mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GITBOOK-4360: No subject
This commit is contained in:
parent
be9d5a7ae8
commit
f7d8222dcf
7 changed files with 66 additions and 7 deletions
BIN
.gitbook/assets/image (1248).png
Normal file
BIN
.gitbook/assets/image (1248).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 33 KiB |
BIN
.gitbook/assets/image (1249).png
Normal file
BIN
.gitbook/assets/image (1249).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 27 KiB |
|
@ -587,7 +587,6 @@
|
||||||
* [Upgrade Header Smuggling](pentesting-web/h2c-smuggling.md)
|
* [Upgrade Header Smuggling](pentesting-web/h2c-smuggling.md)
|
||||||
* [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
|
* [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
|
||||||
* [IDOR](pentesting-web/idor.md)
|
* [IDOR](pentesting-web/idor.md)
|
||||||
* [Integer Overflow](pentesting-web/integer-overflow.md)
|
|
||||||
* [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md)
|
* [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md)
|
||||||
* [LDAP Injection](pentesting-web/ldap-injection.md)
|
* [LDAP Injection](pentesting-web/ldap-injection.md)
|
||||||
* [Login Bypass](pentesting-web/login-bypass/README.md)
|
* [Login Bypass](pentesting-web/login-bypass/README.md)
|
||||||
|
@ -651,6 +650,7 @@
|
||||||
* [DOM Invader](pentesting-web/xss-cross-site-scripting/dom-invader.md)
|
* [DOM Invader](pentesting-web/xss-cross-site-scripting/dom-invader.md)
|
||||||
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
|
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
|
||||||
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
|
||||||
|
* [Integer Overflow](pentesting-web/xss-cross-site-scripting/integer-overflow.md)
|
||||||
* [JS Hoisting](pentesting-web/xss-cross-site-scripting/js-hoisting.md)
|
* [JS Hoisting](pentesting-web/xss-cross-site-scripting/js-hoisting.md)
|
||||||
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
|
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
|
||||||
* [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md)
|
* [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md)
|
||||||
|
@ -672,6 +672,7 @@
|
||||||
* [JavaScript Execution XS Leak](pentesting-web/xs-search/javascript-execution-xs-leak.md)
|
* [JavaScript Execution XS Leak](pentesting-web/xs-search/javascript-execution-xs-leak.md)
|
||||||
* [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
|
* [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
|
||||||
* [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)
|
* [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)
|
||||||
|
* [Iframe Traps](pentesting-web/iframe-traps.md)
|
||||||
|
|
||||||
## ⛈️ Cloud Security
|
## ⛈️ Cloud Security
|
||||||
|
|
||||||
|
|
47
pentesting-web/iframe-traps.md
Normal file
47
pentesting-web/iframe-traps.md
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
# Iframe Traps
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Basic Information
|
||||||
|
|
||||||
|
This form of abusing XSS via iframes to steal information from the user moving across the web page was originally published in these 2 post from trustedsec.com: [**here**](https://trustedsec.com/blog/persisting-xss-with-iframe-traps) **and** [**here**](https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams).
|
||||||
|
|
||||||
|
The attack start in a page vulnerable to a XSS where it’s possible to make the **victims don’t leave the XSS** by making them **navigate within an iframe** that occupies all the web application.
|
||||||
|
|
||||||
|
The XSS attack will basically load the web page in an iframe in 100% of the screen. Therefore, the victim **won't notice he is inside an iframe**. Then, if the victim navigates in the page by clicking links inside the iframe (inside the web), he will be **navigating inside the iframe** with the arbitrary JS loaded stealing information from this navigation.
|
||||||
|
|
||||||
|
Moreover, to make it more realistic, it’s possible to use some **listeners** to check when an iframe changes the location of the page, and update the URL of the browser with that locations the user things he’s is moving pages using the browser.
|
||||||
|
|
||||||
|
<figure><img src="../.gitbook/assets/image (1248).png" alt=""><figcaption><p><a href="https://www.trustedsec.com/wp-content/uploads/2022/04/regEvents.png">https://www.trustedsec.com/wp-content/uploads/2022/04/regEvents.png</a></p></figcaption></figure>
|
||||||
|
|
||||||
|
<figure><img src="../.gitbook/assets/image (1249).png" alt=""><figcaption><p><a href="https://www.trustedsec.com/wp-content/uploads/2022/04/fakeAddress-1.png">https://www.trustedsec.com/wp-content/uploads/2022/04/fakeAddress-1.png</a></p></figcaption></figure>
|
||||||
|
|
||||||
|
Moreover, it's possible to use listeners to steal sensitive information, not only the other pages the victim is visiting, but also the data used to **filled forms** and send them (credentials?) or to **steal the local storage**...
