maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

update xss

Browse Source
This commit is contained in:
Carlos Polop 2025-02-04 19:24:15 +01:00
parent 6d132e187e
commit a01d953303
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/pentesting-web/domain-subdomain-takeover.md
View File

@ -51,6 +51,22 @@ SSL certificates, if generated by attackers via services like [_Let's Encrypt_](
Browser transparency also extends to cookie security, governed by policies like the [Same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy). Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can **gather session cookies** simply by directing users to a compromised subdomain, endangering user data and privacy.
### CORS Bypass
It might be possible that every subdomain is allowed to access CORS resources from the main domain or other subdomains. This could be exploited by an attacker to **access sensitive information** abusing CORS requests.
### CSRF - Same-Site Cookies bypass
It could be possible that the subdomain is allowed to send cookies to the domain or other subdomains which was prevented by the `Same-Site` attribute of the cookies. However, note that anti-CSRF tokens will still prevent this attack if they are properly implemented.
### OAuth tokens redirect
It might be possible that the compromised subdomain is allowed to be used in the `redirect_uri` URL of an OAuth flow. This could be exploited by an attacker to **steal the OAuth token**.
### CSP Bypass
It might be possible that the compromised subdomain (or eveyr subdomain) is allowed to be used for example the `script-src` of the CSP. This could be exploited by an attacker to **inject malicious scripts** and abuse potential XSS vulnerabilities.
### **Emails and Subdomain Takeover**
Another aspect of subdomain takeover involves email services. Attackers can manipulate **MX records** to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks.
@ -77,6 +93,7 @@ For cloud providers, verifying domain ownership is crucial to prevent subdomain
- [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/)
- [https://www.stratussecurity.com/post/subdomain-takeover-guide](https://www.stratussecurity.com/post/subdomain-takeover-guide)
- [https://www.hackerone.com/blog/guide-subdomain-takeovers-20](https://www.hackerone.com/blog/guide-subdomain-takeovers-20)
{{#include ../banners/hacktricks-training.md}}

30
src/pentesting-web/hacking-with-cookies/README.md
View File

@ -189,10 +189,38 @@ RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end";
This vulnerability is particularly dangerous in web applications relying on cookie-based CSRF protection, as it allows attackers to inject spoofed CSRF-token cookies, potentially bypassing security measures. The issue is exacerbated by Python's handling of duplicate cookie names, where the last occurrence overrides earlier ones. It also raises concerns for `__Secure-` and `__Host-` cookies in insecure contexts and could lead to authorization bypasses when cookies are passed to back-end servers susceptible to spoofing.
### Cookies $version and WAF bypasses
### Cookies $version
#### WAF Bypass
According to [**this blogpost**](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie), it might be possible to use the cookie attribute **`$Version=1`** to make the backend use an old logic to parse the cookie due to the **RFC2109**. Moreover, other values just as **`$Domain`** and **`$Path`** can be used to modify the behaviour of the backend with the cookie.
#### Cookie Sandwich Attack
According to [**this blogpost**](https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique) it's possible to use the cookie sandwich technique to steal HttpOnly cookies. These are the requirements and steps:
- Find a place were an apparent useless **cookie is refected in the response**
- **Create a cookie called `$Version`** with value `1` (ou can do this in a XSS attack from JS) with a more specific path so it gets the initial possition (some frameworks like python dont need this step)
- **Create the cookie that is reflected** with a value that leaves an **open double quotes** and with a specific path so its positioned in the cookie db after the previous one (`$Version`)
- Then, the legit cookie will go next in the order
- **Create a dummy cookie that closes the double quotse** inside its value
This way the victim cookie gets trapped inside the new cookie version 1 and will get reflected whenever its reflected.
e.g. from the post:
```javascript
document.cookie = `$Version=1;`;
document.cookie = `param1="start`;
// any cookies inside the sandwich will be placed into param1 value server-side
document.cookie = `param2=end";`;
```
### WAF bypasses
#### Cookies $version
Check the previous section.
#### Bypassing value analysis with quoted-string encoding
This parsing indicate to unescape escaped values inside the cookies, so "\a" becomes "a". This can be useful to bypass WAFS as: