GITBOOK-4038: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-08-16 08:24:17 +00:00 committed by gitbook-bot
parent 0d38db90ea
commit 9047909444
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
5 changed files with 135 additions and 2 deletions

View file

@ -643,7 +643,9 @@
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
* [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md)
* [Server Side XSS (Dynamic PDF)](pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
* [Shadow DOM](pentesting-web/xss-cross-site-scripting/shadow-dom.md)
* [SOME - Same Origin Method Execution](pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md)
* [Sniff Leak](pentesting-web/xss-cross-site-scripting/sniff-leak.md)
* [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md)
* [XSS in Markdown](pentesting-web/xss-cross-site-scripting/xss-in-markdown.md)
* [XSS Tools](pentesting-web/xss-cross-site-scripting/xss-tools.md)
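Review bot: the new "Sniff Leak" entry is filed under the XSS chapter, but the page it points to (sniff-leak.md, added in this commit) describes cross-site leaks of script contents via MIME sniffing, which is the same family of technique as the lazy-loading and scroll-to-text-fragment leaks edited in xs-search.md in this same change; consider placing the entry next to the XS-Search pages, or at least cross-linking it from there, so readers looking for leak techniques find it. The ordering of the inserted lines (Shadow DOM, SOME, Sniff Leak) follows the ASCII ordering the surrounding list already uses, so no change is needed there.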

View file

@ -904,7 +904,12 @@ However, if for whatever reason you **MUST** do it **char by char** (maybe the c
<img src=/something loading=lazy >
```
Therefore, what you can do is to **add a lot of junk chars** (For example **thousands of "W"s**) to **fill the web page before the secret**. We do this so the image is not loaded at the beginning.
Therefore, what you can do is to **add a lot of junk chars** (For example **thousands of "W"s**) to **fill the web page before the secret or add something like** `<br><canvas height="1850px"></canvas><br>.`\
Then if for example our **injection appear before the flag**, the **image** would be **loaded**, but if appears **after** the **flag**, the flag + the junk will **prevent it from being loaded** (you will need to play with how much junk to place). This is what happened in [**this writeup**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/).
Another option would be to use the **scroll-to-text-fragment** if allowed:
#### Scroll-to-text-fragment
However, you make the **bot access the page** with something like
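Review bot: in the replacement line the inline code span swallows the trailing period and is followed by a stray backslash (`...<canvas height="1850px"></canvas><br>.`\), so it will render as code ending in "." with a hard line break; move the period outside the backticks and drop the backslash. In the same paragraph "if for example our injection appear before the flag" should read "appears", and the sentence "Another option would be to use the scroll-to-text-fragment if allowed:" is immediately followed by the "#### Scroll-to-text-fragment" heading and then "However, you make the bot access the page with...", so the "However" no longer contrasts with anything; either drop the introductory sentence or start the section with "To use it, make the bot access the page with...".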
@ -920,7 +925,9 @@ What this text will do is to make the bot access any text in the page that conta
Some code example to exploit this: [https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e)
Find **another example using lazy loading** here:
### Image Lazy Loading Time Based
If it's **not possible to load an external image** that could indicate the attacker that the image was loaded, another option would be to try to **guess the char several times and measure that**. If the image is loaded all the requests would take longer that if the image isn't loaded. This is what was used in the [**solution of this writeup**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/) **sumarized here:**
{% content-ref url="xs-search/event-loop-blocking-+-lazy-images.md" %}
[event-loop-blocking-+-lazy-images.md](xs-search/event-loop-blocking-+-lazy-images.md)
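Review bot: the `{% content-ref url="xs-search/event-loop-blocking-+-lazy-images.md" %}` block opened on the last two lines of the hunk has no `{% endcontent-ref %}` among the visible lines; confirm the closing tag follows in the unchanged context, otherwise GitBook will render the rest of the page inside the block. Two typos in the added paragraph: "sumarized here" should be "summarized here", and "all the requests would take longer that if the image isn't loaded" should be "longer than if".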

View file

@ -1381,6 +1381,12 @@ function handleResponse() {
[abusing-service-workers.md](abusing-service-workers.md)
{% endcontent-ref %}
### Accessing Shadow DOM
{% content-ref url="shadow-dom.md" %}
[shadow-dom.md](shadow-dom.md)
{% endcontent-ref %}
### Polyglots
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}

View file

@ -0,0 +1,85 @@
# Shadow DOM
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## Basic Information
Shadow DOM is part of the [Web Components](https://developer.mozilla.org/en-US/docs/Web/Web\_Components) feature suite, which aims to allow JS developers to create reusable custom elements with their functionality encapsulated away from the rest of the website code.
Essentially, you can use the Shadow DOM to **isolate your component's HTML and CSS from the rest of the webpage**. For example, if you create element IDs in a shadow DOM, they **will not conflict with element IDs in the parent DOM**. Any CSS selectors you utilize in your shadow DOM will only apply within the shadow DOM and not to the parent DOM, and any selectors you utilize in the parent will not penetrate within the shadow DOM.
```js
// creating a shadow DOM
let $element = document.createElement("div");
$shadowDomRef = $element.attachShadow({ mode: "open" }); // open or closed
```
Normally, when you attach an **"open" shadow DOM to an element**, you can obtain a reference to the shadow DOM with **`$element.shadowRoot`**. However, if the shadow DOM is attached under **"closed"** mode, you **can't obtain a reference** to it this way. Even after reading all developer documentation I could find, I'm still slightly unclear about the purpose of closed mode. [According to Google](https://developers.google.com/web/fundamentals/web-components/shadowdom):
> There's another flavour of shadow DOM called "closed" mode. When you create a **closed** shadow tree, **outside JavaScript won't be able to access the internal DOM of your component**. This is similar to how native elements like `<video>` work. JavaScript cannot access the shadow DOM of `<video>` because the browser implements it using a closed-mode shadow root.
However, they also state:
> Closed shadow roots are not very useful. Some developers will see closed mode as an **artificial security feature**. But let's be clear, it's **not** a security feature.
## Accessing the Shadow DOM
### window.find() and text selections <a href="#introducing-windowfind-and-text-selections" id="introducing-windowfind-and-text-selections"></a>
The function **`window.find("search_text")` penetrates within a shadow DOM**. This function effectively has the same functionality as ctrl-F on a webpage.
It's possible to call **`document.execCommand("SelectAll")`** to expand the selection as **much as possible** and then call **`window.getSelection()`** to **return the contents** of selected text inside the shadow DOM.
In **firefox** you can use `getSelection()` which returns a [Selection](https://developer.mozilla.org/en-US/docs/Web/API/Selection) object, where `anchorElement` is a **reference to an element in the shadow DOM**. So, we can exfiltrate contents of the shadow DOM as follows:
```js
getSelection().anchorNode.parentNode.parentNode.parentNode.innerHTML
```
But this doesn't work in Chromium.
### contenteditable or CSS injection <a href="#contenteditable-or-css-injection" id="contenteditable-or-css-injection"></a>
One way we might be able to interact with the shadow DOM is if we have an **HTML or JS injection inside of it**. There are some interesting situations where you can obtain injection within a shadow DOM where you wouldn't be able to on a normal crossorigin page.
One example, is if you have any **elements with the `contenteditable` attribute**. This is a deprecated and little used HTML attribute that declares the **content of that element to be user-editable**. We can use selections along with the **`document.execCommand`** API to interact with a contenteditable element and obtain an HTML injection!
```js
find('selection within contenteditable');
document.execCommand('insertHTML',false,'<svg/onload=console.log(this.parentElement.outerHTML)>')
```
Perhaps even more interestingly, **`contenteditable`** can be declared on any element in chromium by applying a deprecated **CSS property: `-webkit-user-modify:read-write`**
This allows us to **elevate a CSS/style injection into an HTML injection**, by adding the CSS property to an element, and then utilizing the `insertHTML` command.
## CTF
Check this writeup where this technique was used as a CTF challenge: [https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md](https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md)
## References
* [https://blog.ankursundara.com/shadow-dom/](https://blog.ankursundara.com/shadow-dom/)
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
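Review bot: in the "window.find() and text selections" section the prose says the `Selection` object's `anchorElement` is a reference into the shadow DOM, but the property the snippet (and the Selection API) actually uses is `anchorNode`; change the prose to `anchorNode` so it matches the code. In the first snippet `$shadowDomRef = $element.attachShadow({ mode: "open" });` assigns an undeclared identifier, which creates an implicit global and throws under `"use strict"`; prefix it with `const`. The sentence "Even after reading all developer documentation I could find, I'm still slightly unclear about the purpose of closed mode" is lifted from the referenced post at blog.ankursundara.com and now reads as the HackTricks author's own experience; either attribute it or rephrase it in the third person. `contenteditable` is described as "a deprecated and little used HTML attribute", but it is a standard global attribute in the HTML living standard; the non-standard, Chromium-only part is the `-webkit-user-modify` CSS property mentioned two paragraphs later, so the "deprecated" label belongs there. Finally, the quoted Google statement that closed mode "is not a security feature" is the key takeaway for defenders; consider stating explicitly under "Basic Information" that closed shadow roots must not be relied on to hide sensitive data from same-page scripts, since the rest of the page shows exactly how they are read.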

View file

@ -0,0 +1,33 @@
# Sniff Leak
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## Leak script content by converting it to UTF16
[**This writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#modernism21-solves) leaks a text/plain because there is no `X-Content-Type-Options: nosniff` header by adding some initial characters that will make javascript think that the content is in UTF-16 so th script doesn't breaks.
## Leak script content by treating it as an ICO
[**The next writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#precisionism3-solves) leaks the script content by loading it as if it was an ICO image accessing the `width` parameter.
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
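Review bot: "leaks a text/plain because there is no `X-Content-Type-Options: nosniff` header by adding some initial characters that will make javascript think that the content is in UTF-16 so th script doesn't breaks" needs a noun and two typo fixes: "leaks a text/plain response ... so the script doesn't break". Since both sections depend on the same root cause, the page should state the mitigation once rather than leaving it implicit: serve `X-Content-Type-Options: nosniff` together with an accurate `Content-Type`, so the browser refuses to interpret a non-script response as a script (first section) or as an image (second section). In the second section "loading it as if it was an ICO image accessing the `width` parameter" should read "and reading its `width` property", since `width` is a property of the image element, not a parameter.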