GITBOOK-4360: No subject

This commit is contained in:
CPol 2024-06-14 10:12:26 +00:00 committed by gitbook-bot
parent be9d5a7ae8
commit f7d8222dcf
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 66 additions and 7 deletions

Two binary image files added (not shown): 33 KiB and 27 KiB.

View file

@ -587,7 +587,6 @@
* [Upgrade Header Smuggling](pentesting-web/h2c-smuggling.md)
* [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
* [IDOR](pentesting-web/idor.md)
* [Integer Overflow](pentesting-web/integer-overflow.md)
* [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md)
* [LDAP Injection](pentesting-web/ldap-injection.md)
* [Login Bypass](pentesting-web/login-bypass/README.md)
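Review bot: the single line this hunk drops (-587,7 +587,6) is not marked in the rendered view; from the later hunk it is the `Integer Overflow` entry pointing at `pentesting-web/integer-overflow.md`, which is re-added under `pentesting-web/xss-cross-site-scripting/`. The old path is likely linked from outside the book, so consider a redirect for `pentesting-web/integer-overflow.md` to the new location in the GitBook config rather than letting existing links break.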
@ -651,6 +650,7 @@
* [DOM Invader](pentesting-web/xss-cross-site-scripting/dom-invader.md)
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
* [Integer Overflow](pentesting-web/xss-cross-site-scripting/integer-overflow.md)
* [JS Hoisting](pentesting-web/xss-cross-site-scripting/js-hoisting.md)
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
* [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md)
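Review bot: placing `Integer Overflow` under the XSS subsection is questionable, since the page itself (see the `integer-overflow.md` hunk further down) is only a pointer to `binary-exploitation/integer-overflow.md` and has no XSS-specific content; a top-level `pentesting-web` entry, where it came from, describes the topic better. If the move is intentional, the alphabetical position between `Iframes in XSS, CSP and SOP` and `JS Hoisting` is correct.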
@ -672,6 +672,7 @@
* [JavaScript Execution XS Leak](pentesting-web/xs-search/javascript-execution-xs-leak.md)
* [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
* [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)
* [Iframe Traps](pentesting-web/iframe-traps.md)
## ⛈️ Cloud Security
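Review bot: the new `Iframe Traps` entry links to `pentesting-web/iframe-traps.md` (top level of `pentesting-web`) but is inserted right after the nested `xs-search/css-injection` children; indentation is lost in this rendered view, so double-check the entry sits at the top-level nesting depth in `SUMMARY.md`, otherwise it renders as a child of XS-Search while its file lives one level up. The entry is also out of the alphabetical order the surrounding list follows.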

View file

@ -0,0 +1,47 @@
# Iframe Traps
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Basic Information
This form of abusing XSS via iframes to steal information from the user moving across the web page was originally published in these 2 post from trustedsec.com: [**here**](https://trustedsec.com/blog/persisting-xss-with-iframe-traps) **and** [**here**](https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams).
The attack start in a page vulnerable to a XSS where its possible to make the **victims dont leave the XSS** by making them **navigate within an iframe** that occupies all the web application.
The XSS attack will basically load the web page in an iframe in 100% of the screen. Therefore, the victim **won't notice he is inside an iframe**. Then, if the victim navigates in the page by clicking links inside the iframe (inside the web), he will be **navigating inside the iframe** with the arbitrary JS loaded stealing information from this navigation.
Moreover, to make it more realistic, its possible to use some **listeners** to check when an iframe changes the location of the page, and update the URL of the browser with that locations the user things hes is moving pages using the browser.
<figure><img src="../.gitbook/assets/image (1248).png" alt=""><figcaption><p><a href="https://www.trustedsec.com/wp-content/uploads/2022/04/regEvents.png">https://www.trustedsec.com/wp-content/uploads/2022/04/regEvents.png</a></p></figcaption></figure>
<figure><img src="../.gitbook/assets/image (1249).png" alt=""><figcaption><p><a href="https://www.trustedsec.com/wp-content/uploads/2022/04/fakeAddress-1.png">https://www.trustedsec.com/wp-content/uploads/2022/04/fakeAddress-1.png</a></p></figcaption></figure>
Moreover, it's possible to use listeners to steal sensitive information, not only the other pages the victim is visiting, but also the data used to **filled forms** and send them (credentials?) or to **steal the local storage**...
Ofc, the main limitations are that a **victim closing the tab or putting another URL in the browser will escape the iframe**. Another way to do this would be to **refresh the page**, however, this could be partially **prevented** by disabling the right click context menu every time a new page is loaded inside the iframe or noticing when the mouse of the user leaves the iframe, potentially to click the reload button of the browser and in this case the URL of the browser is updated with the original URL vulnerable to XSS so if the user reloads it, it will get poisoned again (note that this is not very stealth).
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
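Review bot: the new page explains the attack but says nothing about why the usual framing defenses do not help, which a reader will ask: the trap loads the same web application inside the iframe, so it is a same-origin frame and `X-Frame-Options: SAMEORIGIN` or CSP `frame-ancestors 'self'` do not block it; the only real fix is the XSS that hosts the trap, and a sentence saying so in "Basic Information" would be worth adding. Separately, several typos should be fixed before merge: "these 2 post" should be "these 2 posts", "The attack start" should be "The attack starts", "its possible" should be "it's possible" (twice), "victims dont leave" should be "victims don't leave", "the user things hes is moving pages" should be "the user thinks he is moving pages", "the data used to filled forms" should be "the data used to fill forms", and "Ofc" should be spelled out. The two `<figure>` captions are bare URLs; a short description of what each screenshot shows (the registered listeners and the faked address bar, per the image file names) would make them useful, and the `alt` attributes are empty.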

View file

@ -48,6 +48,7 @@ If the Debug Extension is enabled, a `debug` tag will be available to dump the c
</pre>
```
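Review bot: this hunk (and the similar context-only hunks below, +1 line each) shows only context in the rendered view, so the added line cannot be reviewed here; given the `{% endraw %}` lines visible in the following hunks, these are presumably `{% raw %}` / `{% endraw %}` wrappers around Jinja syntax. Please confirm each added opener has a matching closer inside the same fenced block, since an unbalanced pair makes GitBook swallow everything up to the next tag.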
@ -67,6 +68,7 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
{% endraw %}
```
## **Jinja Injection**
@ -130,6 +132,7 @@ dict.__mro__[-1]
{% endraw %}
# Not sure if this will work, but I saw it somewhere
{{ [].class.base.subclasses() }}
{{ ''.class.mro()[1].subclasses() }}
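Review bot: the line `# Not sure if this will work, but I saw it somewhere` ships an unverified payload in the documentation; either verify it or drop it before merge. As written it is unlikely to work: `.class`, `.base`, `.mro()` and `.subclasses()` are not Python attribute names (the real ones are the dunder forms `__class__`, `__base__`, `__mro__`, `__subclasses__`), so Jinja's attribute lookup resolves them to `Undefined`. If the intent is the "without `_`" section's filter-bypass technique, the payload should be written in that section's form rather than left with a doubt comment.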
@ -213,6 +216,7 @@ http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|joi
{% endraw %}
```
* [**Return here for more options to access a global object**](jinja2-ssti.md#accessing-global-objects)
@ -260,6 +264,7 @@ Without **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`**
{% endraw %}
```
## Jinja Injection without **\<class 'object'>**
@ -314,10 +319,9 @@ Once you have found some functions you can recover the builtins with:
### Fuzzing WAF bypass
**Fenjing** [https://github.com/Marven11/Fenjing](https://github.com/Marven11/Fenjing) is a tool that its specialized on CTFs but can be also useful to bruteforce invalid params on a real scenario.
The tool just spray words and queries to detect filters, searching for bypasses, and also provide a interactive console.
**Fenjing** [https://github.com/Marven11/Fenjing](https://github.com/Marven11/Fenjing) is a tool that its specialized on CTFs but can be also useful to bruteforce invalid params on a real scenario. The tool just spray words and queries to detect filters, searching for bypasses, and also provide a interactive console.
English-Chinese Google translation
English-Chinese Google translation
```
webui:
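Review bot: the merged Fenjing paragraph keeps the grammar errors of the two lines it replaces; suggest "is a tool specialized in CTFs that can also be useful for brute-forcing invalid parameters in a real scenario. The tool sprays words and queries to detect filters, searches for bypasses, and also provides an interactive console." The `English-Chinese Google translation` line appears twice in this hunk (one removed, one added, per the -10/+9 header) but is identical in both versions; if nothing changed on that line it should not be part of the diff, and it is worth stating that the text that follows is a machine translation of the tool's own README so readers know the odd phrasing is not HackTricks' own.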
@ -344,7 +348,6 @@ Read the request in the file, PAYLOADreplace it with the actual payload and subm
The request will be urlencoded by default according to the HTTP format, which can be --urlencode-payload 0turned off.
```
## References
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
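Review bot: two missing spaces in the translated usage text make the flag and placeholder unreadable: "PAYLOADreplace it with the actual payload" should read "replace `PAYLOAD` with the actual payload", and "which can be --urlencode-payload 0turned off" should read "which can be turned off with `--urlencode-payload 0`". Since this sits inside a fenced block where backticks will not render, at least fix the spacing so the option name is separated from the surrounding words.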

View file

@ -1166,6 +1166,14 @@ trigger()
[steal-info-js.md](steal-info-js.md)
{% endcontent-ref %}
### Iframe Trap
Make the use navigate in the page without exiting an iframe and steal of his actions (including information sent in forms):
{% content-ref url="../iframe-traps.md" %}
[iframe-traps.md](../iframe-traps.md)
{% endcontent-ref %}
### Retrieve Cookies
```javascript
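Review bot: typo in the new "Iframe Trap" subsection: "Make the use navigate in the page without exiting an iframe and steal of his actions" should read "Make the user navigate in the page without leaving an iframe and steal his actions (including information sent in forms):". The `content-ref` path `../iframe-traps.md` resolves from `pentesting-web/xss-cross-site-scripting/` to `pentesting-web/iframe-traps.md`, which matches the `SUMMARY.md` entry added in this commit.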

View file

@ -14,8 +14,8 @@
Check:
{% content-ref url="../binary-exploitation/integer-overflow.md" %}
[integer-overflow.md](../binary-exploitation/integer-overflow.md)
{% content-ref url="../../binary-exploitation/integer-overflow.md" %}
[integer-overflow.md](../../binary-exploitation/integer-overflow.md)
{% endcontent-ref %}
<details>