mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GitBook: [master] 3 pages and 6 assets modified
This commit is contained in:
parent
bed47c9c72
commit
e741d404a9
6 changed files with 15 additions and 7 deletions
Image asset: Size 740 KiB before, 740 KiB after
Image asset: Size 740 KiB before, 740 KiB after
Image asset: Size 15 KiB before, 15 KiB after
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
### Step 6: Profile Installation
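Review bot: the only change in this hunk is the screenshot reference `![](../../../.gitbook/assets/image%20%28567%29...png)` picking up one more `%20%282%29` suffix, while the asset list above shows the image itself unchanged (740 KiB before and after). This is GitBook re-exporting a duplicate copy of the same screenshot on every sync; give the asset a stable descriptive filename once (a placeholder such as `mdm-device-ca-chain.png`) so later syncs stop growing the path and re-touching this page.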
@ -9,7 +9,7 @@ This is done by **making a logged in user** in the victim platform access an att
In order to be able to abuse a CSRF vulnerability you first need to **find a relevant action to abuse** \(change password or email, make the victim follow you on a social network, give you more privileges...\). The **session must rely only on cookies or HTTP Basic Authentication header**, any other header can't be used to handle the session. An finally, there **shouldn't be unpredictable parameters** on the request.
Several **counter-measures** could be in place to avoid this vulnerability.
Several **counter-measures** could be in place to avoid this vulnerability.
### **Common defenses**
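Review bot: the old and new versions of `Several **counter-measures** could be in place to avoid this vulnerability.` render identically, so this hunk is a whitespace-only change (a trailing space or line-ending normalisation) with no content effect; fine to merge, but better squashed into a real edit. While this paragraph is being touched, fix the typo in the context line just above it: `An finally, there **shouldn't be unpredictable parameters**` should read `And finally, ...`.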
@ -73,7 +73,7 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit
### Content-Type change
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
* **`application/x-www-form-urlencoded`**
* **`multipart/form-data`**
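Review bot: the edit correctly turns `n order to **avoid preflight**` into `in order to ...`. One accuracy point on the list this sentence introduces: the linked MDN simple-request rules allow exactly three `Content-Type` values, `application/x-www-form-urlencoded`, `multipart/form-data` and `text/plain`; only the first two are visible in this hunk, so confirm that `text/plain` is the third bullet on the line immediately after it rather than missing, since the `text/plain` bypass section added further down relies on it.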
@ -81,6 +81,14 @@ According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#s
However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
### application/json preflight request bypass
As you already know, you cannot sent a POST request with the Content-Type **`application/json`** via HTML form, and if you try to do so via **`XMLHttpRequest`** a **preflight** request is sent first.
However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded`** just to check if the backend is using the data independently of the Content-Type.
You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**
You could also try to **bypass** this restriction by using a **SWF flash file**. More more information [**read this post**](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).
### Referrer / Origin check bypass
#### Avoid Referrer header
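Review bot: the new `application/json preflight request bypass` section has two typos in added text: `you cannot sent a POST request` should be `send`, and `More more information` should be `For more information`. Two content points as well. First, the `enctype="text/plain"` line should say what the reader will actually observe: a form with that enctype still serialises its body as `name=value` pairs, so the request only reaches the JSON handler when the backend ignores the declared `Content-Type` and parses the body leniently; the defensive takeaway worth spelling out is that JSON endpoints should reject any request whose `Content-Type` is not exactly `application/json`. Second, the SWF bypass depends on the Flash plugin, which Adobe retired at the end of 2020 and current browsers no longer load, so mark that paragraph as legacy. Also, the context line ending in `**`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._` carries stray `_**,**_` and `_._` emphasis markers that render as garbage (and `severs logic` should be `server's logic`); plain commas will do.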
@ -109,14 +117,14 @@ https://hahwul.com/.white_domain_com (X)
## **Exploit Examples**
### **Ex-filtrating CSRF Token**
### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
### **GET using HTML tags**
```markup
<img src=http://google.es?param=VALUE style="display:none" />
<img src="http://google.es?param=VALUE" style="display:none" />
<h1>404 - Page not found</h1>
The URL you are requesting is no longer available
```
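Review bot: quoting the attribute in `<img src="http://google.es?param=VALUE" style="display:none" />` is the right fix, since the unquoted form breaks as soon as the value contains a space or one of `" ' = < >`. The rest of the ```markup block is confusing, though: `<h1>404 - Page not found</h1>` and `The URL you are requesting is no longer available` are a server response, not part of the snippet, yet they sit in the same fence as the `<img>` tag. Move them out of the fence and introduce them with a sentence (the response body is irrelevant, the GET is still issued), or drop them, since the section's only point is that a hidden `<img>` makes the browser send a cross-site GET. The `Ex-filtrating` to `Exfiltrating` renames in the heading and body are fine; `defence` is British spelling and consistent with the rest of the page.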
@ -66,7 +66,7 @@ In order to **find event listeners** in the current page you can:
* **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\)
* **Execute** in the developer tools console: `getEventListeners(window)`
![](../.gitbook/assets/image%20%28616%29.png)
![](../.gitbook/assets/image%20%28618%29.png)
* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
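Review bot: the asset reference changes from `image%20%28616%29.png` to `image%20%28618%29.png` with the 15 KiB size unchanged, so this looks like another GitBook duplicate-export rename rather than a new screenshot; a stable filename would stop this churn. In the context line `* **Search** the JS code for ****`window.addEventListener`` the run of four asterisks is a leftover bold marker that wraps nothing and renders literally; delete it. It would also help readers to note that `getEventListeners(window)` is a Chromium DevTools Command Line API helper that exists only in the DevTools console, not in page scripts, so nobody tries to call it from their own JavaScript.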