XS-Search/XS-Leaks
XS-Search is a method used for extracting cross-origin information by leveraging side-channel vulnerabilities.
Key components involved in this attack include:
Vulnerable Web: The target website from which information is intended to be extracted.
Attacker's Web: The malicious website created by the attacker, which the victim visits and which hosts the exploit.
Inclusion Method: The technique employed to incorporate the Vulnerable Web into the Attacker's Web (e.g., window.open, iframe, fetch, an HTML tag with href, etc.).
Leak Technique: Techniques used to discern differences in the state of the Vulnerable Web based on information gathered through the inclusion method.
States: The two possible conditions of the Vulnerable Web, which the attacker aims to distinguish.
Detectable Differences: Observable variations that the attacker relies on to infer the state of the Vulnerable Web.
Several aspects can be analyzed to differentiate the states of the Vulnerable Web:
Status Code: Distinguishing between various HTTP response status codes cross-origin, such as server errors, client errors, or authentication errors.
API Usage: Identifying the usage of Web APIs across pages, revealing whether a cross-origin page uses a specific JavaScript Web API.
Redirects: Detecting navigations to different pages, not just HTTP redirects but also those triggered by JavaScript or HTML.
Page Content: Observing variations in the HTTP response body or in page sub-resources, such as the number of embedded frames or size differences in images.
HTTP Header: Noting the presence, or possibly the value, of a specific HTTP response header, including headers like X-Frame-Options, Content-Disposition, and Cross-Origin-Resource-Policy.
Timing: Noticing consistent time disparities between the two states.
HTML Elements: HTML offers various elements for cross-origin resource inclusion, like stylesheets, images, or scripts, compelling the browser to request a non-HTML resource. A compilation of HTML elements that can be used for this purpose can be found at https://github.com/cure53/HTTPLeaks.
Frames: Elements such as iframe, object, and embed can embed HTML resources directly into the attacker's page. If the page lacks framing protection, JavaScript can access the framed resource's window object via the contentWindow property.
Pop-ups: The window.open method opens a resource in a new tab or window, providing a window handle for JavaScript to interact with methods and properties following the SOP. Pop-ups, often used in single sign-on, circumvent framing and cookie restrictions of a target resource. However, modern browsers restrict pop-up creation to certain user actions.
JavaScript Requests: JavaScript allows direct requests to target resources using XMLHttpRequest or the Fetch API. These methods offer precise control over the request, like opting to follow HTTP redirects.
Event Handler: A classic leak technique in XS-Leaks, where event handlers like onload and onerror provide insights about resource loading success or failure.
Error Messages: JavaScript exceptions or special error pages can provide leak information either directly from the error message or by differentiating between its presence and absence.
Global Limits: Physical limitations of a browser, like memory capacity or other enforced browser limits, can signal when a threshold is reached, serving as a leak technique.
Global State: Detectable interactions with the browser's global state (e.g., the History interface) can be exploited. For instance, the number of entries in the browser's history can offer clues about cross-origin pages.
Performance API: This API provides performance details of the current page, including network timing for the document and loaded resources, enabling inferences about requested resources.
Readable Attributes: Some HTML attributes are readable cross-origin and can be used as a leak technique. For instance, the window.frames.length property allows JavaScript to count the frames included in a cross-origin web page.
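The inclusion methods above all reach the Vulnerable Web through a cross-site request, which is exactly what a server-side resource isolation policy built on the Sec-Fetch-* request headers can refuse before any user-dependent work runs. Added example, not code from the original page: the policy as a pure function, plus the response headers that counter the frame, pop-up, HTML-element and cache based techniques described on this page. The header values are standard; the function names and the lower-cased `headers` object shape are assumptions.

```javascript
// Added example: a Fetch Metadata based resource isolation policy, written as
// a pure function so it can be unit tested without a web server.
// Assumption: `headers` is a plain object of lower-cased request headers
// (the shape Node's IncomingMessage.headers has).

/**
 * Decide whether a request may proceed.
 * Returns { allow: boolean, reason: string }.
 */
function resourceIsolationPolicy(headers, { method = "GET", path = "/" } = {}) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"] || "empty"; // fetch()/XHR send "empty"

  // Older browsers send no Fetch Metadata at all; the server cannot tell
  // where the request came from, so this policy allows it (a site that only
  // supports modern browsers can fail closed here instead).
  if (site === undefined) return { allow: true, reason: "no-fetch-metadata" };

  // Same-origin, same-site and user-initiated (address bar, bookmark)
  // requests are not cross-site inclusions.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: `site=${site}` };
  }

  // A cross-site top-level navigation (the user follows a link) is the one
  // cross-site request a public site normally wants. Only GET, and only when
  // the destination is the top-level document: navigations into an iframe,
  // object or embed (dest "iframe", "object", "embed", ...) are refused, so
  // the Frames inclusion method gets no state-dependent response.
  if (mode === "navigate" && method === "GET" && dest === "document") {
    return { allow: true, reason: "cross-site-navigation" };
  }

  // Everything else (cross-site <img>, <script>, <link>, fetch in no-cors or
  // cors mode, ...) is refused up front with one fixed response, so status
  // code, timing and body cannot differ with the victim's state.
  return { allow: false, reason: `cross-site ${mode} request, dest=${dest}, path=${path}` };
}

/** Response headers that counter the leak techniques named on this page. */
function hardenedResponseHeaders() {
  return {
    // Frames: block framing entirely (also blocks contentWindow access).
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    // HTML Elements / CORB: refuse no-cors cross-origin loads and make the
    // Content-Type authoritative so the browser can protect the body.
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
    // Pop-ups: sever the opener/openee relationship across sites.
    "Cross-Origin-Opener-Policy": "same-origin",
    // Cache probing: keep per-user responses out of the shared cache.
    // (Timing-Allow-Origin is deliberately not set, so the Performance API
    // exposes only the restricted cross-origin subset of timing data.)
    "Cache-Control": "no-store",
  };
}
```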
XSinator is an automatic tool to check browsers against several known XS-Leaks explained in its paper: https://xsinator.com/paper.pdf
You can find the tool at https://xsinator.com/
Excluded XS-Leaks: We had to exclude XS-Leaks that rely on service workers as they would interfere with other leaks in XSinator. Furthermore, we chose to exclude XS-Leaks that rely on misconfiguration and bugs in a specific web application. For example, Cross-Origin Resource Sharing (CORS) misconfigurations, postMessage leakage, or Cross-Site Scripting. Additionally, we excluded time-based XS-Leaks since they often suffer from being slow, noisy, and inaccurate.
Some of the following techniques use timing as part of the process to detect differences in the possible states of the web pages. There are different ways to measure time in a web browser.
Clocks: The performance.now() API allows developers to get high-resolution timing measurements. There is a considerable number of APIs attackers can abuse to create implicit clocks: Broadcast Channel API, Message Channel API, requestAnimationFrame, setTimeout, CSS animations, and others. For more info: https://xsleaks.dev/docs/attacks/timing-attacks/clocks.
Inclusion Methods: Frames, HTML Elements
Detectable Difference: Status Code
Summary: when trying to load a resource, the onerror/onload events are triggered when the resource fails/succeeds to load, so it is possible to figure out the status code.
The code example tries to load script objects from JS, but other tags such as objects, stylesheets, images or audio could also be used. Moreover, it is also possible to inject the tag directly and declare the onload and onerror events inside the tag (instead of injecting it from JS).
There is also a script-less version of this attack:
In this case, if example.com/404 is not found, attacker.com/?error will be loaded.
Inclusion Methods: HTML Elements
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: The performance.now() API can be used to measure how much time it takes to perform a request. However, other clocks could be used, such as PerformanceLongTaskTiming API which can identify tasks running for more than 50ms.
Code Example: https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events another example in:
This technique is just like the previous one, but the attacker will also force some action to take a relevant amount of time when the answer is positive or negative and measure that time.
performance.now + Force heavy task
Inclusion Methods: Frames
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: The SharedArrayBuffer clock can be used to measure how much time it takes to perform a request. Other clocks could be used.
The time taken to fetch a resource can be measured by utilizing the unload and beforeunload events. The beforeunload event is fired when the browser is about to navigate to a new page, while the unload event occurs when the navigation is actually taking place. The time difference between these two events can be calculated to determine the duration the browser spent fetching the resource.
Inclusion Methods: Frames
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: The performance.now() API can be used to measure how much time it takes to perform a request. Other clocks could be used.
It has been observed that in the absence of Framing Protections, the time required for a page and its sub-resources to load over the network can be measured by an attacker. This measurement is typically possible because the onload handler of an iframe is triggered only after the completion of resource loading and JavaScript execution. To bypass the variability introduced by script execution, an attacker might employ the sandbox attribute within the <iframe>. The inclusion of this attribute restricts numerous functionalities, notably the execution of JavaScript, thereby facilitating a measurement that is predominantly influenced by network performance.
Inclusion Methods: Frames
Detectable Difference: Page Content
Summary: If you can make the page error when the correct content is accessed and make it load correctly when any content is accessed, then you can make a loop to extract all the information without measuring time.
Code Example:
Suppose that you can insert the page that has the secret content inside an Iframe.
You can make the victim search for the file that contains "flag" using an Iframe (exploiting a CSRF for example). Inside the Iframe you know that the onload event will be executed always at least once. Then, you can change the URL of the iframe but changing only the content of the hash inside the URL.
For example:
URL1: www.attacker.com/xssearch#try1
URL2: www.attacker.com/xssearch#try2
If the first URL was successfully loaded, then, when changing the hash part of the URL the onload event won't be triggered again. But if the page had some kind of error when loading, then, the onload event will be triggered again.
Then, you can distinguish between a correctly loaded page and a page that produces an error when accessed.
Inclusion Methods: Frames
Detectable Difference: Page Content
Summary: If the page returns sensitive content, or content that can be controlled by the user, the user could set valid JS code in the negative case and load each try inside <script> tags, so in negative cases the attacker's code is executed, and in affirmative cases nothing will be executed.
Code Example:
Inclusion Methods: HTML Elements
Detectable Difference: Status Code & Headers
Summary: Cross-Origin Read Blocking (CORB) is a security measure that prevents web pages from loading certain sensitive cross-origin resources to protect against attacks like Spectre. However, attackers can exploit its protective behavior. When a response subject to CORB returns a CORB-protected Content-Type with nosniff and a 2xx status code, CORB strips the response's body and headers. Attackers observing this can infer the combination of the status code (indicating success or error) and the Content-Type (denoting whether it is protected by CORB), leading to potential information leakage.
Code Example:
Check the more information link for more information about the attack.
Inclusion Methods: Frames
Detectable Difference: Page Content
Summary: Leak sensitive data from the id or name attribute.
It's possible to load a page inside an iframe and use the #id_value to make the page focus on the element of the iframe with the indicated id; then, if an onblur signal is triggered, the ID element exists.
You can perform the same attack with portal tags.
Inclusion Methods: Frames, Pop-ups
Detectable Difference: API Usage
Summary: Gather sensitive information from a postMessage or use the presence of postMessages as an oracle to know the status of the user in the page
Code Example: Any code listening for all postMessages.
Applications frequently utilize postMessage broadcasts to communicate across different origins. However, this method can inadvertently expose sensitive information if the targetOrigin parameter is not properly specified, allowing any window to receive the messages. Furthermore, the mere act of receiving a message can act as an oracle; for instance, certain messages might only be sent to users who are logged in. Therefore, the presence or absence of these messages can reveal information about the user's state or identity, such as whether they are authenticated or not.
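An added example, not from the original page, of the sending and receiving discipline that removes this oracle: the sender names the target origin instead of "*", and the receiver checks event.origin against an allowlist and never replies to an unknown sender. The origin names and the minimal window stand-in are assumptions so the code runs outside a browser.

```javascript
// Added example: postMessage with an explicit targetOrigin on the sending
// side and an origin allowlist on the receiving side. Origins below are
// constructed for the example.
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://auth.example"]);

/**
 * Post `data` to `targetWindow`, but only for the named origin. A wildcard
 * or malformed targetOrigin is refused: with "*" any page that holds a
 * reference to the window (an embedding frame, an opener) would receive the
 * message, including any user state it carries.
 */
function sendToOrigin(targetWindow, data, targetOrigin) {
  if (typeof targetOrigin !== "string" || targetOrigin === "*" ||
      !/^https:\/\/[^/]+$/.test(targetOrigin)) {
    throw new Error(`refusing to post message to origin ${String(targetOrigin)}`);
  }
  targetWindow.postMessage(data, targetOrigin);
  return true;
}

/**
 * Message handler. Anything not from a trusted origin is dropped silently:
 * a reply to an unknown sender, even an error, would itself tell that sender
 * whether this page is present and listening. Returns the accepted message
 * (or null) so the decision can be tested directly; in a browser it would
 * be registered with window.addEventListener("message", handleMessage).
 */
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (typeof event.data !== "object" || event.data === null) return null;
  if (event.data.type !== "session-status") return null;
  return { from: event.origin, type: event.data.type };
}

// Constructed stand-in for a window reference that records what was posted.
function fakeWindow() {
  const posted = [];
  return { posted, postMessage(data, origin) { posted.push({ data, origin }); } };
}
```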
Inclusion Methods: Frames, Pop-ups
Detectable Difference: API Usage
More info: https://xsinator.com/paper.pdf (5.1)
Summary: Exhausting the WebSocket connection limit leaks the number of WebSocket connections of a cross-origin page.
It is possible to identify if, and how many, WebSocket connections a target page uses. It allows an attacker to detect application states and leak information tied to the number of WebSocket connections.
If one origin uses the maximum number of WebSocket connection objects, regardless of their connection state, the creation of new objects will result in JavaScript exceptions. To execute this attack, the attacker website opens the target website in a pop-up or iframe and then, after the target web has been loaded, attempts to create the maximum number of WebSocket connections possible. The number of thrown exceptions is the number of WebSocket connections used by the target website window.
Inclusion Methods: Frames, Pop-ups
Detectable Difference: API Usage
More info: https://xsinator.com/paper.pdf (5.1)
Summary: Detect a Payment Request because only one can be active at a time.
Code Example: https://xsinator.com/testing.html#Payment%20API%20Leak
This XS-Leak enables an attacker to detect when a cross-origin page initiates a payment request.
Because only one payment request can be active at the same time, if the target website is using the Payment Request API, any further attempts to use this API will fail and cause a JavaScript exception. The attacker can exploit this by periodically attempting to show the Payment API UI. If one attempt causes an exception, the target website is currently using it. The attacker can hide these periodic attempts by immediately closing the UI after creation.
Inclusion Methods:
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: Measure the execution time of a web page by abusing the single-threaded JS event loop.
Code Example:
JavaScript operates on a single-threaded event loop concurrency model, signifying that it can only execute one task at a time. This characteristic can be exploited to gauge how long code from a different origin takes to execute. An attacker can measure the execution time of their own code in the event loop by continuously dispatching events with fixed properties. These events will be processed when the event pool is empty. If other origins are also dispatching events to the same pool, an attacker can infer the time it takes for these external events to execute by observing delays in the execution of their own tasks. This method of monitoring the event loop for delays can reveal the execution time of code from different origins, potentially exposing sensitive information.
In an execution timing it's possible to eliminate network factors to obtain more precise measurements. For example, by loading the resources used by the page before loading it.
Inclusion Methods:
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: One method to measure the execution time of a web operation involves intentionally blocking the single-threaded event loop and then timing how long it takes for the event loop to become available again. By inserting a blocking operation (such as a long computation or a synchronous API call) into the event loop, and monitoring the time it takes for subsequent code to start executing, one can infer the duration of the tasks that were executing in the event loop during the blocking period. This technique leverages the single-threaded nature of JavaScript's event loop, where tasks are executed sequentially, and can provide insights into the performance or behavior of other operations sharing the same thread.
Code Example:
A significant advantage of the technique of measuring execution time by locking the event loop is its potential to circumvent Site Isolation. Site Isolation is a security feature that separates different websites into separate processes, aiming to prevent malicious sites from directly accessing sensitive data from other sites. However, by influencing the execution timing of another origin through the shared event loop, an attacker can indirectly extract information about that origin's activities. This method does not rely on direct access to the other origin's data but rather observes the impact of that origin's activities on the shared event loop, thus evading the protective barriers established by Site Isolation.
In an execution timing it's possible to eliminate network factors to obtain more precise measurements. For example, by loading the resources used by the page before loading it.
Inclusion Methods: JavaScript Requests
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: An attacker could lock all the sockets except one, load the target web and at the same time load another page; the time until the last page starts loading is the time the target page took to load.
Code Example:
Browsers utilize sockets for server communication, but due to the limited resources of the operating system and hardware, browsers are compelled to impose a limit on the number of concurrent sockets. Attackers can exploit this limitation through the following steps:
Ascertain the browser's socket limit, for instance, 256 global sockets.
Occupy 255 sockets for an extended duration by initiating 255 requests to various hosts, designed to keep the connections open without completing.
Employ the 256th socket to send a request to the target page.
Attempt a 257th request to a different host. Given that all sockets are in use (as per steps 2 and 3), this request will be queued until a socket becomes available. The delay before this request proceeds provides the attacker with timing information about the network activity related to the 256th socket (the target page's socket). This inference is possible because the 255 sockets from step 2 are still engaged, implying that any newly available socket must be the one released from step 3. The time taken for the 256th socket to become available is thus directly linked to the time required for the request to the target page to complete.
For more info: https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/
Inclusion Methods: JavaScript Requests
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: It's like the previous technique, but instead of using all the sockets, Google Chrome puts a limit of 6 concurrent requests to the same origin. If we block 5 and then launch a 6th request we can time it, and if we managed to make the victim page send more requests to the same endpoint to detect a status of the page, the 6th request will take longer and we can detect it.
The Performance API offers insights into the performance metrics of web applications, further enriched by the Resource Timing API. The Resource Timing API enables the monitoring of detailed network request timings, such as the duration of the requests. Notably, when servers include the Timing-Allow-Origin: * header in their responses, additional data like the transfer size and domain lookup time becomes available.
This wealth of data can be retrieved via methods like performance.getEntries or performance.getEntriesByName, providing a comprehensive view of performance-related information. Additionally, the API facilitates the measurement of execution times by calculating the difference between timestamps obtained from performance.now(). However, it's worth noting that for certain operations in browsers like Chrome, the precision of performance.now() may be limited to milliseconds, which could affect the granularity of timing measurements.
Beyond timing measurements, the Performance API can be leveraged for security-related insights. For instance, the presence or absence of pages in the performance object in Chrome can indicate the application of X-Frame-Options. Specifically, if a page is blocked from rendering in a frame due to X-Frame-Options, it will not be recorded in the performance object, providing a subtle clue about the page's framing policies.
Inclusion Methods: Frames, HTML Elements
Detectable Difference: Status Code
More info: https://xsinator.com/paper.pdf (5.2)
Summary: Requests that result in errors do not create resource timing entries.
It is possible to differentiate between HTTP response status codes because requests that lead to an error do not create a performance entry.
Inclusion Methods: HTML Elements
Detectable Difference: Status Code
More info: https://xsinator.com/paper.pdf (5.2)
Summary: Because of a browser bug, requests that result in errors are loaded twice.
In the previous technique, two cases were also identified where browser bugs in GC lead to resources being loaded twice when they fail to load. This will result in multiple entries in the Performance API and can thus be detected.
Inclusion Methods: HTML Elements
Detectable Difference: Status Code
More info: https://xsinator.com/paper.pdf (5.2)
Summary: Requests that result in an error cannot be merged.
The technique was found in a table in the mentioned paper but no description of the technique was found on it. However, you can find the source code checking for it in https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak
Inclusion Methods: Frames
Detectable Difference: Page Content
More info: https://xsinator.com/paper.pdf (5.2)
Summary: Empty responses do not create resource timing entries.
An attacker can detect if a request resulted in an empty HTTP response body because empty pages do not create a performance entry in some browsers.
Inclusion Methods: Frames
Detectable Difference: Page Content
More info: https://xsinator.com/paper.pdf (5.2)
Summary: Using the XSS Auditor in Security Assertions, attackers can detect specific web page elements by observing alterations in responses when crafted payloads trigger the auditor's filtering mechanism.
In Security Assertions (SA), the XSS Auditor, originally intended to prevent Cross-Site Scripting (XSS) attacks, can paradoxically be exploited to leak sensitive information. Although this built-in feature was removed from Google Chrome (GC), it's still present in SA. In 2013, Braun and Heiderich demonstrated that the XSS Auditor could inadvertently block legitimate scripts, leading to false positives. Building on this, researchers developed techniques to extract information and detect specific content on cross-origin pages, a concept known as XS-Leaks, initially reported by Terada and elaborated by Heyes in a blog post. Although these techniques were specific to the XSS Auditor in GC, it was discovered that in SA, pages blocked by the XSS Auditor do not generate entries in the Performance API, revealing a method through which sensitive information might still be leaked.
Inclusion Methods: Frames
Detectable Difference: Header
Summary: A resource with the X-Frame-Options header does not create a resource timing entry.
If a page is not allowed to be rendered in an iframe, it does not create a performance entry. As a result, an attacker can detect the response header X-Frame-Options.
Same happens if you use an embed tag.
Inclusion Methods: Frames
Detectable Difference: Header
More info: https://xsinator.com/paper.pdf (5.2)
Summary: Downloads do not create resource timing entries in the Performance API.
Similar to the XS-Leak described above, a resource that is downloaded because of the Content-Disposition header also does not create a performance entry. This technique works in all major browsers.
Inclusion Methods: Frames
Detectable Difference: Redirect
More info: https://xsinator.com/paper.pdf (5.2)
Summary: The resource timing entry leaks the start time of a redirect.
We found one XS-Leak instance that abuses the behavior of some browsers which log too much information for cross-origin requests. The standard defines a subset of attributes that should be set to zero for cross-origin resources. However, in SA it is possible to detect if the user is redirected by the target page, by querying the Performance API and checking for the redirectStart timing data.
Inclusion Methods: Fetch API
Detectable Difference: Redirect
More info: https://xsinator.com/paper.pdf (5.2)
Summary: The duration of timing entries is negative when a redirect occurs.
In GC, the duration for requests that result in a redirect is negative and can thus be distinguished from requests that do not result in a redirect.
Inclusion Methods: Frames
Detectable Difference: Header
More info: https://xsinator.com/paper.pdf (5.2)
Summary: A resource protected with CORP does not create resource timing entries.
In some cases, the nextHopProtocol entry can be used as a leak technique. In GC, when the CORP header is set, the nextHopProtocol will be empty. Note that SA will not create a performance entry at all for CORP-enabled resources.
Inclusion Methods: Frames
Detectable Difference: API Usage
Summary: Detect if a service worker is registered for a specific origin.
Code Example:
Service workers are event-driven script contexts that run at an origin. They run in the background of a web page and can intercept, modify, and cache resources to create offline web applications. If a resource cached by a service worker is accessed via an iframe, the resource will be loaded from the service worker cache. To detect whether the resource was loaded from the service worker cache, the Performance API can be used. This could also be done with a timing attack (check the paper for more info).
Inclusion Methods: Fetch API
Detectable Difference: Timing
Summary: It's possible to check if a resource was stored in the cache.
Using the Performance API it's possible to check if a resource is cached.
Inclusion Methods: Fetch API
Detectable Difference: Page Content
Summary: It's possible to retrieve the network timing of a request from the performance API.
Inclusion Methods: HTML Elements (Video, Audio)
Detectable Difference: Status Code
Summary: In Firefox it's possible to accurately leak the status code of a cross-origin request.
Code Example: https://jsbin.com/nejatopusi/1/edit?html,css,js,output
The MediaError interface's message property uniquely identifies resources that load successfully with a distinct string. An attacker can exploit this feature by observing the message content, thereby deducing the response status of a cross-origin resource.
Inclusion Methods: Fetch API
Detectable Difference: Header
More info: https://xsinator.com/paper.pdf (5.3)
Summary: In Security Assertions (SA), CORS error messages inadvertently expose the full URL of redirected requests.
Code Example: https://xsinator.com/testing.html#CORS%20Error%20Leak
This technique enables an attacker to extract the destination of a cross-origin site's redirect by exploiting how Webkit-based browsers handle CORS requests. Specifically, when a CORS-enabled request is sent to a target site that issues a redirect based on user state and the browser subsequently denies the request, the full URL of the redirect's target is disclosed within the error message. This vulnerability not only reveals the fact of the redirect but also exposes the redirect's endpoint and any sensitive query parameters it may contain.
Inclusion Methods: Fetch API
Detectable Difference: Header
More info: https://xsinator.com/paper.pdf (5.3)
Summary: In Security Assertions (SA), CORS error messages inadvertently expose the full URL of redirected requests.
Code Example: https://xsinator.com/testing.html#SRI%20Error%20Leak
An attacker can exploit verbose error messages to deduce the size of cross-origin responses. This is possible due to the mechanism of Subresource Integrity (SRI), which uses the integrity attribute to validate that resources fetched, often from CDNs, haven't been tampered with. For SRI to work on cross-origin resources, these must be CORS-enabled; otherwise, they're not subject to integrity checks. In Security Assertions (SA), much like the CORS error XS-Leak, an error message can be captured after a fetch request with an integrity attribute fails. Attackers can deliberately trigger this error by assigning a bogus hash value to the integrity attribute of any request. In SA, the resulting error message inadvertently reveals the content length of the requested resource. This information leakage allows an attacker to discern variations in response size, paving the way for sophisticated XS-Leak attacks.
Inclusion Methods: Pop-ups
Detectable Difference: Status Code
Summary: Allowing only the victim's website in the CSP; if it tries to redirect to a different domain, the CSP will trigger a detectable error.
An XS-Leak can use the CSP to detect if a cross-origin site was redirected to a different origin. This leak can detect the redirect, but additionally, the domain of the redirect target leaks. The basic idea of this attack is to allow the target domain on the attacker site. Once a request is issued to the target domain, it redirects to a cross-origin domain. CSP blocks the access to it and creates a violation report used as a leak technique. Depending on the browser, this report may leak the target location of the redirect. Modern browsers won't indicate the URL it was redirected to, but you can still detect that a cross-origin redirect was triggered.
Inclusion Methods: Frames, Pop-ups
Detectable Difference: Page Content
Summary: Evict a file from the cache. Open the target page and check if the file is present in the cache.
Code Example:
Browsers might use one shared cache for all websites. Regardless of their origin, it is possible to deduce whether a target page has requested a specific file.
If a page loads an image only if the user is logged in, you can invalidate the resource (so it's no longer cached if it was, see more info links), perform a request that could load that resource and try to load the resource with a bad request (e.g. using an overlong referer header). If the resource load didn't trigger any error, it's because it was cached.
Inclusion Methods: Frames
Detectable Difference: Header
Summary: CSP header directives can be probed using the CSP iframe attribute, revealing policy details.
Code Example: https://xsinator.com/testing.html#CSP%20Directive%20Leak
A novel feature in Google Chrome (GC) allows web pages to propose a Content Security Policy (CSP) by setting an attribute on an iframe element, with policy directives transmitted along with the HTTP request. Normally, the embedded content must authorize this via an HTTP header, or an error page is displayed. However, if the iframe is already governed by a CSP and the newly proposed policy isn't more restrictive, the page will load normally. This mechanism opens a pathway for an attacker to detect specific CSP directives of a cross-origin page by identifying the error page. Although this vulnerability was marked as fixed, our findings reveal a new leak technique capable of detecting the error page, suggesting that the underlying problem was never fully addressed.
Inclusion Methods: Fetch API
Detectable Difference: Header
Summary: Resources protected with Cross-Origin Resource Policy (CORP) will throw an error when fetched from a disallowed origin.
Code Example: https://xsinator.com/testing.html#CORP%20Leak
The CORP header is a relatively new web platform security feature that when set blocks no-cors cross-origin requests to the given resource. The presence of the header can be detected, because a resource protected with CORP will throw an error when fetched.
Inclusion Methods: HTML Elements
Detectable Difference: Headers
Summary: CORB can allow attackers to detect when the nosniff header is present in the request.
Code Example: https://xsinator.com/testing.html#CORB%20Leak
Check the link for more information about the attack.
Inclusion Methods: Fetch API
Detectable Difference: Headers
Summary: If the Origin header is reflected in the Access-Control-Allow-Origin header, it's possible to check whether a resource is already in the cache.
In case the Origin header is being reflected in the Access-Control-Allow-Origin header, an attacker can abuse this behaviour to try to fetch the resource in CORS mode. If an error isn't triggered, it means that it was correctly retrieved from the web; if an error is triggered, it's because it was served from the cache (the error appears because the cache stored a response with a CORS header allowing the original domain and not the attacker's domain).
Note that if the origin isn't reflected but a wildcard is used (Access-Control-Allow-Origin: *) this won't work.
Inclusion Methods: Fetch API
Detectable Difference: Status Code
Summary: GC and SA allow checking the response type (opaque-redirect) after a redirect has finished.
Submitting a request using the Fetch API with redirect: "manual" and other params, it's possible to read the response.type attribute; if it equals opaqueredirect then the response was a redirect.
Inclusion Methods: Pop-ups
Detectable Difference: Header
Summary: Pages protected with Cross-Origin Opener Policy (COOP) prevent access from cross-origin interactions.
Code Example: https://xsinator.com/testing.html#COOP%20Leak
An attacker is capable of deducing the presence of the Cross-Origin Opener Policy (COOP) header in a cross-origin HTTP response. COOP is utilized by web applications to hinder external sites from obtaining arbitrary window references. The visibility of this header can be discerned by attempting to access the contentWindow reference. In scenarios where COOP is applied conditionally, the opener property becomes a telltale indicator: it's undefined when COOP is active, and defined in its absence.
Inclusion Methods: Fetch API, HTML Elements
Detectable Difference: Status Code / Content
Summary: Detect differences in responses because the redirect response length might be too long for the server, so that it responds with an error and an alert is generated.
If a server-side redirect uses user input inside the redirection plus extra data, it's possible to detect this behaviour because servers usually have a request length limit. If the user data is that length minus 1, then, because the redirect is using that data and adding something extra, it will trigger an error detectable via Error Events.
If you can somehow set cookies for a user, you can also perform this attack by setting enough cookies (cookie bomb) so that, with the increased size of the correct response, an error is triggered. In this case, remember that if you trigger this request from a same site, <script> will automatically send the cookies (so you can check for errors).
An example of the cookie bomb + XS-Search can be found in the Intended solution of this writeup: https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended
SameSite=None or being in the same context is usually needed for this type of attack.
Inclusion Methods: Pop-ups
Detectable Difference: Status Code / Content
Summary: Detect differences in responses because the redirect response length might be too long for a request, so that a difference can be noticed.
According to Chromium documentation, Chrome's maximum URL length is 2MB.
In general, the web platform does not have limits on the length of URLs (although 2^31 is a common limit). Chrome limits URLs to a maximum length of 2MB for practical reasons and to avoid causing denial-of-service problems in inter-process communication.
Therefore, if the redirect URL responded is larger in one of the cases, it's possible to make it redirect with a URL larger than 2MB to hit the length limit. When this happens, Chrome shows an about:blank#blocked page.
The noticeable difference is that if the redirect was completed, window.origin throws an error because a cross origin cannot access that info. However, if the limit was hit and the loaded page was about:blank#blocked, the window's origin remains that of the parent, which is accessible information.
All the extra info needed to reach the 2MB can be added via a hash in the initial URL so it will be used in the redirect.
URL Max Length - Client Side
Inclusion Methods: Fetch API, Frames
Detectable Difference: Status Code
Summary: Use the browser's redirect limit to determine whether a URL redirection occurs.
Code Example: https://xsinator.com/testing.html#Max%20Redirect%20Leak
If the maximum number of redirects a browser follows is 20, an attacker could try to load their page with 19 redirects and finally send the victim to the tested page. If an error is triggered, then the page was trying to redirect the victim.
Inclusion Methods: Frames, Pop-ups
Detectable Difference: Redirects
Summary: JavaScript code manipulates the browser history, which can be accessed through the length property.
The History API allows JavaScript code to manipulate the browser history, which saves the pages visited by a user. An attacker can use the length property as an inclusion method: to detect JavaScript and HTML navigation.
Check history.length, make the user navigate to a page, change it back to the same origin, and check the new value of history.length.
Inclusion Methods: Frames, Pop-ups
Detectable Difference: If URL is the same as the guessed one
Summary: It's possible to guess whether the location of a frame/pop-up is at a specific URL by abusing the history length.
Code Example: Below
An attacker could use JavaScript code to manipulate the frame/pop-up location to a guessed one and immediately change it to about:blank. If the history length increased, it means the URL was correct and it had time to increase because the URL isn't reloaded if it's the same. If it didn't increase, it means it tried to load the guessed URL but, because we loaded about:blank immediately after, the history length never increased when loading the guessed URL.
Inclusion Methods: Frames, Pop-ups
Detectable Difference: Page Content
Summary: Assess the quantity of iframe elements by inspecting the window.length property.
Code Example: https://xsinator.com/testing.html#Frame%20Count%20Leak
Counting the number of frames in a web page opened via iframe or window.open might help to identify the status of the user on that page.
Moreover, if the page always has the same number of frames, checking the number of frames continuously might help to identify a pattern that could leak info.
An example of this technique is that in Chrome a PDF can be detected with frame counting because an embed is used internally. There are Open URL Parameters that allow some control over the content, such as zoom, view, page, toolbar, where this technique could be interesting.
Inclusion Methods: HTML Elements
Detectable Difference: Page Content
Summary: Read the leaked value to distinguish between 2 possible states
Information leakage through HTML elements is a concern in web security, particularly when dynamic media files are generated based on user information, or when watermarks are added, altering the media size. This can be exploited by attackers to differentiate between possible states by analyzing the information exposed by certain HTML elements.
HTMLMediaElement: This element reveals the duration and buffered times of the media, which can be accessed via its API. Read more about HTMLMediaElement
HTMLVideoElement: It exposes videoHeight and videoWidth. In some browsers, additional properties like webkitVideoDecodedByteCount, webkitAudioDecodedByteCount, and webkitDecodedFrameCount are available, offering more in-depth information about the media content. Read more about HTMLVideoElement
getVideoPlaybackQuality(): This function provides details about video playback quality, including totalVideoFrames, which can indicate the amount of video data processed. Read more about getVideoPlaybackQuality()
HTMLImageElement: This element leaks the height and width of an image. However, if an image is invalid, these properties will return 0, and the image.decode() function will be rejected, indicating the image failed to load properly. Read more about HTMLImageElement
Inclusion Methods: HTML Elements
Detectable Difference: Page Content
Summary: Identify variations in website styling that correlate with the user's state or status.
Code Example: https://xsinator.com/testing.html#CSS%20Property%20Leak
Web applications may change website styling depending on the status of the user. Cross-origin CSS files can be embedded on the attacker page with the HTML link element, and the rules will be applied to the attacker page. If a page dynamically changes these rules, an attacker can detect these differences depending on the user state.
As a leak technique, the attacker can use the window.getComputedStyle method to read CSS properties of a specific HTML element. As a result, an attacker can read arbitrary CSS properties if the affected element and property name are known.
Inclusion Methods: HTML Elements
Detectable Difference: Page Content
Summary: Detect whether the :visited style is applied to a URL, indicating it was already visited
According to this, this doesn't work in headless Chrome.
The CSS :visited selector is used to style URLs differently if they have previously been visited by the user. In the past, the getComputedStyle() method could be used to identify these style differences. However, modern browsers have implemented security measures to prevent this method from revealing the state of a link. These measures include always returning the computed style as if the link was visited and restricting the styles that can be applied with the :visited selector.
Despite these restrictions, it is possible to discern the visited state of a link indirectly. One technique involves tricking the user into interacting with an area affected by CSS, specifically using the mix-blend-mode property. This property allows blending elements with their background, potentially revealing the visited state based on user interaction.
Furthermore, detection can be achieved without user interaction by exploiting the rendering timing of links. Since browsers may render visited and unvisited links differently, this can introduce a measurable time difference in rendering. A proof of concept (PoC) was mentioned in a Chromium bug report, demonstrating this technique using multiple links to amplify the timing difference, thereby making the visited state detectable through timing analysis.
For further details on these properties and methods, visit their documentation pages:
:visited: MDN Documentation
getComputedStyle(): MDN Documentation
mix-blend-mode: MDN Documentation
Inclusion Methods: Frames
Detectable Difference: Headers
Summary: In Google Chrome, a dedicated error page is displayed when a page is blocked from being embedded on a cross-origin site due to X-Frame-Options restrictions.
In Chrome, if a page with the X-Frame-Options header set to "deny" or "same-origin" is embedded as an object, an error page appears. Chrome uniquely returns an empty document object (instead of null) for the contentDocument property of this object, unlike in iframes or other browsers. Attackers could exploit this by detecting the empty document, potentially revealing information about the user's state, especially if developers set the X-Frame-Options header inconsistently, often overlooking error pages. Awareness and consistent application of security headers are crucial for preventing such leaks.
Inclusion Methods: Frames, Pop-ups
Detectable Difference: Headers
Summary: An attacker can detect file downloads by using iframes; the continued accessibility of the iframe indicates a successful file download.
The Content-Disposition header, specifically Content-Disposition: attachment, instructs the browser to download content rather than display it inline. This behaviour can be exploited to detect whether a user has access to a page that triggers a file download. In Chromium-based browsers, there are a few techniques to detect this download behaviour:
Download Bar Monitoring:
When a file is downloaded in Chromium-based browsers, a download bar appears at the bottom of the browser window.
By monitoring changes in the window height, attackers can infer the appearance of the download bar, suggesting that a download has been initiated.
Download Navigation with Iframes:
When a page triggers a file download using the Content-Disposition: attachment header, it does not cause a navigation event.
By loading the content in an iframe and monitoring for navigation events, it's possible to check whether the content disposition causes a file download (no navigation) or not.
Download Navigation without Iframes:
Similar to the iframe technique, this method involves using window.open instead of an iframe.
Monitoring navigation events in the newly opened window can reveal whether a file download was triggered (no navigation) or whether the content is displayed inline (navigation occurs).
In scenarios where only logged-in users can trigger such downloads, these techniques can be used to indirectly infer the user's authentication state based on the browser's response to the download request.
Inclusion Methods: Pop-ups
Detectable Difference: Timing
Summary: An attacker can detect file downloads by using iframes; the continued accessibility of the iframe indicates a successful file download.
This is why this technique is interesting: Chrome now has cache partitioning, and the cache key of the newly opened page is: (https://actf.co, https://actf.co, https://sustenance.web.actf.co/?m=xxx), but if I open a ngrok page and use fetch inside it, the cache key will be: (https://myip.ngrok.io, https://myip.ngrok.io, https://sustenance.web.actf.co/?m=xxx); the cache key is different, so the cache cannot be shared. You can find more details here: Gaining security and privacy by partitioning the cache
(Comment from here)
If a site example.com includes a resource from *.example.com/resource then that resource will have the same caching key as if the resource was directly requested through a top-level navigation. This is because the caching key consists of the top-level eTLD+1 and the frame eTLD+1.
Because accessing the cache is faster than loading a resource, it's possible to try to change the location of a page and cancel it 20ms (for example) afterwards. If the origin was changed after the stop, it means the resource was cached. Alternatively, one could just send some fetch to the potentially cached page and measure the time it takes.
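The cache-key argument above, as an added example that is not code from the page or from Chrome: a simplified model of the partitioned cache key (top-level site, frame site, resource URL) that shows which contexts can share an entry. eTLD+1 is approximated here as the last two host labels; real browsers consult the Public Suffix List, so a host under a public suffix such as ngrok.io would really be its own site. The function names and the constructed scenario are assumptions for this illustration.

```javascript
// Added example (not from the original page or from Chrome): a simplified
// model of the partitioned HTTP cache key, (top-level site, frame site, URL).
// eTLD+1 is approximated as the last two host labels (assumption; real
// browsers use the Public Suffix List).
function siteOf(urlString) {
  const { protocol, hostname } = new URL(urlString);
  const labels = hostname.split('.');
  const etldPlusOne = labels.length > 2 ? labels.slice(-2).join('.') : hostname;
  return `${protocol}//${etldPlusOne}`;
}

// A cached entry is reused only when all three parts of the key match.
function partitionedCacheKey(topLevelUrl, frameUrl, resourceUrl) {
  return [siteOf(topLevelUrl), siteOf(frameUrl), resourceUrl].join(' | ');
}

function sharesCacheEntry(keyA, keyB) {
  return keyA === keyB;
}

// Constructed scenario: the same resource requested from three contexts.
const RESOURCE = 'https://sustenance.web.actf.co/?m=xxx';
function scenarioKeys() {
  return {
    // the resource's own site opened as a top-level navigation
    topLevel: partitionedCacheKey('https://actf.co/', 'https://actf.co/', RESOURCE),
    // the same resource requested from a frame on a sibling subdomain of that site
    siblingSubdomainFrame: partitionedCacheKey('https://actf.co/', 'https://other.web.actf.co/', RESOURCE),
    // the same resource fetched from a page on a different site
    crossSite: partitionedCacheKey('https://myip.ngrok.io/', 'https://myip.ngrok.io/', RESOURCE),
  };
}
```

The first two keys are identical, which is the same-site sharing the paragraph describes; the third differs in both site components, so a cross-site page cannot observe whether the victim's context has the resource cached.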
Inclusion Methods: Fetch API
Detectable Difference: Redirects
Summary: It's possible to find out whether the response to a fetch request is a redirect
Code Example:
Inclusion Methods: Fetch API
Detectable Difference: Timing
Summary: It's possible to try to load a resource and abort before it's loaded; depending on whether an error is triggered, the resource was or wasn't cached.
Use fetch and setTimeout with an AbortController to both detect whether the resource is cached and evict a specific resource from the browser cache. Moreover, the process happens without caching new content.
Inclusion Methods: HTML Elements (script)
Detectable Difference: Page Content
Summary: It's possible to override built-in functions and read their arguments even from a cross-origin script (which can't be read directly); this might leak valuable information.
Inclusion Methods: Pop-ups
Detectable Difference: Page Content
Summary: Measure the execution time of a web page using service workers.
Code Example:
In the given scenario, the attacker takes the initiative of registering a service worker within one of their domains, specifically "attacker.com". Next, the attacker opens a new window on the target website from the main document and instructs the service worker to start a timer. As the new window begins loading, the attacker navigates the reference obtained in the previous step to a page managed by the service worker.
Upon the arrival of the request initiated in the previous step, the service worker responds with a 204 (No Content) status code, effectively terminating the navigation process. At this point, the service worker captures a measurement from the timer started earlier in step two. This measurement is influenced by the duration of the JavaScript causing delays in the navigation process.
In execution timing it's possible to eliminate network factors to obtain more precise measurements, for example by loading the resources used by the page before loading it.
Inclusion Methods: Fetch API
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: Use performance.now() to measure the time it takes to perform a request. Other clocks could be used.
Inclusion Methods: Pop-ups
Detectable Difference: Timing (generally due to Page Content, Status Code)
Summary: Use performance.now() to measure the time it takes to perform a request using window.open. Other clocks could be used.
Here you can find techniques to exfiltrate information from a cross-origin HTML page by injecting HTML content. These techniques are interesting for cases where, for any reason, you can inject HTML but you cannot inject JS code.
If you need to exfiltrate content and you can add HTML before the secret, you should check the common dangling markup techniques. However, if for whatever reason you must do it char by char (maybe the communication is via a cache hit), you can use this trick.
Images in HTML have a "loading" attribute whose value can be "lazy". In that case, the image will be loaded when it's viewed and not while the page is loading:
Therefore, what you can do is add a lot of junk chars (for example thousands of "W"s) to fill the web page before the secret, or add something like <br><canvas height="1850px"></canvas><br>.
Then if, for example, our injection appears before the flag, the image will be loaded, but if it appears after the flag, the flag + junk will prevent it from being loaded (you will need to play with how much junk to place). This is what happened in this writeup.
Another option would be to use scroll-to-text-fragment if allowed:
However, you make the bot access the page with something like
So the web page will be something like: https://victim.com/post.html#:~:text=SECR
Where post.html contains the attacker's junk chars and the lazy-loaded image, and then the bot's secret is added.
What this text fragment will do is make the bot access any text on the page that contains the text SECR. As that text is the secret and it's just below the image, the image will only load if the guessed secret is correct. So there you have your oracle to exfiltrate the secret char by char.
Some code example to exploit this: https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e
If it's not possible to load an external image that could indicate to the attacker that the image was loaded, another option would be to try to guess the char several times and measure that. If the image is loaded, all the requests would take longer than if the image isn't loaded. This is what was used in the solution of this writeup, summarized here:
Event Loop Blocking + Lazy images
If jQuery(location.hash) is used, it's possible to find out via timing whether some HTML content exists; this is because if the selector main[id='site-main'] doesn't match, it won't need to check the rest of the selectors:
There are recommended mitigations in https://xsinator.com/paper.pdf and also in each section of the wiki https://xsleaks.dev/. Check there for more information about how to protect against these techniques.
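One concrete shape those mitigations take, as an added example that is not code from xsinator.com, xsleaks.dev or this page: a Fetch Metadata resource isolation policy that rejects cross-site sub-resource and frame requests before application logic runs, plus a fixed set of hardening response headers (COOP, CORP, framing protections, nosniff, no-store) that removes the header-, frame- and cache-based detectable differences covered in the sections above. The function names, the decision rules and the sample requests are assumptions constructed for this illustration.

```javascript
// Added example (not from the original page, xsinator.com or xsleaks.dev):
// a Fetch Metadata resource isolation policy and a hardening header set.
// Function names and sample requests are constructed for this illustration.

// Decide from the Sec-Fetch-* request headers (lower-cased map) whether a
// request may reach application logic at all.
function isolationPolicy(req) {
  const site = req.headers['sec-fetch-site'];
  const mode = req.headers['sec-fetch-mode'];
  const dest = req.headers['sec-fetch-dest'];
  // Browsers that do not send Fetch Metadata: fall back to other defences.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: site };
  }
  // Cross-site: permit only top-level GET/HEAD navigations (plain links), which
  // rules out cross-site fetch(), <img>, <script>, <link>, frames and objects.
  if (mode === 'navigate' && dest === 'document' && (req.method === 'GET' || req.method === 'HEAD')) {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  return { allow: false, reason: `cross-site ${mode}/${dest}` };
}

// Headers applied to every response, not only to some, so their presence
// carries no state-dependent signal.
function hardeningHeaders() {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',    // severs window references (COOP/opener checks)
    'Cross-Origin-Resource-Policy': 'same-origin',  // no-cors cross-origin loads fail uniformly
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',                // framing/object embedding blocked consistently
    'X-Content-Type-Options': 'nosniff',            // MIME sniffing off everywhere, not selectively
    'Cache-Control': 'no-store',                    // user-specific responses never enter the HTTP cache
  };
}

// Blocked cross-site requests get one fixed response regardless of session
// state, so status, headers and body length reveal nothing about the user.
function handle(req) {
  const decision = isolationPolicy(req);
  const headers = hardeningHeaders();
  if (!decision.allow) {
    return { status: 403, headers, body: '', log: `blocked cross-site request: ${decision.reason}` };
  }
  return { status: 200, headers, body: 'user-specific content', log: `allowed: ${decision.reason}` };
}

// Constructed sample requests covering the inclusion methods discussed above.
const SAMPLE_REQUESTS = {
  sameOriginFetch: { method: 'GET', headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  crossSiteImage: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
  crossSiteFrame: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe' } },
  crossSiteLink: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  crossSitePost: { method: 'POST', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  legacyBrowser: { method: 'GET', headers: {} },
};
```

Top-level cross-site navigations are still allowed so that ordinary links keep working; pop-up and navigation based leaks therefore rely on COOP and SameSite cookie attributes rather than on this policy alone, and the 'no-fetch-metadata' branch is where a separate CSRF defence belongs for older browsers. The `log` field is what a detection pipeline would want: a steady stream of blocked cross-site image, frame or fetch requests against a state-dependent endpoint is the signature of someone probing it.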
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)