Dom Clobbering
It is possible to create global variables inside the JS context through the id and name attributes of HTML tags.
Only certain elements can use the name attribute to clobber globals; they are: embed, form, iframe, image, img and object.
Interestingly, when you use a form element to clobber a variable, you get the toString value of the element itself, [object HTMLFormElement], but with an anchor the toString value is the href of the anchor. So if you clobber with an a tag, you can control the value whenever it is treated as a string:
It is also possible to clobber arrays and object attributes:
To clobber a 3rd-level attribute (e.g. x.y.z), you need to use form:
Clobbering more attributes than that is harder but still possible, using iframes:
The style tag is used to give the iframe enough time to render. Without it you will get an alert of undefined.
To clobber deeper attributes, you can use iframes with HTML encoding like this:
If a filter loops through the properties of a node using something like document.getElementById('x').attributes, you can clobber the .attributes property and break the filter. Other DOM properties such as tagName, nodeName or parentNode, among others, are also clobberable.
window.someObject
In JavaScript it is common to find:
Editing the HTML on the page allows someObject to be overwritten with a DOM node, which can introduce security vulnerabilities. For example, you can replace someObject with an anchor element whose href points to a malicious script:
In vulnerable code like:
This method exploits the script source to execute unwanted code.
Trick: DOMPurify allows you to use the cid: protocol, which does not URL-encode double quotes. This means you can inject an HTML-encoded double quote (&quot;) that will be decoded at runtime. Therefore, injecting something like <a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//"> makes the HTML-encoded &quot; get decoded at runtime, escaping the attribute value and creating the onerror event.
Another technique uses a form element. Certain client-side libraries inspect the attributes of a newly created form element in order to clean them. However, by adding an input with id=attributes inside the form, you effectively overwrite the form's attributes property, preventing the sanitizer from accessing the actual attributes.
You can find an example of this type of clobbering in this CTF writeup.
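The following is an added example, not code from this page: a Node-runnable model of the form-with-input-id=attributes clobber and of the check a sanitizer can use against it. Because Node has no DOM, FakeElement and FakeNamedNodeMap are stand-ins for the browser's Element and NamedNodeMap; in a browser the same code works with Element.prototype and NamedNodeMap.

```javascript
// Constructed model (not the page's code): Element's .attributes is a prototype
// accessor in the real DOM, and FakeElement reproduces that shape.
class FakeNamedNodeMap extends Array {}

class FakeElement {
  constructor(tagName, attrs = {}) {
    this.tagName = tagName;
    this._attrs = new FakeNamedNodeMap();
    for (const [name, value] of Object.entries(attrs)) this._attrs.push({ name, value });
  }
  get attributes() { return this._attrs; }
}

// Constructed sample: a form carrying an event-handler attribute that a sanitizer
// should strip, plus a child <input id=attributes>. HTMLFormElement resolves named
// controls ahead of inherited members ([LegacyOverrideBuiltIns]); that is modelled
// here as an own property that shadows the prototype getter.
function makeClobberedForm() {
  const form = new FakeElement('FORM', { action: '/submit', onsubmit: 'handler()' });
  const input = new FakeElement('INPUT', { id: 'attributes' });
  Object.defineProperty(form, 'attributes', { value: input, configurable: true });
  return form;
}

// Naive sanitizer: trusts el.attributes. On the clobbered form it receives the
// <input> element, whose .length is undefined, so the loop never runs and the
// onsubmit attribute is never seen (the filter is bypassed silently).
function naiveEventHandlerAttributes(el) {
  const found = [];
  const attrs = el.attributes;
  for (let i = 0; i < attrs.length; i++) {
    if (attrs[i].name.startsWith('on')) found.push(attrs[i].name);
  }
  return found;
}

// Hardened sanitizer: detect the clobber (the value is not a NamedNodeMap) and read
// the real attribute list through the prototype accessor, which a named control
// cannot shadow. Swap FakeElement/FakeNamedNodeMap for Element/NamedNodeMap in a browser.
const realAttributesGetter =
  Object.getOwnPropertyDescriptor(FakeElement.prototype, 'attributes').get;

function isClobbered(el) {
  return !(el.attributes instanceof FakeNamedNodeMap);
}

function hardenedEventHandlerAttributes(el) {
  const attrs = realAttributesGetter.call(el);
  return Array.from(attrs, a => a.name).filter(n => n.startsWith('on'));
}
```

A sanitizer that finds isClobbered(el) true should drop the element outright rather than try to clean it, which is what the DOMPurify-style check does.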
According to the documentation it's possible to overwrite attributes of the document object using DOM Clobbering:
The Document interface supports named properties. The supported property names of a Document object document at any moment consist of the following, in tree order according to the element that contributed them, ignoring later duplicates, and with values from id attributes coming before values from name attributes when the same element contributes both:
- The value of the name content attribute for all exposed embed, form, iframe, img, and exposed object elements that have a non-empty name content attribute and are in a document tree with document as their root;
- The value of the id content attribute for all exposed object elements that have a non-empty id content attribute and are in a document tree with document as their root;
- The value of the id content attribute for all img elements that have both a non-empty id content attribute and a non-empty name content attribute, and are in a document tree with document as their root.
Using this technique you can overwrite commonly used values such as document.cookie, document.body, document.children, and even methods of the Document interface like document.querySelector.
The results of calls to document.getElementById() and document.querySelector() can be altered by injecting an <html> or <body> tag with the same id attribute. Here is how it can be done:
Additionally, by using styles to hide these injected html/body tags, interference from other text in innerText can be avoided, which makes the attack more reliable:
Investigation of SVG showed that a <body> tag can also be used effectively:
For an HTML tag to work inside SVG in browsers like Chrome and Firefox, a <foreignobject> tag is required:
It is possible to add new entries to a form by specifying the form attribute on some tags. You can use this to add new values to a form and even to add a new submit button (via clickjacking or some JS code calling .click()):
For more information about form attributes on button, check this.
Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker.