mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
vuejs
This commit is contained in:
parent
53c38613c0
commit
940d1b5623
@ -393,8 +393,6 @@
|
||||
- [Electron contextIsolation RCE via Electron internal code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md)
|
||||
- [Electron contextIsolation RCE via IPC](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md)
|
||||
- [Flask](network-services-pentesting/pentesting-web/flask.md)
|
||||
- [NextJS](network-services-pentesting/pentesting-web/nextjs.md)
|
||||
- [NodeJS Express](network-services-pentesting/pentesting-web/nodejs-express.md)
|
||||
- [Git](network-services-pentesting/pentesting-web/git.md)
|
||||
- [Golang](network-services-pentesting/pentesting-web/golang.md)
|
||||
- [GWT - Google Web Toolkit](network-services-pentesting/pentesting-web/gwt-google-web-toolkit.md)
|
||||
@ -409,8 +407,9 @@
|
||||
- [JSP](network-services-pentesting/pentesting-web/jsp.md)
|
||||
- [Laravel](network-services-pentesting/pentesting-web/laravel.md)
|
||||
- [Moodle](network-services-pentesting/pentesting-web/moodle.md)
|
||||
- [NextJS](network-services-pentesting/pentesting-web/nextjs.md)
|
||||
- [Nginx](network-services-pentesting/pentesting-web/nginx.md)
|
||||
- [NextJS](network-services-pentesting/pentesting-web/nextjs-1.md)
|
||||
- [NodeJS Express](network-services-pentesting/pentesting-web/nodejs-express.md)
|
||||
- [PHP Tricks](network-services-pentesting/pentesting-web/php-tricks-esp/README.md)
|
||||
- [PHP - Useful Functions & disable_functions/open_basedir bypass](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md)
|
||||
- [disable_functions bypass - php-fpm/FastCGI](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md)
|
||||
@ -439,6 +438,7 @@
|
||||
- [Symfony](network-services-pentesting/pentesting-web/symphony.md)
|
||||
- [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md)
|
||||
- [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
|
||||
- [Vuejs](network-services-pentesting/pentesting-web/vuejs.md)
|
||||
- [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md)
|
||||
- [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md)
|
||||
- [WebDav](network-services-pentesting/pentesting-web/put-method-webdav.md)
|
||||
|
@ -1,8 +0,0 @@
|
||||
# NextJS
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
154
src/network-services-pentesting/pentesting-web/vuejs.md
Normal file
154
src/network-services-pentesting/pentesting-web/vuejs.md
Normal file
@ -0,0 +1,154 @@
|
||||
# Vue.js
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## XSS Sinks in Vue.js
|
||||
|
||||
### v-html Directive
|
||||
The `v-html` directive renders **raw** HTML, so any `<script>` (or an attribute like `onerror`) embedded in unsanitised user input executes immediately.
|
||||
|
||||
```html
|
||||
<div id="app">
|
||||
<div v-html="htmlContent"></div>
|
||||
</div>
|
||||
<script>
|
||||
new Vue({
|
||||
el: '#app',
|
||||
data: {
|
||||
htmlContent: '<img src=x onerror=alert(1)>'
|
||||
}
|
||||
})
|
||||
</script>
|
||||
```
|
||||
|
||||
### v-bind with src or href
|
||||
Binding a user string to URL-bearing attributes (`href`, `src`, `xlink:href`, `formaction` …) lets payloads such as `javascript:alert(1)` run when the link is followed.
|
||||
|
||||
```html
|
||||
<div id="app">
|
||||
<a v-bind:href="userInput">Click me</a>
|
||||
</div>
|
||||
<script>
|
||||
new Vue({
|
||||
el: '#app',
|
||||
data: {
|
||||
userInput: 'javascript:alert(1)'
|
||||
}
|
||||
})
|
||||
</script>
|
||||
```
|
||||
|
||||
### v-on with user-controlled handlers
|
||||
`v-on` compiles its value with `new Function`; if that value comes from the user, you hand them code-execution on a plate.
|
||||
|
||||
```html
|
||||
<div id="app">
|
||||
<button v-on:click="malicious">Click me</button>
|
||||
</div>
|
||||
<script>
|
||||
new Vue({
|
||||
el: '#app',
|
||||
data: { malicious: 'alert(1)' }
|
||||
})
|
||||
</script>
|
||||
```
|
||||
|
||||
### Dynamic attribute / event names
|
||||
User-supplied names in `v-bind:[attr]` or `v-on:[event]` let attackers create any attribute or event handler, bypassing static analysis and many CSP rules.
|
||||
|
||||
```html
|
||||
<img v-bind:[userAttr]="payload">
|
||||
<!-- userAttr = 'onerror', payload = 'alert(1)' -->
|
||||
```
|
||||
|
||||
### Dynamic component (`<component :is>`)
|
||||
Allowing user strings in `:is` can mount arbitrary components or inline templates—dangerous in the browser and catastrophic in SSR.
|
||||
|
||||
```html
|
||||
<component :is="userChoice"></component>
|
||||
<!-- userChoice = '<script>alert(1)</script>' -->
|
||||
```
|
||||
|
||||
### Untrusted templates in SSR
|
||||
During server-side rendering, the template runs **on your server**; injecting user HTML can escalate XSS to full Remote Code Execution (RCE). CVEs in `vue-template-compiler` prove the risk.
|
||||
|
||||
```js
|
||||
// DANGER – never do this
|
||||
const app = createSSRApp({ template: userProvidedHtml })
|
||||
```
|
||||
|
||||
### Filters / render functions that eval
|
||||
Legacy filters that build render strings or call `eval`/`new Function` on user data are another XSS vector—replace them with computed properties.
|
||||
|
||||
```js
|
||||
Vue.filter('run', code => eval(code)) // DANGER
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Other Common Vulnerabilities in Vue Projects
|
||||
|
||||
### Prototype pollution in plugins
|
||||
Deep-merge helpers in some plugins (e.g., **vue-i18n**) have allowed attackers to write to `Object.prototype`.
|
||||
|
||||
```js
|
||||
import merge from 'deepmerge'
|
||||
merge({}, JSON.parse('{ "__proto__": { "polluted": true } }'))
|
||||
```
|
||||
|
||||
### Open redirects with vue-router
|
||||
Passing unchecked user URLs to `router.push` or `<router-link>` can redirect to `javascript:` URIs or phishing domains.
|
||||
|
||||
```js
|
||||
this.$router.push(this.$route.query.next) // DANGER
|
||||
```
|
||||
|
||||
### CSRF in Axios / fetch
|
||||
SPAs still need server-side CSRF tokens; SameSite cookies alone can’t block auto-submitted cross-origin POSTs.
|
||||
|
||||
```js
|
||||
axios.post('/api/transfer', data, {
|
||||
headers: { 'X-CSRF-TOKEN': token }
|
||||
})
|
||||
```
|
||||
|
||||
### Click-jacking
|
||||
Vue apps are frameable unless you send both `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`.
|
||||
|
||||
```http
|
||||
X-Frame-Options: DENY
|
||||
Content-Security-Policy: frame-ancestors 'none';
|
||||
```
|
||||
|
||||
### Content-Security-Policy pitfalls
|
||||
The full Vue build needs `unsafe-eval`; switch to the runtime build or pre-compiled templates so you can drop that dangerous source.
|
||||
|
||||
```http
|
||||
Content-Security-Policy: default-src 'self'; script-src 'self';
|
||||
```
|
||||
|
||||
### Supply-chain attacks (node-ipc – March 2022)
|
||||
The sabotage of **node-ipc**—pulled by Vue CLI—showed how a transitive dependency can run arbitrary code on dev machines. Pin versions and audit often.
|
||||
|
||||
```shell
|
||||
npm ci --ignore-scripts # safer install
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Hardening Checklist
|
||||
|
||||
1. **Sanitise** every string before it hits `v-html` (DOMPurify).
|
||||
2. **Whitelist** allowed schemes, attributes, components, and events.
|
||||
3. **Avoid `eval`** and dynamic templates altogether.
|
||||
4. **Patch dependencies weekly** and monitor advisories.
|
||||
5. **Send strong HTTP headers** (CSP, HSTS, XFO, CSRF).
|
||||
6. **Lock your supply chain** with audits, lockfiles, and signed commits.
|
||||
|
||||
## References
|
||||
|
||||
- [https://www.stackhawk.com/blog/vue-xss-guide-examples-and-prevention/](https://www.stackhawk.com/blog/vue-xss-guide-examples-and-prevention/)
|
||||
- [https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da](https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da)
|
||||
- [https://vuejs.org/guide/best-practices/security](https://vuejs.org/guide/best-practices/security)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
Loading…
x
Reference in New Issue
Block a user