From a01d953303ca10b5ce1be080ae988efd7855a55b Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Tue, 4 Feb 2025 19:24:15 +0100 Subject: [PATCH] update xss --- .../domain-subdomain-takeover.md | 17 +++++++++++ .../hacking-with-cookies/README.md | 30 ++++++++++++++++++- 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/src/pentesting-web/domain-subdomain-takeover.md b/src/pentesting-web/domain-subdomain-takeover.md index b4bca5b9d..c2755ccbf 100644 --- a/src/pentesting-web/domain-subdomain-takeover.md +++ b/src/pentesting-web/domain-subdomain-takeover.md @@ -51,6 +51,22 @@ SSL certificates, if generated by attackers via services like [_Let's Encrypt_]( Browser transparency also extends to cookie security, governed by policies like the [Same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy). Cookies, often used to manage sessions and store login tokens, can be exploited through subdomain takeover. Attackers can **gather session cookies** simply by directing users to a compromised subdomain, endangering user data and privacy. +### CORS Bypass + +It might be possible that every subdomain is allowed to access CORS resources from the main domain or other subdomains. This could be exploited by an attacker to **access sensitive information** abusing CORS requests. + +### CSRF - Same-Site Cookies bypass + +It could be possible that the subdomain is allowed to send cookies to the domain or other subdomains which was prevented by the `Same-Site` attribute of the cookies. However, note that anti-CSRF tokens will still prevent this attack if they are properly implemented. + +### OAuth tokens redirect + +It might be possible that the compromised subdomain is allowed to be used in the `redirect_uri` URL of an OAuth flow. This could be exploited by an attacker to **steal the OAuth token**. + +### CSP Bypass + +It might be possible that the compromised subdomain (or eveyr subdomain) is allowed to be used for example the `script-src` of the CSP. This could be exploited by an attacker to **inject malicious scripts** and abuse potential XSS vulnerabilities. + ### **Emails and Subdomain Takeover** Another aspect of subdomain takeover involves email services. Attackers can manipulate **MX records** to receive or send emails from a legitimate subdomain, enhancing the efficacy of phishing attacks. @@ -77,6 +93,7 @@ For cloud providers, verifying domain ownership is crucial to prevent subdomain - [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/) - [https://www.stratussecurity.com/post/subdomain-takeover-guide](https://www.stratussecurity.com/post/subdomain-takeover-guide) +- [https://www.hackerone.com/blog/guide-subdomain-takeovers-20](https://www.hackerone.com/blog/guide-subdomain-takeovers-20) {{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/hacking-with-cookies/README.md b/src/pentesting-web/hacking-with-cookies/README.md index 5e4e09254..0a5e6524d 100644 --- a/src/pentesting-web/hacking-with-cookies/README.md +++ b/src/pentesting-web/hacking-with-cookies/README.md @@ -189,10 +189,38 @@ RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end"; This vulnerability is particularly dangerous in web applications relying on cookie-based CSRF protection, as it allows attackers to inject spoofed CSRF-token cookies, potentially bypassing security measures. The issue is exacerbated by Python's handling of duplicate cookie names, where the last occurrence overrides earlier ones. It also raises concerns for `__Secure-` and `__Host-` cookies in insecure contexts and could lead to authorization bypasses when cookies are passed to back-end servers susceptible to spoofing. -### Cookies $version and WAF bypasses +### Cookies $version + +#### WAF Bypass According to [**this blogpost**](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie), it might be possible to use the cookie attribute **`$Version=1`** to make the backend use an old logic to parse the cookie due to the **RFC2109**. Moreover, other values just as **`$Domain`** and **`$Path`** can be used to modify the behaviour of the backend with the cookie. +#### Cookie Sandwich Attack + +According to [**this blogpost**](https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique) it's possible to use the cookie sandwich technique to steal HttpOnly cookies. These are the requirements and steps: + +- Find a place were an apparent useless **cookie is refected in the response** +- **Create a cookie called `$Version`** with value `1` (ou can do this in a XSS attack from JS) with a more specific path so it gets the initial possition (some frameworks like python don’t need this step) +- **Create the cookie that is reflected** with a value that leaves an **open double quotes** and with a specific path so it’s positioned in the cookie db after the previous one (`$Version`) +- Then, the legit cookie will go next in the order +- **Create a dummy cookie that closes the double quotse** inside its value + +This way the victim cookie gets trapped inside the new cookie version 1 and will get reflected whenever it’s reflected. +e.g. from the post: + +```javascript +document.cookie = `$Version=1;`; +document.cookie = `param1="start`; +// any cookies inside the sandwich will be placed into param1 value server-side +document.cookie = `param2=end";`; +``` + +### WAF bypasses + +#### Cookies $version + +Check the previous section. + #### Bypassing value analysis with quoted-string encoding This parsing indicate to unescape escaped values inside the cookies, so "\a" becomes "a". This can be useful to bypass WAFS as: