arch=x86-64&prod=chromecrx&prodchannel=stable&prodversion=44.0.2403.130&x=id%3D$extension_id%26uc"
+unzip -d "$extension_id-source" "$extension_id.zip"
+```
+{% endcode %}
+
+Thx to crxviewer for the [magic download URL](https://github.com/Rob--W/crxviewer/blob/6113c25e3569e1ec59365ad9a177aa97e2bcda61/src/cws\_pattern.js#L27-L74).
+
+### Option 2: Use the CRX Viewer website
+
+[https://robwu.nl/crxviewer/](https://robwu.nl/crxviewer/)
+
+### Option 3: Use the CRX Viewer extension
+
+The [Chrome extension source viewer](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin?hl=en) is open source ([github repo](https://github.com/Rob--W/crxviewer)) and makes this super easy.
+
+### Option 3: View source of locally installed extension
+
+1. Find your Chrome local profile directory. Open `chrome://version/` and find the "Profile Path:\` field. Open that folder up.
+2. Open the `Extensions/` subfolder
+3. All your extensions are here, with typically readable source.
+
+#### Mapping between locally installed extension IDs and names
+
+* On `about:extensions`, turn on Developer Mode and you'll see IDs under each entry
+* Inside the `Extensions/` folders, the manifest.json has a readable `name` field
+
+## Security Audit Checklist
+
+Even though Browser Extensions have a **limited attack surface**, some of them might contain **vulnerabilities** or **potential hardening improvements**. The following ones are the most common ones:
+
+* [ ] **Limit** as much as possible requested **`permissions`**
+* [ ] **Limit** as much as possible **`host_permissions`**
+* [ ] Use a **strong** **`content_security_policy`**
+* [ ] **Limit** as much as possible the **`externally_connectable`**, if none is needed and possible, do not leave it by default, specify **`{}`**
+ * [ ] If **URL vulnerable to XSS or to takeover** is mentioned here, an attacker will be able to **send messages to the background scripts directly**. Very powerful bypass.
+* [ ] **Limit** as much as possible the **`web_accessible_resources`**, even empty if possible.
+* [ ] If **`web_accessible_resources`** is not none, check for [**ClickJacking**](browext-clickjacking.md)
+* [ ] If any **communication** occurs from the **extension** to the **web page**, [**check for XSS**](browext-xss-example.md) **vulnerabilities** caused in the communication.
+ * [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/)**.**
+ * [ ] If the **Content Script access DOM details**, check that they **aren't introducing a XSS** if they get **modified** by the web
+ * [ ] Make a special emphasis if this communication is also involved in the **Content Script -> Background script communication**
+* [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **code**
+* [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **memory**
+
+## Tools
+
+### [**Tarnish**](https://thehackerblog.com/tarnish/)
+
+* Pulls any Chrome extension from a provided Chrome webstore link.
+* [**manifest.json**](https://developer.chrome.com/extensions/manifest) **viewer**: simply displays a JSON-prettified version of the extension’s manifest.
+* **Fingerprint Analysis**: Detection of [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) and automatic generation of Chrome extension fingerprinting JavaScript.
+* **Potential Clickjacking Analysis**: Detection of extension HTML pages with the [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages.
+* **Permission Warning(s) viewer**: which shows a list of all the Chrome permission prompt warnings which will be displayed upon a user attempting to install the extension.
+* **Dangerous Function(s)**: shows the location of dangerous functions which could potentially be exploited by an attacker (e.g. functions such as innerHTML, chrome.tabs.executeScript).
+* **Entry Point(s)**: shows where the extension takes in user/external input. This is useful for understanding an extension’s surface area and looking for potential points to send maliciously-crafted data to the extension.
+* Both the Dangerous Function(s) and Entry Point(s) scanners have the following for their generated alerts:
+ * Relevant code snippet and line that caused the alert.
+ * Description of the issue.
+ * A “View File” button to view the full source file containing the code.
+ * The path of the alerted file.
+ * The full Chrome extension URI of the alerted file.
+ * The type of file it is, such as a Background Page script, Content Script, Browser Action, etc.
+ * If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and [web\_accessible\_resource](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) status.
+* **Content Security Policy (CSP) analyzer and bypass checker**: This will point out weaknesses in your extension’s CSP and will also illuminate any potential ways to bypass your CSP due to whitelisted CDNs, etc.
+* **Known Vulnerable Libraries**: This uses [Retire.js](https://retirejs.github.io/retire.js/) to check for any usage of known-vulnerable JavaScript libraries.
+* Download extension and formatted versions.
+ * Download the original extension.
+ * Download a beautified version of the extension (auto prettified HTML and JavaScript).
+* Automatic caching of scan results, running an extension scan will take a good amount of time the first time you run it. However the second time, assuming the extension hasn’t been updated, will be almost instant due to the results being cached.
+* Linkable Report URLs, easily link someone else to an extension report generated by tarnish.
+
+### [Neto](https://github.com/elevenpaths/neto)
+
+Project Neto is a Python 3 package conceived to analyse and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in a extension like `manifest.json`, localization folders or Javascript and HTML source files.
+
+## References
+
+* **Thanks to** [**@naivenom**](https://twitter.com/naivenom) **for the help with this methodology**
+* [https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing](https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing)
+* [https://palant.info/2022/08/10/anatomy-of-a-basic-extension/](https://palant.info/2022/08/10/anatomy-of-a-basic-extension/)
+* [https://palant.info/2022/08/24/attack-surface-of-extension-pages/](https://palant.info/2022/08/24/attack-surface-of-extension-pages/)
+* [https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/](https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/)
+* [https://help.passbolt.com/assets/files/PBL-02-report.pdf](https://help.passbolt.com/assets/files/PBL-02-report.pdf)
+* [https://developer.chrome.com/docs/extensions/develop/concepts/content-scripts](https://developer.chrome.com/docs/extensions/develop/concepts/content-scripts)
+* [https://developer.chrome.com/docs/extensions/mv2/background-pages](https://developer.chrome.com/docs/extensions/mv2/background-pages)
+* [https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/](https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/)
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
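Review bot: the `externally_connectable` example under "If matches are specified" is an unclosed JSON fragment (`"matches": [` followed by two entries and no closing `]` or object brace), and the `web_accessible_resources` URL example `chrome-extension:///message.html` has lost its extension-id segment, so neither can be copied as written; close the array and write the URL with an explicit placeholder for the ID. Same hunk, smaller points: the Option Pages bullet runs two sentences together ("In the previous manifest In my case I was able to access this page in ... or clicking:") and is followed by blank lines where the screenshots should be, so the sentence needs rewording and the images need to be present; the headings "Option 3: Use the CRX Viewer extension" and "Option 3: View source of locally installed extension" share a number, so the second should be Option 4; the `event.isTrusted` bullet says the flag is true only for user actions, which conflicts with using it as a check on `message` events, since a `message` event delivered by `postMessage` carries `isTrusted === true` whether or not a user did anything, so that bullet should be reworded or dropped (and "The content script might expecting" needs "be"); in the checklist, "If `web_accessible_resources` is not none" should read "is not empty". Bold markers are misplaced in "extension ico**n", "A c**ontent security policy" and "modify this dat**a", and there are typos to fix: "thye", "accesible" (twice), "potentially vulnerable ClickJacking" (missing "to"), "CLickJacking", "A per the docs" (As per), "it's memory", "specially" (especially), "Download the Browser Extension & unzipped" (and unzip it), and the stray backslash-backtick in "Profile Path:\`".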
diff --git a/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md b/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
new file mode 100644
index 000000000..324949841
--- /dev/null
+++ b/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
@@ -0,0 +1,114 @@
+# BrowExt - ClickJacking
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## Basic Information
+
+This page is going to abuse a ClickJacking vulnerability in a Browser extension.\
+If you don't know what ClickJacking is check:
+
+{% content-ref url="../clickjacking.md" %}
+[clickjacking.md](../clickjacking.md)
+{% endcontent-ref %}
+
+Extensions contains the file **`manifest.json`** and that JSON file has a field `web_accessible_resources`. Here's what [the Chrome docs](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) say about it:
+
+> These resources would then be available in a webpage via the URL **`chrome-extension://[PACKAGE ID]/[PATH]`**, which can be generated with the **`extension.getURL method`**. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)
+
+In addition to being web accessible, the resources in the **`web_accessible_resources`** run with the ambient authority of the extension: they can alter state, load other resources, and modify the browser in certain ways. If a document in `web_accessible_resources` can perform any interesting behavior, an attacker can embed it in a webpage and trick visitors into triggering it.
+
+## PrivacyBadger Example
+
+It was discovered that the extension PrivacyBadger, the contents of the directory `skin/` were `web_accessible_resources`:
+
+```json
+"web_accessible_resources": [
+ "skin/*",
+ "icons/*"
+]
+```
+
+So, by loading `skin/popup.html`, the document that gets rendered when you click the the PrivacyBadger icon in the browser, i**n an iframe we could fool the user into clicking "Disable PrivacyBadger for this Website"**, opening up the user to additional tracking and undermining the function of PrivacyBadger. **Check the ClickJacking video example in** [**https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm**](https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm)
+
+The fix was easy: **remove `/skin/*` from the `web_accessible_resources`**.
+
+### PoC
+
+```html
+
+
+
+
+ Click the button
+
+
+
+
+
+```
+
+## Metamask Example
+
+A [**blog post about a ClickJacking in metamask can be found here**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). In this case, Metamask fixed the vulnerability by checking that the protocol used to access it was **`https:`** or **`http:`** (not **`chrome:`** for example):
+
+
+
+**Another ClickJacking fixed** in the Metamask extension was that users were able to **Click to whitelist** when a page was suspicious of being phishing because of `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`. As that page was vulnerable to Clickjacking, an attacker could abuse it showing something normal to make the victim click to whitelist it without noticing, and then going back to the phishing page which will be whitelisted.
+
+## Steam Inventory Helper Example
+
+Check the following page to check how a **XSS** in a browser extension was chained with a **ClickJacking** vulnerability:
+
+{% content-ref url="browext-xss-example.md" %}
+[browext-xss-example.md](browext-xss-example.md)
+{% endcontent-ref %}
+
+## References
+
+* [https://blog.lizzie.io/clickjacking-privacy-badger.html](https://blog.lizzie.io/clickjacking-privacy-badger.html)
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
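Review bot: the PoC block under "### PoC" is empty apart from the text "Click the button"; the HTML (the iframe pointing at the extension page and whatever is laid over it) was stripped, so the block currently demonstrates nothing and should either be restored or removed together with its heading. Also in this hunk: the blockquote from the Chrome docs carries a footnote marker `[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)` pasted from the source blog that should be dropped or turned into a normal reference; the sentence "It was discovered that the extension PrivacyBadger, the contents of the directory `skin/` were `web_accessible_resources`" does not parse (something like "It was discovered that in the PrivacyBadger extension the contents of `skin/` were web accessible"); the Metamask manifest excerpt uses curly quotes (`“web_accessible_resources”: [“inpage.js”, “phishing.html”]`), which is invalid JSON if anyone copies it, so use straight quotes; the blank lines after "(not `chrome:` for example):" stand where a screenshot should be. Minor: "Extensions contains" (contain), "click the the PrivacyBadger icon", the bold marker inside "i**n an iframe", and "Check the following page to check how" (to see how).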
diff --git a/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md b/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md
new file mode 100644
index 000000000..a18cb2cfd
--- /dev/null
+++ b/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md
@@ -0,0 +1,139 @@
+# BrowExt - permissions & host\_permissions
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## Basic Information
+
+### **`permissions`**
+
+Permissions are defined in the extension's **`manifest.json`** file using the **`permissions`** property and allow access to almost anything a browser can access (Cookies or Physical Storage):
+
+The previous manifest declares that the extension requires the `storage` permission. This means that it can use [the storage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) to store its data persistently. Unlike cookies or `localStorage` APIs which give users some level of control, **extension storage can normally only be cleared by uninstalling the extension**.
+
+An extension will request the permissions indicated in its **`manifest.json`** file and After installing the extension, you can **always check its permissions in your browser**, as shown in this image:
+
+
+
+You can find the [**complete list of permissions a Chromium Browser Extension can request here**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) and a [**complete list for Firefox extensions here**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api\_permissions)**.**
+
+### `host_permissions`
+
+The optional but powerful setting **`host_permissions`** indicates with which hosts the extension is going to be able to interact via apis such as [`cookies`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies), [`webRequest`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest), and [`tabs`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs).
+
+The following `host_permissions` basically allow every web:
+
+```json
+"host_permissions": [
+ "*://*/*"
+]
+
+// Or:
+"host_permissions": [
+ "http://*/*",
+ "https://*/*"
+]
+
+// Or:
+"host_permissions": [
+ ""
+]
+```
+
+These are the hosts that the browser extension can access freely. This is because when a browser extension calls **`fetch("https://gmail.com/")`** it's not restricted by CORS.
+
+## Abusing `permissions` and `host_permissions`
+
+### Tabs
+
+Moreover, **`host_permissions`** also unlock “advanced” [**tabs API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) **functionality.** They allow the extension to call [tabs.query()](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/query) and not only get a **list of user’s browser tabs** back but also learn which **web page (meaning address and title) is loaded**.
+
+{% hint style="danger" %}
+Not only that, listeners like [**tabs.onUpdated**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/onUpdated) **become way more useful as well**. These will be notified whenever a new page loads into a tab.
+{% endhint %}
+
+### Running content scripts
+
+Content scripts aren’t necessarily written statically into the extension manifest. Given sufficient **`host_permissions`**, **extensions can also load them dynamically by calling** [**tabs.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/executeScript) **or** [**scripting.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/executeScript).
+
+Both APIs allow executing not merely files contained in the extensions as content scripts but also **arbitrary cod**e. The former allows passing in JavaScript code as a string while the latter expects a JavaScript function which is less prone to injection vulnerabilities. Still, both APIs will wreak havoc if misused.
+
+{% hint style="danger" %}
+In addition to the capabilities above, content scripts could for example **intercept credentials** as these are entered into web pages. Another classic way to abuse them is **injecting advertising** on each an every website. Adding **scam messages** to abuse credibility of news websites is also possible. Finally, they could **manipulate banking** websites to reroute money transfers.
+{% endhint %}
+
+### Implicit privileges
+
+Some extension privileges **don’t have to be explicitly declared**. One example is the [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs): its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely won’t know which website these tabs correspond with.
+
+Sounds too harmless? The [tabs.create() API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/create) is somewhat less so. It can be used to **create a new tab**, essentially the same as [window.open()](https://developer.mozilla.org/en-US/docs/Web/API/Window/open) which can be called by any website. Yet while `window.open()` is subject to the **pop-up blocker, `tabs.create()` isn’t**.
+
+{% hint style="danger" %}
+An extension can create any number of tabs whenever it wants.
+{% endhint %}
+
+If you look through possible `tabs.create()` parameters, you’ll also notice that its capabilities go way beyond what `window.open()` is allowed to control. And while Firefox doesn’t allow `data:` URIs to be used with this API, Chrome has no such protection. **Use of such URIs on the top level has been** [**banned due to being abused for phishing**](https://bugzilla.mozilla.org/show\_bug.cgi?id=1331351)**.**
+
+[**tabs.update()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/update) is very similar to `tabs.create()` but will **modify an existing tab**. So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well.
+
+### Webcam, geolocation and friends
+
+You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). It’s features with considerable potential for abuse, so users each time have to confirm that they still want this.
+
+{% hint style="danger" %}
+Not so with browser extensions. **If a browser extension** [**wants access to your webcam or microphone**](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia)**, it only needs to ask for permission once**
+{% endhint %}
+
+Typically, an extension will do so immediately after being installed. Once this prompt is accepted, **webcam access is possible at any time**, even if the user isn’t interacting with the extension at this point. Yes, a user will only accept this prompt if the extension really needs webcam access. But after that they have to trust the extension not to record anything secretly.
+
+With access to [your exact geographical location](https://developer.mozilla.org/en-US/docs/Web/API/Geolocation) or [contents of your clipboard](https://developer.mozilla.org/en-US/docs/Web/API/Clipboard\_API), granting permission explicitly is unnecessary altogether. **An extension simply adds `geolocation` or `clipboard` to the** [**permissions entry**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) **of its manifest**. These access privileges are then granted implicitly when the extension is installed. So a malicious or compromised extension with these privileges can create your movement profile or monitor your clipboard for copied passwords without you noticing anything.
+
+Adding the **`history`** keyword to the [permissions entry](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) of the extension manifest grants **access to the** [**history API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/history). It allows retrieving the user’s entire browsing history all at once, without waiting for the user to visit these websites again.
+
+The **`bookmarks`** **permission** has similar abuse potential, this one allows **reading out all bookmarks via the** [**bookmarks API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks).
+
+### Storage permission
+
+The extension storage is merely a key-value collection, very similar to [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) that any website could use. So no sensitive information should be stored here.
+
+However, advertising companies could also abuse this storage.
+
+### More permissions
+
+You can find the [**complete list of permissions a Chromium Browser Extension can request here**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) and a [**complete list for Firefox extensions here**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api\_permissions)**.**
+
+## Prevention
+
+Google’s developer policies [explicitly prohibit](https://developer.chrome.com/docs/webstore/program\_policies/#permissions) requesting more privileges that necessary for the extension to function. In my experience this rule in fact works. I can only think of one case where a browser extension [requested too many privileges](https://palant.info/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit/#selecting-a-target), and this particular extension was being distributed with the browser rather than via some add-on store.
+
+In some cases browsers could do better to **limit the abuse potential** of extension privileges. For example, Chrome allows screen recording via [tabCapture](https://developer.chrome.com/docs/extensions/reference/tabCapture/) or [desktopCapture](https://developer.chrome.com/docs/extensions/reference/desktopCapture/) APIs. The abuse potential is low because the former can only be started as a **response to a user action** (typically clicking the extension icon) whereas the latter brings up a prompt to select the application window to be recorded. Both are sufficient to prevent extensions from silently starting to record in the background.
+
+Such security improvements have the tendency to make extensions **less flexible and less user-friendly** however. A good example here is the [activeTab permission](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab\_permission). Its purpose is to make requesting host privileges for the entire internet unnecessary. Instead, the **extension can access the current tab when the extension is explicitly activated**, typically by clicking its icon.
+
+That approach works well for some extensions, particularly those where the user needs to explicitly trigger an action. It **doesn’t work in scenarios where extensions have to perform their work automatically** however (meaning being more convenient for the user) or where the extension action cannot be executed immediately and requires preparation.
+
+## **References**
+
+* [https://palant.info/2022/08/17/impact-of-extension-privileges/](https://palant.info/2022/08/17/impact-of-extension-privileges/)
+* [https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing](https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing)
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
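Review bot: The `clipboard` permission name in the "Webcam, geolocation and friends" paragraph is not what the manifest key is called; both Chrome and Firefox use `clipboardRead` and `clipboardWrite`, so a reader auditing a manifest for this privilege should grep for those. Smaller points in the same hunk: "each an every website" should be "each and every website", "It's features with considerable potential for abuse" should read "These are features with considerable potential for abuse", "more privileges that necessary" should be "than necessary", and the danger hint about webcam and microphone access is missing its final period. The "Storage permission" section asserts that "advertising companies could also abuse this storage" without saying how; either state the abuse or drop the sentence, since as written it gives the reader nothing to check. In the Prevention section, "Both are sufficient to prevent extensions from silently starting to record" should be "Either is sufficient", because each mechanism (the user-action requirement for tabCapture, the window-selection prompt for desktopCapture) blocks silent recording on its own. Finally, the sponsor footer block is repeated verbatim at the top and bottom of every page in this PR; if that is intentional it should come from a shared include rather than being pasted into each file.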
diff --git a/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md b/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md
new file mode 100644
index 000000000..e19f607c2
--- /dev/null
+++ b/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md
@@ -0,0 +1,145 @@
+# BrowExt - XSS Example
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## XSS on Iframe
+
+**Content script** creates an Iframe indicating an **URL in the parameters of the iFrame source**:
+
+```javascript
+chrome.storage.local.get("message", result =>
+{
+ frame.src = chrome.runtime.getURL("message.html") +
+ "?message=" + encodeURIComponent(result.message) +
+ "&url=https://example.net/explanation";
+});
+```
+
+A exposed html page: **`message.html`**, accesible from the **browser**, contains a code such as:
+
+```java
+$(() =>
+{
+ let params = new URLSearchParams(location.search);
+ $(document.body).append(params.get("message") + " ");
+ $("body > button").click(() =>
+ {
+ chrome.tabs.create({ url: params.get("url") });
+ });
+});
+```
+
+The malicious page execute a script like the following to change the message for a **XSS payload**:
+
+```javascript
+setTimeout(() =>
+{
+ let frame = document.querySelector("iframe:last-child");
+ let src = frame.src;
+
+ // Remove existing query parameters
+ src = src.replace(/\?.*/, "");
+
+ // Add malicious query parameters
+ src += "?message=" + encodeURIComponent("");
+
+ // Load into frame
+ frame.src = src;
+}, 1000);
+```
+
+A permissive Content Security Policy like
+
+```json
+"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
+```
+
+will allow the execution of the JS code.
+
+Another way to trigger the XSS at will is running:
+
+```javascript
+let frame = document.createElement("iframe");
+frame.src = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?message="
+ + encodeURIComponent("");
+document.body.appendChild(frame);
+```
+
+## DOM-based XSS + ClickJacking
+
+The first vulnerability is the DOM-based Cross-site Scripting (XSS) vulnerability in **`/html/bookmarks.html`**, the following is the vulnerable JavaScript from the included **`bookmarks.js`**:
+
+```javascript
+$('#btAdd').click(function() {
+ var btname = $('#txtName').val();
+ if ($('.custom-button .name').filter(function() {
+ return $(this).text() === btname;
+ }).length) return false;
+
+ var span = $('');
+ span.html('' + btname + '');
+ span.append('x');
+ span.attr('title', btname);
+ span.data('id', (new Date().getTime()));
+ $('div.custom-buttons .existing').append(span);
+ save_options();
+});
+```
+
+The above JavaScript takes the **value** of the **`txtName`** text box and uses **string concatenation to build HTML** which is appended to the DOM via jQuery’s [“append()”](https://api.jquery.com/append/) function.
+
+Normally, Chrome extension Content Security Policy (CSP) should prevent this vulnerability from being exploited. However, due to the **loosening of this policy via** [**‘unsafe-eval’**](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) and the use of jQuery’s DOM APIs, this was still able to be **exploited**. This is due to much of jQuery’s DOM APIs making use of [“globalEval()”](https://api.jquery.com/jquery.globaleval/), which automatically passes scripts to [“eval()”](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global\_Objects/eval) upon appending to the DOM.
+
+While this is a serious vulnerability, on its own exploitation is fairly limited due to the **user-interaction required to exploit it**. The victim would have to open the page, paste a Cross-site Scripting (XSS) payload into the field, and click the “Add” button to exploit it.
+
+In order to better weaponize this vulnerability we make use of a separate vulnerability (**clickjacking**) in order to bolster the attack.
+
+The following is an excerpt from the Chrome extension’s manifest:
+
+```json
+...trimmed for brevity...
+"web_accessible_resources": [
+ "_locales/*",
+ "bundle/*",
+ "dist/*",
+ "assets/*",
+ "font/*",
+ "html/bookmarks.html",
+ "css/*.css",
+ "js/*.js",
+ "js/jquery/*.js",
+ "js/lang/*"
+],
+...trimmed for brevity...
+```
+
+The above section demonstrates that the extension casts a wide net with its **`web_accessible_resources`** policy.
+
+The **`/html/bookmarks.html`** page is also able to be **framed** and thus **exploited** via **clickjacking**. We abuse this to iframe this page in our web page, and **overlay the frame with DOM elements to redress the layout**. This makes it so that the victim is unaware that they are **actually interacting with the extension below**. The following animation demonstrates this effect (check the animation in the [**original post writeup**](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)).
+
+## References
+
+* [https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/](https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/)
+* [https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
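Review bot: The `bookmarks.js` snippet has lost its HTML tag markup, so the lines `var span = $('');`, `span.html('' + btname + '');` and `span.append('x');` no longer show any HTML being built, and the prose that follows ("uses string concatenation to build HTML") cannot be verified against the code; restore the element markup from the referenced writeup. The same elision affects the two `encodeURIComponent("")` calls in the "XSS on Iframe" section: with an empty string the snippets merely set an empty message, so the text should mark the removed payload with a clearly labelled placeholder rather than leaving a no-op. The second code fence in that section is tagged `java` but contains JavaScript (jQuery), which breaks syntax highlighting; tag it `javascript` like its neighbours. The first snippet uses `frame` without declaring it, which is fine for an excerpt but should be said. The CSP paragraph claims the policy "will allow the execution of the JS code" without saying why; the reason, that `'unsafe-eval'` enables jQuery's globalEval/eval path while the default extension CSP would block it, is only given later in the DOM-XSS section, so a one-line pointer here would help. For the manifest excerpt, the defender-side takeaway deserves a sentence: removing `html/bookmarks.html` from `web_accessible_resources` (or, in Manifest V3, restricting the entry's `matches`) is what removes the cross-origin framing vector that the clickjacking relies on. Wording: "A exposed html page" should be "An exposed HTML page", "accesible" should be "accessible", "The malicious page execute a script" should be "executes", and the first-person "We abuse this to iframe this page in our web page" is lifted from the referenced writeup and should be quoted or rewritten in the page's own voice.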
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md
index d670ad96a..12e664ecd 100644
--- a/pentesting-web/cache-deception.md
+++ b/pentesting-web/cache-deception.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
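Review bot: The removed and added lines of this hunk are visually identical (both blank), so whatever changed, presumably the sponsor banner image reference, cannot be reviewed from this view; please include the actual image markdown or link in the diff so the replacement target can be checked. The same applies to the other banner-only hunks in `cache-deception.md`, `clickjacking.md`, `command-injection.md`, `crlf-0d-0a.md`, `exploiting-__viewstate-parameter.md`, `domain-subdomain-takeover.md`, `email-injections.md`, `phar-deserialization.md` and `nosql-injection.md` below.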
@@ -125,7 +125,7 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul
Example usage: `wcvs -u example.com`
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -232,7 +232,7 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md
index 99e9b3a9c..e84cabece 100644
--- a/pentesting-web/clickjacking.md
+++ b/pentesting-web/clickjacking.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -177,7 +177,7 @@ See the following documentation for further details and more complex examples:
* [**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)
* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/command-injection.md b/pentesting-web/command-injection.md
index 892badaf7..50046894c 100644
--- a/pentesting-web/command-injection.md
+++ b/pentesting-web/command-injection.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -168,7 +168,7 @@ powershell C:**2\n??e*d.*? # notepad
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md
index 6fa821a6e..faa6d15ff 100644
--- a/pentesting-web/crlf-0d-0a.md
+++ b/pentesting-web/crlf-0d-0a.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -250,7 +250,7 @@ The best prevention technique is to not use users input directly inside response
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index 2f0ee4823..5dc7e0e2f 100644
--- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -237,7 +237,7 @@ out of band request with the current username
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/domain-subdomain-takeover.md b/pentesting-web/domain-subdomain-takeover.md
index 1bf109a49..681989754 100644
--- a/pentesting-web/domain-subdomain-takeover.md
+++ b/pentesting-web/domain-subdomain-takeover.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -89,7 +89,7 @@ All of them vulnerable to subdomain takeover. All of them were big brands. Talki
Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand (see [Apple example](https://www.phishtank.com/target\_search.php?target\_id=183\&valid=y\&active=All\&Search=Search)). Having valid SSL certificate (more on that below), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand.
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -183,7 +183,7 @@ Until next time!
[Patrik](https://twitter.com/0xpatrik)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/email-injections.md b/pentesting-web/email-injections.md
index fb49a2fb7..cba724bb3 100644
--- a/pentesting-web/email-injections.md
+++ b/pentesting-web/email-injections.md
@@ -1,6 +1,6 @@
# Email Injections
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -165,7 +165,7 @@ So, if you are able to **send mails (maybe invitations) from the web application
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/file-inclusion/phar-deserialization.md b/pentesting-web/file-inclusion/phar-deserialization.md
index e477956d6..9c8c38cac 100644
--- a/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/pentesting-web/file-inclusion/phar-deserialization.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -89,7 +89,7 @@ php vuln.php
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/nosql-injection.md b/pentesting-web/nosql-injection.md
index 1c08a077d..e4fb6659a 100644
--- a/pentesting-web/nosql-injection.md
+++ b/pentesting-web/nosql-injection.md
@@ -1,6 +1,6 @@
# NoSQL injection
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -137,7 +137,7 @@ It's possible to use [**$lookup**](https://www.mongodb.com/docs/manual/reference
]
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -282,7 +282,7 @@ for u in get_usernames():
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/postmessage-vulnerabilities/README.md b/pentesting-web/postmessage-vulnerabilities/README.md
index 70406137e..3915f9471 100644
--- a/pentesting-web/postmessage-vulnerabilities/README.md
+++ b/pentesting-web/postmessage-vulnerabilities/README.md
@@ -99,11 +99,23 @@ In order to **find event listeners** in the current page you can:
* Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
-### check origin basic bypasses
+### Origin check bypasses
-* If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")`\\
-* If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.\
- In regular expression, **a dot (.) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`.\\
+* **`event.isTrusted`** is True when the event was generated by a user action. Not really bypasseable if correctly in place, but worth mentioning.
+* If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example:
+
+```javascript
+("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")
+```
+
+* If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regex.\
+ In regular expression, **a dot (.) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in:
+
+```javascript
+"https://www.safedomain.com".search("www.s.fedomain.com")
+```
+
+* Just like in the previous example, **`match()`** also checks a **regex**, so if the regex is malformed it could be **bypasseable**.
* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it **overwrites properties** of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
```javascript
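Review bot: The new `event.isTrusted` bullet is imprecise in a way that matters for this section: `isTrusted` is true for any event dispatched by the user agent, and a MessageEvent delivered through `postMessage()` from another window qualifies regardless of which origin sent it. It only distinguishes synthetic events created with `dispatchEvent()`, so it is not an origin check and should not be listed as though it were one; reword to say it filters synthetic events only and provides no protection against a cross-origin sender. The "regular repression" typo is carried from the removed line into the added one ("takes a regular repression object") and should read "regular expression"; "bypasseable" appears twice and should be "bypassable". The `search()` bullet is also ungrammatical: "If `search()` is used to validate the origin could be insecure" should be "If `search()` is used to validate the origin, the check can be insecure". Since the three bullets on `indexOf()`, `search()` and `match()` all describe substring or regex matching being too loose, one closing line naming the correct check, strict equality of `event.origin` against an allowlist of full origins, would give the reader the mitigation alongside the bypasses.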
@@ -119,7 +131,7 @@ result.message; // "'"\"
`File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function.
-### Bypassing e.origin == window.origin
+### e.origin == window.origin bypass
When a page is embedded in a **sandboxed iframe** via `
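Review bot: Style only: the renamed heading "e.origin == window.origin bypass" reads less naturally than the original "Bypassing e.origin == window.origin" and is inconsistent with the "Origin check bypasses" heading introduced in the previous hunk; "Bypassing e.origin == window.origin" or "e.origin == window.origin bypasses" would keep the two headings parallel.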