hacktricks/pentesting-web/xss-cross-site-scripting/dom-xss.md
2024-02-11 02:13:58 +00:00


# DOM XSS
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## DOM Vulnerabilities
DOM vulnerabilities occur when data from attacker-controlled **sources** (such as `location.search`, `document.referrer`, or `document.cookie`) is passed unsafely to **sinks**. Sinks are functions or objects (for example `eval()`, `document.body.innerHTML`) that can execute or render harmful content if they are given malicious data.
- **Sources** are inputs that can be manipulated by attackers, including URLs, cookies, and web messages.
- **Sinks** are dangerous endpoints where malicious data can cause adverse effects, such as script execution.
The risk arises when data flows from a source to a sink without proper validation or sanitization, enabling attacks like XSS.
{% hint style="info" %}
**You can find a more up-to-date list of sources and sinks at** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)
{% endhint %}
**Common sources:**
```javascript
document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database
```
**Common sinks:**
| [**Open Redirect**](dom-xss.md#open-redirect) | [**Javascript Injection**](dom-xss.md#javascript-injection) | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation) | **jQuery** |
| --- | --- | --- | --- |
| `location` | `eval()` | `scriptElement.src` | `add()` |
| `location.host` | `Function() constructor` | `scriptElement.text` | `after()` |
| `location.hostname` | `setTimeout()` | `scriptElement.textContent` | `append()` |
| `location.href` | `setInterval()` | `scriptElement.innerText` | `animate()` |
| `location.pathname` | `setImmediate()` | `someDOMElement.setAttribute()` | `insertAfter()` |
| `location.search` | `execCommand()` | `someDOMElement.search` | `insertBefore()` |
| `location.protocol` | `execScript()` | `someDOMElement.text` | `before()` |
| `location.assign()` | `msSetImmediate()` | `someDOMElement.textContent` | `html()` |
| `location.replace()` | `range.createContextualFragment()` | `someDOMElement.innerText` | `prepend()` |
| `open()` | `crypto.generateCRMFRequest()` | `someDOMElement.outerText` | `replaceAll()` |
| `domElem.srcdoc` | [**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value` | `replaceWith()` |
| `XMLHttpRequest.open()` | `FileReader.readAsArrayBuffer()` | `someDOMElement.name` | `wrap()` |
| `XMLHttpRequest.send()` | `FileReader.readAsBinaryString()` | `someDOMElement.target` | `wrapInner()` |
| `jQuery.ajax()` | `FileReader.readAsDataURL()` | `someDOMElement.method` | `wrapAll()` |
| `$.ajax()` | `FileReader.readAsText()` | `someDOMElement.type` | `has()` |
| [**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation) | `FileReader.readAsFile()` | `someDOMElement.backgroundImage` | `constructor()` |
| `XMLHttpRequest.setRequestHeader()` | `FileReader.root.getFile()` | `someDOMElement.cssText` | `init()` |
| `XMLHttpRequest.open()` | `FileReader.root.getFile()` | `someDOMElement.codebase` | `index()` |
| `XMLHttpRequest.send()` | [**Link manipulation**](dom-xss.md#link-manipulation) | `someDOMElement.innerHTML` | `jQuery.parseHTML()` |
| `jQuery.globalEval()` | `someDOMElement.href` | `someDOMElement.outerHTML` | `$.parseHTML()` |
| `$.globalEval()` | `someDOMElement.src` | `someDOMElement.insertAdjacentHTML` | [**Client-side JSON injection**](dom-xss.md#client-side-json-injection) |
| [**HTML5-storage manipulation**](dom-xss.md#html-5-storage-manipulation) | `someDOMElement.action` | `someDOMElement.onevent` | `JSON.parse()` |
| `sessionStorage.setItem()` | [**XPath injection**](dom-xss.md#xpath-injection) | `document.write()` | `jQuery.parseJSON()` |
| `localStorage.setItem()` | `document.evaluate()` | `document.writeln()` | `$.parseJSON()` |
| [**Denial of Service**](dom-xss.md#denial-of-service) | `someDOMElement.evaluate()` | `document.title` | [**Cookie manipulation**](dom-xss.md#cookie-manipulation) |
| `requestFileSystem()` | [**Document-domain manipulation**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()` | `document.cookie` |
| `RegExp()` | `document.domain` | `history.pushState()` | [**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning) |
| [**Client-side SQL injection**](dom-xss.md#client-side-sql-injection) | [**Web-message manipulation**](dom-xss.md#web-message-manipulation) | `history.replaceState()` | `WebSocket` |
| `executeSql()` | `postMessage()` | | |
The **`innerHTML`** sink does not accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.
This kind of XSS is probably the **hardest to find**, since you need to look inside the JS code, see whether it **uses** any object whose **value you control**, and in that case, see whether there is **any way to abuse it** to execute arbitrary JS.
## Tools to find them
* [https://github.com/mozilla/eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized)
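As an added illustration of the source-to-sink idea above (this is not HackTricks' code nor the eslint plugin), a deliberately simple line-oriented scanner: it tracks variables derived from a few of the sources listed above and reports lines where they reach an HTML, code-execution or navigation sink. The script it scans is constructed; a real tool would need a proper parser and sanitizer awareness.

```javascript
// Added example: a line-oriented taint scanner for JavaScript source (not HackTricks' code).
// Source and sink lists are a subset of the tables above; property sinks must appear on
// the left of an assignment, call sinks (ending in "(") anywhere on the line.
const SOURCES = [
  "location.search", "location.hash", "location.href", "location.pathname",
  "document.URL", "document.documentURI", "document.baseURI", "document.referrer",
  "document.cookie", "window.name", "localStorage.getItem(", "sessionStorage.getItem(",
];
const SINKS = [
  ".innerHTML", ".outerHTML", "location.href", ".href", ".src", ".insertAdjacentHTML(",
  "document.write(", "document.writeln(", "eval(", "Function(", "setTimeout(",
  "setInterval(", "location.assign(", "location.replace(", ".html(", "$.globalEval(",
];
// "name = <rhs>" with optional const/let/var: captures the variable that receives the data.
const ASSIGN = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?![=>])/;
// First single "=" (not ==, !=, <=, >=, =>): splits a line into lhs and rhs.
const FIRST_EQ = /(?<![=!<>])=(?![=>])/;
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function findSourceToSinkFlows(code) {
  const tainted = new Set(); // variables that (transitively) hold source data
  const findings = [];
  code.split("\n").forEach((line, i) => {
    const eq = FIRST_EQ.exec(line);
    const lhs = eq ? line.slice(0, eq.index) : "";
    const rhs = eq ? line.slice(eq.index + 1) : line;
    // Attacker-influenced data on the right-hand side: a raw source or a tainted variable.
    const via = SOURCES.find((s) => rhs.includes(s)) ||
      [...tainted].find((v) => new RegExp(`\\b${escapeRe(v)}\\b`).test(rhs));
    if (!via) return;
    const assign = ASSIGN.exec(line);
    if (assign) tainted.add(assign[1]); // taint propagates through the assignment
    const sink = SINKS.find((s) => (s.endsWith("(") ? line : lhs).includes(s));
    if (sink) findings.push({ line: i + 1, sink, via });
  });
  return findings;
}

// Constructed sample page script (not taken from any real site).
const SAMPLE = [
  "const params = new URLSearchParams(location.search);",
  "const name = params.get('name');",
  "document.getElementById('greet').innerHTML = 'Hi ' + name;",
  "document.getElementById('greet').textContent = name;",
  "const page = location.hash.slice(1);",
  "setTimeout(\"render('\" + page + \"')\", 0);",
  "document.getElementById('note').innerHTML = '<b>static text</b>';",
  "location.href = document.referrer;",
].join("\n");

console.log(findSourceToSinkFlows(SAMPLE)); // flags lines 3, 6 and 8 only
```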
## Examples
### Open Redirect
From: [https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection)
**DOM-based open-redirection vulnerabilities** arise when a script writes attacker-controllable data into a sink that can trigger cross-domain navigation.
It is important to understand that executing arbitrary code, such as **`javascript:alert(1)`**, is possible if you have control over the start of the URL where the redirection occurs.
Sinks:
```javascript
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
```
### Cookie Manipulation
From: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation)
DOM-based cookie-manipulation vulnerabilities occur when a script incorporates data, which can be controlled by an attacker, into the value of a cookie. This vulnerability can lead to unexpected behaviour of the web page if the cookie is used within the site. Additionally, it can be exploited to conduct a session-fixation attack if the cookie is involved in tracking user sessions. The primary sink associated with this vulnerability is:
Sink:
```javascript
document.cookie
```
### JavaScript Injection
From: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection)
DOM-based JavaScript-injection vulnerabilities arise when a script executes data, which can be controlled by an attacker, as JavaScript code.
Sinks:
```javascript
eval()
Function() constructor
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()
```
### Document-domain manipulation
From: [https://portswigger.net/web-security/dom-based/document-domain-manipulation](https://portswigger.net/web-security/dom-based/document-domain-manipulation)
**Document-domain manipulation vulnerabilities** occur when a script sets the `document.domain` property using data an attacker can control.
The `document.domain` property plays a **key role** in how browsers **enforce** the **same-origin policy**. When two pages from different origins set their `document.domain` to the **same value**, they can interact without restrictions. Although browsers do not allow every value to be assigned to `document.domain`, rejecting values completely unrelated to the page's actual origin, there are exceptions. Typically, browsers allow the use of **child domains** or **parent domains**.
Sinks:
```javascript
document.domain
```
### WebSocket-URL poisoning
From: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning)
**WebSocket-URL poisoning** occurs when a script uses **controllable data as the target URL** of a WebSocket connection.
Sinks:
The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities.
### Link Manipulation
From: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation)
**DOM-based link-manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a navigation target** within the current page, such as a clickable link or the submission URL of a form.
Sinks:
```javascript
someDOMElement.href
someDOMElement.src
someDOMElement.action
```
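For the open-redirect and link-manipulation sinks above, an added defensive check (not from the page or PortSwigger): the WHATWG `URL` parser resolves the attacker-influenced value and the code accepts it only as http(s), and for redirects only on the application's own origin. The app origin `https://app.example` is an assumed placeholder.

```javascript
// Added example (not from the page): validating attacker-influenced navigation targets
// before they reach sinks such as location.href, location.assign() or an <a>.href.
// The app origin is an assumed placeholder.
const APP_BASE = "https://app.example/";

// Resolve `input` against the app origin and keep it only if it is http(s). The WHATWG
// parser lowercases the scheme and strips leading whitespace/control characters, so
// "JaVaScRiPt:..." and " javascript:..." are still rejected, and it treats "\" like "/"
// in special schemes, so "/\evil.example" resolves to host evil.example.
function parseNavigationTarget(input, base = APP_BASE) {
  let url;
  try {
    url = new URL(String(input), base);
  } catch (e) {
    return null; // unparseable: never navigate on it
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url : null;
}

// Redirect targets must stay on our own origin: "//evil.example", "https://evil.example"
// and "/\evil.example" are rejected, while "/account?x=1#top" is allowed.
function safeRedirectTarget(input, base = APP_BASE) {
  const url = parseNavigationTarget(input, base);
  if (!url || url.origin !== new URL(base).origin) return null;
  return url.href;
}

// Rendered links may point off-site, but never to javascript:, data:, vbscript: or similar.
function safeLinkHref(input, base = APP_BASE) {
  const url = parseNavigationTarget(input, base);
  return url ? url.href : null;
}

// Constructed inputs: maps each input to [accepted redirect target, accepted link href].
function demoTargets() {
  const inputs = ["/account?x=1#top", "//evil.example/", "/\\evil.example/",
                  "javascript:alert(1)", " JaVaScRiPt:alert(1)", "https://partner.example/doc"];
  return Object.fromEntries(inputs.map((i) => [i, [safeRedirectTarget(i), safeLinkHref(i)]]));
}
console.log(demoTargets());
```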
### Ajax request manipulation
From: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation)
**Ajax request manipulation vulnerabilities** arise when a script writes **attacker-controllable data into an Ajax request** that is issued using an `XmlHttpRequest` object.
Sinks:
```javascript
XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()
```
### Local file-path manipulation
From: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation)
**Local file-path manipulation vulnerabilities** arise when a script passes **attacker-controllable data to a file-handling API** as the `filename` parameter. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, could cause the **user's browser to open or write an arbitrary local file**.
Sinks:
```javascript
FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()
```
### Client-side SQL injection
From: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection)
**Client-side SQL-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into a client-side SQL query in an unsafe way**.
Sinks:
```javascript
executeSql()
```
### HTML5-storage manipulation
From: [https://portswigger.net/web-security/dom-based/html5-storage-manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation)
**HTML5-storage manipulation vulnerabilities** arise when a script **stores attacker-controllable data in the web browser's HTML5 storage** (`localStorage` or `sessionStorage`). While this action is not inherently a security risk by itself, it becomes problematic if the application later reads the stored data and processes it unsafely. This can allow an attacker to leverage the storage mechanism to conduct other DOM-based attacks, such as cross-site scripting and JavaScript injection.
Sinks:
```javascript
sessionStorage.setItem()
localStorage.setItem()
```
### XPath injection
From: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection)
**DOM-based XPath-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into an XPath query**.
Sinks:
```javascript
document.evaluate()
someDOMElement.evaluate()
```
### Client-side JSON injection
From: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection)
**DOM-based JSON-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application**.
Sinks:
```javascript
JSON.parse()
jQuery.parseJSON()
$.parseJSON()
```
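An added example (not from the page) of the JSON-injection pattern just described: the same profile record built by splicing an untrusted display name into JSON text, beside the fix of serializing an object. The payload and the record layout are constructed for the illustration.

```javascript
// Added example (not from the page): the same profile record built two ways from an
// untrusted display name. JSON.parse keeps the LAST duplicate key it sees, which is what
// makes the concatenation version exploitable.
function buildProfileUnsafe(displayName) {
  // Vulnerable: the value is spliced into JSON text and then parsed; a quote in the
  // name closes the string early and whatever follows becomes extra JSON members.
  return JSON.parse('{"role":"user","name":"' + displayName + '"}');
}

function buildProfileSafe(displayName) {
  // Fixed: build the object first and serialize it; JSON.stringify escapes quotes and
  // backslashes, so the name can only ever land inside the "name" string.
  return JSON.parse(JSON.stringify({ role: "user", name: displayName }));
}

// Constructed input that closes the "name" string and appends a second "role" member.
const INJECTED_NAME = 'bob","role":"admin';

function demoJson() {
  return {
    unsafeRole: buildProfileUnsafe(INJECTED_NAME).role, // "admin": the injected key wins
    safeRole: buildProfileSafe(INJECTED_NAME).role,     // "user"
    safeName: buildProfileSafe(INJECTED_NAME).name,     // the raw input, quotes included
  };
}
console.log(demoJson());
```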
### Web-message manipulation
From: [https://portswigger.net/web-security/dom-based/web-message-manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation)
**Web-message vulnerabilities** arise when a script sends **attacker-controllable data as a web message to another document** within the browser. An **example** of web-message manipulation can be found at [PortSwigger's Web Security Academy](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source).
Sinks:
The `postMessage()` method for sending web messages can lead to vulnerabilities if the event listener that receives the messages handles the incoming data in an unsafe way.
### DOM-data manipulation
From: [https://portswigger.net/web-security/dom-based/dom-data-manipulation](https://portswigger.net/web-security/dom-based/dom-data-manipulation)
**DOM-data manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a field within the DOM** that is used in the visible UI or client-side logic. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, can alter the appearance or behaviour of the client-side UI.
Sinks:
```javascript
scriptElement.src
scriptElement.text
scriptElement.textContent
scriptElement.innerText
someDOMElement.setAttribute()
someDOMElement.search
someDOMElement.text
someDOMElement.textContent
someDOMElement.innerText
someDOMElement.outerText
someDOMElement.value
someDOMElement.name
someDOMElement.target
someDOMElement.method
someDOMElement.type
someDOMElement.backgroundImage
someDOMElement.cssText
someDOMElement.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()
```
### Denial of Service
From: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service)
**DOM-based denial-of-service vulnerabilities** occur when a script passes **attacker-controllable data in an unsafe way to a problematic platform API**. This includes APIs that, when invoked, can cause the user's computer to consume **excessive amounts of CPU or disk space**. Such vulnerabilities can have significant side effects, such as the browser restricting the website's functionality by rejecting attempts to store data in `localStorage` or terminating busy scripts.
Sinks:
```javascript
requestFileSystem()
RegExp()
```
## Dom Clobbering
{% content-ref url="dom-clobbering.md" %}
[dom-clobbering.md](dom-clobbering.md)
{% endcontent-ref %}