diff --git a/src/SUMMARY.md b/src/SUMMARY.md index f0af43e7a..0fee1721f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -393,8 +393,6 @@ - [Electron contextIsolation RCE via Electron internal code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md) - [Electron contextIsolation RCE via IPC](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md) - [Flask](network-services-pentesting/pentesting-web/flask.md) - - [NextJS](network-services-pentesting/pentesting-web/nextjs.md) - - [NodeJS Express](network-services-pentesting/pentesting-web/nodejs-express.md) - [Git](network-services-pentesting/pentesting-web/git.md) - [Golang](network-services-pentesting/pentesting-web/golang.md) - [GWT - Google Web Toolkit](network-services-pentesting/pentesting-web/gwt-google-web-toolkit.md) @@ -409,8 +407,9 @@ - [JSP](network-services-pentesting/pentesting-web/jsp.md) - [Laravel](network-services-pentesting/pentesting-web/laravel.md) - [Moodle](network-services-pentesting/pentesting-web/moodle.md) + - [NextJS](network-services-pentesting/pentesting-web/nextjs.md) - [Nginx](network-services-pentesting/pentesting-web/nginx.md) - - [NextJS](network-services-pentesting/pentesting-web/nextjs-1.md) + - [NodeJS Express](network-services-pentesting/pentesting-web/nodejs-express.md) - [PHP Tricks](network-services-pentesting/pentesting-web/php-tricks-esp/README.md) - [PHP - Useful Functions & disable_functions/open_basedir bypass](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md) - [disable_functions bypass - php-fpm/FastCGI](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md) 
@@ -439,6 +438,7 @@ - [Symfony](network-services-pentesting/pentesting-web/symphony.md) - [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md) - [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md) + - [Vuejs](network-services-pentesting/pentesting-web/vuejs.md) - [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md) - [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md) - [WebDav](network-services-pentesting/pentesting-web/put-method-webdav.md) diff --git a/src/network-services-pentesting/pentesting-web/nextjs-1.md b/src/network-services-pentesting/pentesting-web/nextjs-1.md deleted file mode 100644 index 5bfc6fbea..000000000 --- a/src/network-services-pentesting/pentesting-web/nextjs-1.md +++ /dev/null @@ -1,5 +0,0 @@ -# NextJS - -{{#include ../../banners/hacktricks-training.md}} - -{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/vuejs.md b/src/network-services-pentesting/pentesting-web/vuejs.md new file mode 100644 index 000000000..ce3b18eb9 --- /dev/null +++ b/src/network-services-pentesting/pentesting-web/vuejs.md @@ -0,0 +1,128 @@ +# Vue.js + +{{#include ../../banners/hacktricks-training.md}} + +## XSS Sinks in Vue.js + +### v-html Direktief +Die `v-html` direktief render **rou** HTML, so enige ` +``` +### v-bind met src of href +Binding 'n gebruikersstring aan URL-draende eienskappe (`href`, `src`, `xlink:href`, `formaction` …) laat payloads soos `javascript:alert(1)` toe om te loop wanneer die skakel gevolg word. +```html +
+Click me +
+ +``` +### v-on met gebruikersbeheerde handlers +`v-on` kompileer sy waarde met `new Function`; as daardie waarde van die gebruiker kom, gee jy vir hulle kode-uitvoering op 'n skinkbord. +```html +
+ +
+ +``` +### Dinamiese attribuut / gebeurtenis name +Gebruiker-geleverde name in `v-bind:[attr]` of `v-on:[event]` laat aanvallers toe om enige attribuut of gebeurtenis handler te skep, wat statiese analise en baie CSP-reëls omseil. +```html + + +``` +### Dinamiese komponent (``) +Die toelaat van gebruikersstringe in `:is` kan arbitrêre komponente of inline-sjablone monteer—gevaarlik in die blaaiers en katastrofies in SSR. +```html + + +``` +### Onbetroubare sjablone in SSR +Tydens bediener-kant weergawe, loop die sjabloon **op jou bediener**; die invoeging van gebruikers-HTML kan XSS tot volle Afgeleë Kode Uitvoering (RCE) opgradeer. CVE's in `vue-template-compiler` bewys die risiko. +```js +// DANGER – never do this +const app = createSSRApp({ template: userProvidedHtml }) +``` +### Filters / render functions that eval +Erfgoedfilters wat render stringe bou of `eval`/`new Function` op gebruikersdata aanroep, is 'n ander XSS-vak—vervang hulle met berekende eienskappe. +```js +Vue.filter('run', code => eval(code)) // DANGER +``` +--- + +## Ander Algemene Kw vulnerabilities in Vue Projekte + +### Prototipe besoedeling in plugins +Deep-merge helpers in sommige plugins (bv., **vue-i18n**) het aanvallers toegelaat om na `Object.prototype` te skryf. +```js +import merge from 'deepmerge' +merge({}, JSON.parse('{ "__proto__": { "polluted": true } }')) +``` +### Oop redirects met vue-router +Om ongekontroleerde gebruikers-URL's na `router.push` of `` te stuur, kan lei na `javascript:` URI's of phishing-domeine. +```js +this.$router.push(this.$route.query.next) // DANGER +``` +### CSRF in Axios / fetch +SPAs benodig steeds bediener-kant CSRF tokens; SameSite koekies alleen kan nie outomaties ingediende kruis-oorsprong POSTs blokkeer nie. +```js +axios.post('/api/transfer', data, { +headers: { 'X-CSRF-TOKEN': token } +}) +``` +### Click-jacking +Vue-apps kan in rame geplaas word tensy jy beide `X-Frame-Options: DENY` en `Content-Security-Policy: frame-ancestors 'none'` stuur. 
+```http +X-Frame-Options: DENY +Content-Security-Policy: frame-ancestors 'none'; +``` +### Content-Security-Policy valkuils +Die volle Vue-bou benodig `unsafe-eval`; skakel oor na die runtime-bou of vooraf-gecompileerde sjablone sodat jy daardie gevaarlike bron kan laat vaar. +```http +Content-Security-Policy: default-src 'self'; script-src 'self'; +``` +### Verskaffingsketting-aanvalle (node-ipc – Maart 2022) +Die sabotasie van **node-ipc**—getrek deur Vue CLI—het gewys hoe 'n transitive afhanklikheid arbitrêre kode op ontwikkelingsmasjiene kan uitvoer. Pin weergawes en oudit gereeld. +```shell +npm ci --ignore-scripts # safer install +``` +--- + +## Versterking Kontrolelys + +1. **Sanitiseer** elke string voordat dit `v-html` bereik (DOMPurify). +2. **Whitelist** toegelate skemas, eienskappe, komponente, en gebeurtenisse. +3. **Vermy `eval`** en dinamiese templates heeltemal. +4. **Patching afhanklikhede weekliks** en monitor advies. +5. **Stuur sterk HTTP koppe** (CSP, HSTS, XFO, CSRF). +6. **Vergrendel jou voorsieningsketting** met oudit, slotlêers, en ondertekende verbintenisse. + +## Verwysings + +- [https://www.stackhawk.com/blog/vue-xss-guide-examples-and-prevention/](https://www.stackhawk.com/blog/vue-xss-guide-examples-and-prevention/) +- [https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da](https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da) +- [https://vuejs.org/guide/best-practices/security](https://vuejs.org/guide/best-practices/security) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/theme/ai.js b/theme/ai.js index bae463b88..bb8af53b7 100644 --- a/theme/ai.js +++ b/theme/ai.js 
@@ -1,108 +1,259 @@ /** - * HackTricks AI Chat Widget v1.14 – animated typing indicator + * HackTricks AI Chat Widget v1.15 – Markdown rendering + sanitised * ------------------------------------------------------------------------ - * • Replaces the static “…” placeholder with a three‑dot **bouncing** loader - * while waiting for the assistant’s response. + * • Replaces the static “…” placeholder with a three-dot **bouncing** loader + * • Renders assistant replies as Markdown while purging any unsafe HTML + * (XSS-safe via DOMPurify) * ------------------------------------------------------------------------ */ (function () { - const LOG = "[HackTricks-AI]"; - - /* ---------------- User‑tunable constants ---------------- */ - const MAX_CONTEXT = 3000; // highlighted‑text char limit - const MAX_QUESTION = 500; // question char limit - const TOOLTIP_TEXT = - "💡 Highlight any text on the page,\nthen click to ask HackTricks AI about it"; - - const API_BASE = "https://www.hacktricks.ai/api/assistants/threads"; - const BRAND_RED = "#b31328"; // HackTricks brand - - /* ------------------------------ State ------------------------------ */ - let threadId = null; - let isRunning = false; - - const $ = (sel, ctx = document) => ctx.querySelector(sel); - if (document.getElementById("ht-ai-btn")) { console.warn(`${LOG} Widget already injected.`); return; } - (document.readyState === "loading" ? 
document.addEventListener("DOMContentLoaded", init) : init()); - - /* ==================================================================== */ - async function init() { - console.log(`${LOG} Injecting widget… v1.14`); - await ensureThreadId(); - injectStyles(); - - const btn = createFloatingButton(); - createTooltip(btn); - const panel = createSidebar(); - const chatLog = $("#ht-ai-chat"); - const sendBtn = $("#ht-ai-send"); - const inputBox = $("#ht-ai-question"); - const resetBtn = $("#ht-ai-reset"); - const closeBtn = $("#ht-ai-close"); - - /* ------------------- Selection snapshot ------------------- */ - let savedSelection = ""; - btn.addEventListener("pointerdown", () => { savedSelection = window.getSelection().toString().trim(); }); - - /* ------------------- Helpers ------------------------------ */ - function addMsg(text, cls) { - const b = document.createElement("div"); - b.className = `ht-msg ${cls}`; - b.textContent = text; - chatLog.appendChild(b); - chatLog.scrollTop = chatLog.scrollHeight; - return b; - } - const LOADER_HTML = ''; - - function setInputDisabled(d) { inputBox.disabled = d; sendBtn.disabled = d; } - function clearThreadCookie() { document.cookie = "threadId=; Path=/; Max-Age=0"; threadId = null; } - function resetConversation() { chatLog.innerHTML=""; clearThreadCookie(); panel.classList.remove("open"); } - - /* ------------------- Panel open / close ------------------- */ - btn.addEventListener("click", () => { - if (!savedSelection) { alert("Please highlight some text first to then ask Hacktricks AI about it."); return; } - if (savedSelection.length > MAX_CONTEXT) { alert(`Highlighted text is too long (${savedSelection.length} chars). 
Max allowed: ${MAX_CONTEXT}.`); return; } - chatLog.innerHTML=""; addMsg(savedSelection, "ht-context"); panel.classList.add("open"); inputBox.focus(); - }); - closeBtn.addEventListener("click", resetConversation); - resetBtn.addEventListener("click", resetConversation); - - /* --------------------------- Messaging --------------------------- */ - async function sendMessage(question, context=null) { - if (!threadId) await ensureThreadId(); - if (isRunning) { addMsg("Please wait until the current operation completes.", "ht-ai"); return; } - - isRunning = true; setInputDisabled(true); - const loadingBubble = addMsg("", "ht-ai"); - loadingBubble.innerHTML = LOADER_HTML; - - const content = context ? `### Context:\n${context}\n\n### Question to answer:\n${question}` : question; - try { - const res = await fetch(`${API_BASE}/${threadId}/messages`, { method:"POST", credentials:"include", headers:{"Content-Type":"application/json"}, body:JSON.stringify({content}) }); - if (!res.ok) { - let err=`Unknown error: ${res.status}`; - try { const e=await res.json(); if(e.error) err=`Error: ${e.error}`; else if(res.status===429) err="Rate limit exceeded. Please try again later."; } catch(_){} - loadingBubble.textContent = err; return; } - const data = await res.json(); - loadingBubble.remove(); - if (Array.isArray(data.response)) data.response.forEach(p=>{ addMsg( p.type==="text"&&p.text&&p.text.value ? p.text.value : JSON.stringify(p), "ht-ai"); }); - else if (typeof data.response === "string") addMsg(data.response, "ht-ai"); - else addMsg(JSON.stringify(data,null,2), "ht-ai"); - } catch (e) { console.error("Error sending message:",e); loadingBubble.textContent="An unexpected error occurred."; } - finally { isRunning=false; setInputDisabled(false); chatLog.scrollTop=chatLog.scrollHeight; } - } - - async function handleSend(){ const q=inputBox.value.trim(); if(!q)return; if(q.length>MAX_QUESTION){alert(`Your question is too long (${q.length} chars). 
Max allowed: ${MAX_QUESTION}.`); return;} inputBox.value=""; addMsg(q,"ht-user"); await sendMessage(q,savedSelection||null);} - sendBtn.addEventListener("click", handleSend); - inputBox.addEventListener("keydown", e=>{ if(e.key==="Enter"&&!e.shiftKey){ e.preventDefault(); handleSend(); } }); + const LOG = "[HackTricks-AI]"; + + /* ---------------- User-tunable constants ---------------- */ + const MAX_CONTEXT = 3000; // highlighted-text char limit + const MAX_QUESTION = 500; // question char limit + const TOOLTIP_TEXT = + "💡 Highlight any text on the page,\nthen click to ask HackTricks AI about it"; + + const API_BASE = "https://www.hacktricks.ai/api/assistants/threads"; + const BRAND_RED = "#b31328"; // HackTricks brand + + /* ------------------------------ State ------------------------------ */ + let threadId = null; + let isRunning = false; + + const $ = (sel, ctx = document) => ctx.querySelector(sel); + if (document.getElementById("ht-ai-btn")) { + console.warn(`${LOG} Widget already injected.`); + return; + } + (document.readyState === "loading" + ? document.addEventListener("DOMContentLoaded", init) + : init()); + + /* ==================================================================== */ + /* 🔗 1. 
3rd-party libs → Markdown & sanitiser */ + /* ==================================================================== */ + function loadScript(src) { + return new Promise((resolve, reject) => { + const s = document.createElement("script"); + s.src = src; + s.onload = resolve; + s.onerror = () => reject(new Error(`Failed to load ${src}`)); + document.head.appendChild(s); + }); + } + + async function ensureDeps() { + const deps = []; + if (typeof marked === "undefined") { + deps.push(loadScript("https://cdn.jsdelivr.net/npm/marked/marked.min.js")); } - - /* ==================================================================== */ - async function ensureThreadId(){ const m=document.cookie.match(/threadId=([^;]+)/); if(m&&m[1]){threadId=m[1];return;} try{ const r=await fetch(API_BASE,{method:"POST",credentials:"include"}); const d=await r.json(); if(!r.ok||!d.threadId) throw new Error(`${r.status} ${r.statusText}`); threadId=d.threadId; document.cookie=`threadId=${threadId}; Path=/; Secure; SameSite=Strict; Max-Age=7200`; }catch(e){ console.error("Error creating threadId:",e); alert("Failed to initialise the conversation. 
Please refresh and try again."); throw e; }} - - /* ==================================================================== */ - function injectStyles(){ const css=` + if (typeof DOMPurify === "undefined") { + deps.push( + loadScript( + "https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.5/purify.min.js" + ) + ); + } + if (deps.length) await Promise.all(deps); + } + + function mdToSafeHTML(md) { + // 1️⃣ Markdown → raw HTML + const raw = marked.parse(md, { mangle: false, headerIds: false }); + // 2️⃣ Purify + return DOMPurify.sanitize(raw, { USE_PROFILES: { html: true } }); + } + + /* ==================================================================== */ + async function init() { + /* ----- make sure marked & DOMPurify are ready before anything else */ + try { + await ensureDeps(); + } catch (e) { + console.error(`${LOG} Could not load dependencies`, e); + return; + } + + console.log(`${LOG} Injecting widget… v1.15`); + + await ensureThreadId(); + injectStyles(); + + const btn = createFloatingButton(); + createTooltip(btn); + const panel = createSidebar(); + const chatLog = $("#ht-ai-chat"); + const sendBtn = $("#ht-ai-send"); + const inputBox = $("#ht-ai-question"); + const resetBtn = $("#ht-ai-reset"); + const closeBtn = $("#ht-ai-close"); + + /* ------------------- Selection snapshot ------------------- */ + let savedSelection = ""; + btn.addEventListener("pointerdown", () => { + savedSelection = window.getSelection().toString().trim(); + }); + + /* ------------------- Helpers ------------------------------ */ + function addMsg(text, cls) { + const b = document.createElement("div"); + b.className = `ht-msg ${cls}`; + + // ✨ assistant replies rendered as Markdown + sanitised + if (cls === "ht-ai") { + b.innerHTML = mdToSafeHTML(text); + } else { + // user / context bubbles stay plain-text + b.textContent = text; + } + + chatLog.appendChild(b); + chatLog.scrollTop = chatLog.scrollHeight; + return b; + } + const LOADER_HTML = + ''; + + function setInputDisabled(d) 
{ + inputBox.disabled = d; + sendBtn.disabled = d; + } + function clearThreadCookie() { + document.cookie = "threadId=; Path=/; Max-Age=0"; + threadId = null; + } + function resetConversation() { + chatLog.innerHTML = ""; + clearThreadCookie(); + panel.classList.remove("open"); + } + + /* ------------------- Panel open / close ------------------- */ + btn.addEventListener("click", () => { + if (!savedSelection) { + alert("Please highlight some text first to then ask HackTricks AI about it."); + return; + } + if (savedSelection.length > MAX_CONTEXT) { + alert( + `Highlighted text is too long (${savedSelection.length} chars). Max allowed: ${MAX_CONTEXT}.` + ); + return; + } + chatLog.innerHTML = ""; + addMsg(savedSelection, "ht-context"); + panel.classList.add("open"); + inputBox.focus(); + }); + closeBtn.addEventListener("click", resetConversation); + resetBtn.addEventListener("click", resetConversation); + + /* --------------------------- Messaging --------------------------- */ + async function sendMessage(question, context = null) { + if (!threadId) await ensureThreadId(); + if (isRunning) { + addMsg("Please wait until the current operation completes.", "ht-ai"); + return; + } + + isRunning = true; + setInputDisabled(true); + const loadingBubble = addMsg("", "ht-ai"); + loadingBubble.innerHTML = LOADER_HTML; + + const content = context + ? `### Context:\n${context}\n\n### Question to answer:\n${question}` + : question; + try { + const res = await fetch(`${API_BASE}/${threadId}/messages`, { + method: "POST", + credentials: "include", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify({ content }) + }); + if (!res.ok) { + let err = `Unknown error: ${res.status}`; + try { + const e = await res.json(); + if (e.error) err = `Error: ${e.error}`; + else if (res.status === 429) + err = "Rate limit exceeded. 
Please try again later."; + } catch (_) {} + loadingBubble.textContent = err; + return; + } + const data = await res.json(); + loadingBubble.remove(); + if (Array.isArray(data.response)) + data.response.forEach((p) => { + addMsg( + p.type === "text" && p.text && p.text.value + ? p.text.value + : JSON.stringify(p), + "ht-ai" + ); + }); + else if (typeof data.response === "string") + addMsg(data.response, "ht-ai"); + else addMsg(JSON.stringify(data, null, 2), "ht-ai"); + } catch (e) { + console.error("Error sending message:", e); + loadingBubble.textContent = "An unexpected error occurred."; + } finally { + isRunning = false; + setInputDisabled(false); + chatLog.scrollTop = chatLog.scrollHeight; + } + } + + async function handleSend() { + const q = inputBox.value.trim(); + if (!q) return; + if (q.length > MAX_QUESTION) { + alert( + `Your question is too long (${q.length} chars). Max allowed: ${MAX_QUESTION}.` + ); + return; + } + inputBox.value = ""; + addMsg(q, "ht-user"); + await sendMessage(q, savedSelection || null); + } + sendBtn.addEventListener("click", handleSend); + inputBox.addEventListener("keydown", (e) => { + if (e.key === "Enter" && !e.shiftKey) { + e.preventDefault(); + handleSend(); + } + }); + } + + /* ==================================================================== */ + async function ensureThreadId() { + const m = document.cookie.match(/threadId=([^;]+)/); + if (m && m[1]) { + threadId = m[1]; + return; + } + try { + const r = await fetch(API_BASE, { method: "POST", credentials: "include" }); + const d = await r.json(); + if (!r.ok || !d.threadId) throw new Error(`${r.status} ${r.statusText}`); + threadId = d.threadId; + document.cookie = + `threadId=${threadId}; Path=/; Secure; SameSite=Strict; Max-Age=7200`; + } catch (e) { + console.error("Error creating threadId:", e); + alert("Failed to initialise the conversation. 
Please refresh and try again."); + throw e; + } + } + + /* ==================================================================== */ + function injectStyles() { + const css = ` #ht-ai-btn{position:fixed;bottom:20px;left:50%;transform:translateX(-50%);width:60px;height:60px;border-radius:50%;background:#1e1e1e;color:#fff;font-size:28px;display:flex;align-items:center;justify-content:center;cursor:pointer;z-index:99999;box-shadow:0 2px 8px rgba(0,0,0,.4);transition:opacity .2s} #ht-ai-btn:hover{opacity:.85} @media(max-width:768px){#ht-ai-btn{display:none}} @@ -132,10 +283,50 @@ @keyframes ht-bounce{0%,80%,100%{transform:scale(0);}40%{transform:scale(1);} } ::selection{background:#ffeb3b;color:#000} ::-moz-selection{background:#ffeb3b;color:#000}`; - const s=document.createElement("style"); s.id="ht-ai-style"; s.textContent=css; document.head.appendChild(s);} - - function createFloatingButton(){ const d=document.createElement("div"); d.id="ht-ai-btn"; d.textContent="🤖"; document.body.appendChild(d); return d; } - function createTooltip(btn){ const t=document.createElement("div"); t.id="ht-ai-tooltip"; t.textContent=TOOLTIP_TEXT; document.body.appendChild(t); btn.addEventListener("mouseenter",()=>{const r=btn.getBoundingClientRect(); t.style.left=`${r.left+r.width/2}px`; t.style.top=`${r.top}px`; t.classList.add("show");}); btn.addEventListener("mouseleave",()=>t.classList.remove("show")); } - function createSidebar(){ const p=document.createElement("div"); p.id="ht-ai-panel"; p.innerHTML=`
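Review bot: The sanitiser that the v1.15 header advertises as making replies XSS-safe is itself fetched at runtime by loadScript with no Subresource Integrity, so the widget trusts whatever jsdelivr and cdnjs serve, and marked is not even pinned (`npm/marked/marked.min.js` resolves to the latest release), so a malicious or merely breaking release runs with full access to the page and to the threadId cookie. Give loadScript an `integrity` parameter, set `s.crossOrigin = "anonymous"` alongside it, and pin marked to a specific release so the hash stays stable. A CSP `script-src` allow-list covering only these two hosts would add defence in depth, but the site headers are not visible from this diff. Separately, the threadId read back from the cookie in ensureThreadId is interpolated into the request path unchecked; wrapping it as `encodeURIComponent(threadId)` in the fetch URL in sendMessage is cheap. The enclosing IIFE and the rest of init continue into the next hunk.
```javascript
function loadScript(src, integrity) {
  return new Promise((resolve, reject) => {
    const s = document.createElement("script");
    s.src = src;
    if (integrity) {
      // SRI: the browser refuses to execute the script if the CDN bytes differ from the hash
      s.integrity = integrity;
      s.crossOrigin = "anonymous";
    }
    s.onload = resolve;
    s.onerror = () => reject(new Error(`Failed to load ${src}`));
    document.head.appendChild(s);
  });
}

async function ensureDeps() {
  const deps = [];
  if (typeof marked === "undefined") {
    // pin to one release and paste the sha384 of that exact file
    deps.push(loadScript("https://cdn.jsdelivr.net/npm/marked@<version>/marked.min.js", "sha384-<hash>"));
  }
  if (typeof DOMPurify === "undefined") {
    deps.push(loadScript("https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.5/purify.min.js", "sha384-<hash>"));
  }
  // … unchanged: await Promise.all(deps) …
}
```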
HackTricksAI Chat
`; document.body.appendChild(p); return p; } - })(); - \ No newline at end of file + const s = document.createElement("style"); + s.id = "ht-ai-style"; + s.textContent = css; + document.head.appendChild(s); + } + + function createFloatingButton() { + const d = document.createElement("div"); + d.id = "ht-ai-btn"; + d.textContent = "🤖"; + document.body.appendChild(d); + return d; + } + + function createTooltip(btn) { + const t = document.createElement("div"); + t.id = "ht-ai-tooltip"; + t.textContent = TOOLTIP_TEXT; + document.body.appendChild(t); + btn.addEventListener("mouseenter", () => { + const r = btn.getBoundingClientRect(); + t.style.left = `${r.left + r.width / 2}px`; + t.style.top = `${r.top}px`; + t.classList.add("show"); + }); + btn.addEventListener("mouseleave", () => t.classList.remove("show")); + } + + function createSidebar() { + const p = document.createElement("div"); + p.id = "ht-ai-panel"; + p.innerHTML = ` +
HackTricks AI Chat +
+ + +
+
+
+
+ + +
`; + document.body.appendChild(p); + return p; + } +})();