|
||||||
|
|
||||||
|
Ofc, the main limitations are that a **victim closing the tab or putting another URL in the browser will escape the iframe**. Another way to do this would be to **refresh the page**, however, this could be partially **prevented** by disabling the right click context menu every time a new page is loaded inside the iframe or noticing when the mouse of the user leaves the iframe, potentially to click the reload button of the browser and in this case the URL of the browser is updated with the original URL vulnerable to XSS so if the user reloads it, it will get poisoned again (note that this is not very stealth).
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
@ -48,6 +48,7 @@ If the Debug Extension is enabled, a `debug` tag will be available to dump the c
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</pre>
|
</pre>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -67,6 +68,7 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
|
||||||
{% endraw %}
|
{% endraw %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## **Jinja Injection**
|
## **Jinja Injection**
|
||||||
|
@ -130,6 +132,7 @@ dict.__mro__[-1]
|
||||||
{% endraw %}
|
{% endraw %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Not sure if this will work, but I saw it somewhere
|
# Not sure if this will work, but I saw it somewhere
|
||||||
{{ [].class.base.subclasses() }}
|
{{ [].class.base.subclasses() }}
|
||||||
{{ ''.class.mro()[1].subclasses() }}
|
{{ ''.class.mro()[1].subclasses() }}
|
||||||
|
@ -213,6 +216,7 @@ http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|joi
|
||||||
{% endraw %}
|
{% endraw %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
* [**Return here for more options to access a global object**](jinja2-ssti.md#accessing-global-objects)
|
* [**Return here for more options to access a global object**](jinja2-ssti.md#accessing-global-objects)
|
||||||
|
@ -260,6 +264,7 @@ Without **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`**
|
||||||
{% endraw %}
|
{% endraw %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Jinja Injection without **\<class 'object'>**
|
## Jinja Injection without **\<class 'object'>**
|
||||||
|
@ -314,10 +319,9 @@ Once you have found some functions you can recover the builtins with:
|
||||||
|
|
||||||
### Fuzzing WAF bypass
|
### Fuzzing WAF bypass
|
||||||
|
|
||||||
**Fenjing** [https://github.com/Marven11/Fenjing](https://github.com/Marven11/Fenjing) is a tool that its specialized on CTFs but can be also useful to bruteforce invalid params on a real scenario.
|
**Fenjing** [https://github.com/Marven11/Fenjing](https://github.com/Marven11/Fenjing) is a tool that its specialized on CTFs but can be also useful to bruteforce invalid params on a real scenario. The tool just spray words and queries to detect filters, searching for bypasses, and also provide a interactive console.
|
||||||
The tool just spray words and queries to detect filters, searching for bypasses, and also provide a interactive console.
|
|
||||||
|
|
||||||
English-Chinese Google translation
|
English-Chinese Google translation
|
||||||
|
|
||||||
```
|
```
|
||||||
webui:
|
webui:
|
||||||
|
@ -344,7 +348,6 @@ Read the request in the file, PAYLOADreplace it with the actual payload and subm
|
||||||
The request will be urlencoded by default according to the HTTP format, which can be --urlencode-payload 0turned off.
|
The request will be urlencoded by default according to the HTTP format, which can be --urlencode-payload 0turned off.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
|
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
|
||||||
|
|
|
@ -1166,6 +1166,14 @@ trigger()
|
||||||
[steal-info-js.md](steal-info-js.md)
|
[steal-info-js.md](steal-info-js.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
### Iframe Trap
|
||||||
|
|
||||||
|
Make the use navigate in the page without exiting an iframe and steal of his actions (including information sent in forms):
|
||||||
|
|
||||||
|
{% content-ref url="../iframe-traps.md" %}
|
||||||
|
[iframe-traps.md](../iframe-traps.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Retrieve Cookies
|
### Retrieve Cookies
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
|
|
|
@ -14,8 +14,8 @@
|
||||||
|
|
||||||
Check:
|
Check:
|
||||||
|
|
||||||
{% content-ref url="../binary-exploitation/integer-overflow.md" %}
|
{% content-ref url="../../binary-exploitation/integer-overflow.md" %}
|
||||||
[integer-overflow.md](../binary-exploitation/integer-overflow.md)
|
[integer-overflow.md](../../binary-exploitation/integer-overflow.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<details>
|
<details>
|
Loading…
Reference in a new issue