Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-17 06:28:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md

56 lines
4.2 KiB
Markdown
Raw Blame History

# Blocking main page to steal postmessage
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Winning RCs with Iframes
Kulingana na hii [**Terjanq writeup**](https://gist.github.com/terjanq/7c1a71b83db5e02253c218765f96a710) hati, nyaraka zilizoundwa kutoka kwa asili za null zimewekwa mbali kwa faida za usalama, ambayo inamaanisha kwamba ikiwa utaendelea kuifanya ukurasa mkuu kuwa na shughuli, ukurasa wa iframe utaanzishwa.
Kimsingi katika changamoto hiyo **iframe iliyotengwa inatekelezwa** na mara **baada** ya **kupakuliwa** ukurasa wa **mzazi** uta **tuma ujumbe wa post** na **bendera**.\
Hata hivyo, mawasiliano ya postmessage hiyo ni **hatari kwa XSS** (**iframe** inaweza kutekeleza msimbo wa JS).
Kwa hivyo, lengo la mshambuliaji ni **kuruhusu mzazi kuunda iframe**, lakini **kabla** ya kuruhusu ukurasa wa **mzazi** **kutuma** data nyeti (**bendera**) **uweke busy** na kutuma **payload kwa iframe**. Wakati **mzazi yuko busy** **iframe inatekeleza payload** ambayo itakuwa baadhi ya JS itakayokuwa inasikiliza ujumbe wa **postmessage wa mzazi na kuvuja bendera**.\
Hatimaye, iframe imekamilisha payload na ukurasa wa mzazi unakoma kuwa na shughuli, hivyo inatuma bendera na payload inavuja.
Lakini ungeweza vipi kufanya mzazi kuwa **busy mara tu baada ya kuunda iframe na wakati tu inasubiri iframe iwe tayari kutuma data nyeti?** Kimsingi, unahitaji kutafuta **kitendo** cha **async** ambacho unaweza kufanya mzazi **atekeleze**. Kwa mfano, katika changamoto hiyo mzazi alikuwa **akisikiliza** **postmessages** kama hii:
```javascript
window.addEventListener('message', (e) => {
if (e.data == 'blob loaded') {
$("#previewModal").modal();
}
});
```
hivyo ilikuwa inawezekana kutuma **nambari kubwa katika postmessage** ambayo itakuwa **imebadilishwa kuwa mfuatano** katika kulinganisha hiyo, ambayo itachukua muda:
```bash
const buffer = new Uint8Array(1e7);
win?.postMessage(buffer, '*', [buffer.buffer]);
```
Na ili kuwa sahihi na **kutuma** hiyo **postmessage** mara tu **iframe** inaundwa lakini **kabla** haijawa **tayari** kupokea data kutoka kwa mzazi, utahitaji **kucheza na milisekunde za `setTimeout`**.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink