mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-04 18:40:54 +00:00
113 lines
6.4 KiB
Markdown
<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

# Description

In a situation where an **attacker** can **control** the **`href`** argument of an **`<a`** tag with the attribute **`target="_blank" rel="opener"`** that is going to be clicked by a victim, the **attacker** can **point** this **link** to a web under his control (a **malicious** **website**). Then, once the **victim clicks** the link and reaches the attacker's website, this **malicious** **website** will be able to **control** the **original** **page** via the javascript object **`window.opener`**.\
In case the page doesn't have `rel="opener"` but contains `target="_blank"` and doesn't have `rel="noopener"`, it might also be vulnerable. Note, however, that current versions of Chrome, Firefox, Safari and Edge treat `target="_blank"` as if `noopener` were set, so the `target="_blank"`-only variant is exploitable only in browsers that predate that change, while an explicit `rel="opener"` re-enables the opener handle everywhere.

The regular way to abuse this behaviour is to **change the location of the original web** via `window.opener.location = "https://attacker.com/victim.html"` to a web controlled by the attacker that **looks like the original one**, so it can **imitate** the **login form** of the original website and ask the user for credentials. Assigning `location` is one of the few operations a cross-origin page is allowed to perform on its opener, which is why the redirect works even though the two tabs are on different origins.

However, note that if the attacker's page ends up **same-origin** with the original web (for example, because the link points to attacker-controlled content hosted on the original site), the attacker gets the full **window object of the original website** and can use it to perform **stealthier attacks** (for example, modifying javascript event handlers to exfiltrate information to a server he controls). Cross-origin, the handle is restricted to the properties listed in the "Accessible properties" section below, so navigating the opener is the main option.

# Overview

## With back link

Link between parent and child pages when the prevention attribute is not used:

![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITH_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITH\_LINK.png)

## Without back link

Link between parent and child pages when the prevention attribute is used:

![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITHOUT_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITHOUT\_LINK.png)

## Examples <a href="#examples" id="examples"></a>

Create the following pages in a folder and run a web server with `python3 -m http.server`\
Then, **access** `http://127.0.0.1:8000/vulnerable.html`, **click** the link and note how the **URL** of the **original** **website** **changes**.

{% code title="vulnerable.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<h1>Victim Site</h1>
<!-- rel="opener" hands the opened page a window.opener handle in every browser -->
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>
</body>
</html>
```
{% endcode %}

{% code title="malicious.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<script>
// Assigning location is permitted cross-origin, so the victim tab navigates
// to the attacker's page even though the two tabs are on different origins.
window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
</script>
</body>
</html>
```
{% endcode %}

{% code title="malicious_redir.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<h1>New Malicious Site</h1>
</body>
</html>
```
{% endcode %}

## Accessible properties <a href="#accessible-properties" id="accessible-properties"></a>

In the scenario where a **cross-origin** access occurs (access between different origins), the properties of the **window** JavaScript object, reached through the **opener** reference, that a malicious site can access are limited to the following:

- **`opener.closed`**: This property is read to determine whether the window has been closed, returning a boolean value.
- **`opener.frames`**: This property provides access to the iframe elements within the opener window.
- **`opener.length`**: The number of iframe elements present in the opener window is returned by this property.
- **`opener.opener`**: A reference to the window that opened the opener window can be obtained through this property.
- **`opener.parent`**: This property returns the parent window of the opener window.
- **`opener.self`**: Access to the opener window itself is provided by this property.
- **`opener.top`**: This property returns the topmost browser window.

Beyond this OWASP list, the HTML specification's cross-origin allowlist for a `WindowProxy` also exposes `opener.location` (assignment navigates the opener, which is exactly what the redirect above relies on; reading its components cross-origin is blocked), `opener.postMessage()`, `opener.close()`, `opener.focus()` and `opener.blur()`.

However, when the origins are identical, the malicious site gains access to every property exposed by the [**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window) JavaScript object.

# Prevention

Preventive measures are documented in the [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5\_Security\_Cheat\_Sheet.html#tabnabbing). In short: add `rel="noopener noreferrer"` to every link that uses `target="_blank"`, never set `rel="opener"` on a link whose `href` is user-controlled, and when opening windows from script pass the `noopener` feature to `window.open()` (or null the returned handle's `opener` on browsers that still return one).
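
As an added example (not code from the HackTricks page or from OWASP), the following Node.js script applies those rules mechanically: `auditHtml()` flags `<a>`/`<area>` tags that open a new browsing context while leaving `window.opener` available, `hardenHtml()` rewrites them to `rel="noopener noreferrer"`, and `safeOpen()` is the script-side counterpart for `window.open()`. All names are this example's own, and the sample markup is constructed (its first line is the page's `vulnerable.html` anchor). The tag and attribute regexes are a deliberately small tokenizer meant for templates and static pages, not a full HTML parser.

```javascript
// Added example: audit and harden anchors that expose window.opener.
// Limitation of the tokenizer: a '>' inside a quoted attribute value would
// cut TAG_RE short, so run this on templates/static HTML, not arbitrary markup.

const TAG_RE = /<(a|area)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>`\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
const REL_ATTR_RE = /\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+)/gi;

// Parse a tag's attribute text into a map keyed by lower-cased attribute name.
function parseAttrs(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!(name in attrs)) attrs[name] = value; // first occurrence wins, as in browsers
  }
  return attrs;
}

// rel is a space-separated, case-insensitive token list.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns null when the anchor is safe, otherwise a finding with a severity.
function classifyAnchor(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return null;
  const rel = relTokens(attrs.rel);
  if (rel.has('opener')) {
    return { severity: 'high', reason: 'explicit rel=opener: every browser grants window.opener' };
  }
  if (!rel.has('noopener')) {
    return { severity: 'medium', reason: 'no rel=noopener: browsers without implicit noopener grant window.opener' };
  }
  return null;
}

// One finding per vulnerable <a>/<area> in the given HTML string.
function auditHtml(html) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    const finding = classifyAnchor(attrs);
    if (finding) findings.push({ tag: m[0], href: attrs.href || '', ...finding });
  }
  return findings;
}

// Rewrite vulnerable tags: drop rel=opener and add "noopener noreferrer".
function hardenHtml(html) {
  return html.replace(TAG_RE, (tag, name, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!classifyAnchor(attrs)) return tag;
    const rel = relTokens(attrs.rel);
    rel.delete('opener');
    rel.add('noopener');
    rel.add('noreferrer');
    const withoutRel = attrText.replace(REL_ATTR_RE, '');
    const selfClosing = /[\s"']\/\s*$/.test(withoutRel); // e.g. <area ... />
    const base = withoutRel.replace(selfClosing ? /\s*\/\s*$/ : /\s+$/, '');
    return `<${name}${base} rel="${[...rel].join(' ')}"${selfClosing ? ' /' : ''}>`;
  });
}

// Script-side counterpart: request the noopener feature and, for browsers that
// still return a handle, null its opener before anything can use it.
// `win` is injectable so the function can be exercised outside a browser.
function safeOpen(url, win = globalThis) {
  const handle = win.open(url, '_blank', 'noopener,noreferrer');
  if (handle) handle.opener = null; // legacy fallback; modern browsers return null here
  return handle;
}

// Constructed sample markup for this example (first line is the page's own anchor).
const SAMPLE = [
  '<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>',
  "<a href='/profile' TARGET=_blank>profile</a>",
  '<area shape="rect" coords="0,0,10,10" href="/map" target="_blank" />',
  '<a href="/docs" target="_blank" rel="noopener noreferrer">docs</a>',
  '<a href="/same-tab">same tab</a>',
].join('\n');

for (const f of auditHtml(SAMPLE)) console.log(`[${f.severity}] ${f.href}: ${f.reason}`);
console.log(hardenHtml(SAMPLE));
```

The two severities mirror the distinction made in the description: an explicit `rel="opener"` is exploitable in every browser, while a bare `target="_blank"` only matters for browsers that do not apply `noopener` implicitly. `noreferrer` is added alongside `noopener` because it implies `noopener` in browsers that know only the older keyword and also withholds the `Referer` header from the attacker's page.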

## References

* [https://owasp.org/www-community/attacks/Reverse_Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
