mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
301 lines
21 KiB
Markdown
# DOM XSS

{{#include ../../banners/hacktricks-training.md}}

## DOM Vulnerabilities

DOM vulnerabilities occur when data from attacker-controlled **sources** (such as `location.search`, `document.referrer`, or `document.cookie`) is passed unsafely into **sinks**. Sinks are functions or objects (e.g., `eval()`, `document.body.innerHTML`) that can execute or render harmful content when they are given malicious data.

- **Sources** are inputs that an attacker can manipulate, including URLs, cookies, and web messages.
- **Sinks** are dangerous locations where malicious data can cause harm, such as script execution.

The risk arises when data flows from a source to a sink without proper validation or sanitization, enabling attacks such as XSS.

> [!NOTE]
> **You can find a more detailed list of sources and sinks at** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)

**Common sources:**

```javascript
document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB(mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database
```

**Common sinks:**

| [**Open Redirect**](dom-xss.md#open-redirect) | [**Javascript Injection**](dom-xss.md#javascript-injection) | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation) | **jQuery** |
| --- | --- | --- | --- |
| `location` | `eval()` | `scriptElement.src` | `add()` |
| `location.host` | `Function() constructor` | `scriptElement.text` | `after()` |
| `location.hostname` | `setTimeout()` | `scriptElement.textContent` | `append()` |
| `location.href` | `setInterval()` | `scriptElement.innerText` | `animate()` |
| `location.pathname` | `setImmediate()` | `someDOMElement.setAttribute()` | `insertAfter()` |
| `location.search` | `execCommand()` | `someDOMElement.search` | `insertBefore()` |
| `location.protocol` | `execScript()` | `someDOMElement.text` | `before()` |
| `location.assign()` | `msSetImmediate()` | `someDOMElement.textContent` | `html()` |
| `location.replace()` | `range.createContextualFragment()` | `someDOMElement.innerText` | `prepend()` |
| `open()` | `crypto.generateCRMFRequest()` | `someDOMElement.outerText` | `replaceAll()` |
| `domElem.srcdoc` | [**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value` | `replaceWith()` |
| `XMLHttpRequest.open()` | `FileReader.readAsArrayBuffer()` | `someDOMElement.name` | `wrap()` |
| `XMLHttpRequest.send()` | `FileReader.readAsBinaryString()` | `someDOMElement.target` | `wrapInner()` |
| `jQuery.ajax()` | `FileReader.readAsDataURL()` | `someDOMElement.method` | `wrapAll()` |
| `$.ajax()` | `FileReader.readAsText()` | `someDOMElement.type` | `has()` |
| [**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation) | `FileReader.readAsFile()` | `someDOMElement.backgroundImage` | `constructor()` |
| `XMLHttpRequest.setRequestHeader()` | `FileReader.root.getFile()` | `someDOMElement.cssText` | `init()` |
| `XMLHttpRequest.open()` | `FileReader.root.getFile()` | `someDOMElement.codebase` | `index()` |
| `XMLHttpRequest.send()` | [**Link manipulation**](dom-xss.md#link-manipulation) | `someDOMElement.innerHTML` | `jQuery.parseHTML()` |
| `jQuery.globalEval()` | `someDOMElement.href` | `someDOMElement.outerHTML` | `$.parseHTML()` |
| `$.globalEval()` | `someDOMElement.src` | `someDOMElement.insertAdjacentHTML` | [**Client-side JSON injection**](dom-xss.md#client-side-json-injection) |
| [**HTML5-storage manipulation**](dom-xss.md#html5-storage-manipulation) | `someDOMElement.action` | `someDOMElement.onevent` | `JSON.parse()` |
| `sessionStorage.setItem()` | [**XPath injection**](dom-xss.md#xpath-injection) | `document.write()` | `jQuery.parseJSON()` |
| `localStorage.setItem()` | `document.evaluate()` | `document.writeln()` | `$.parseJSON()` |
| [**Denial of Service**](dom-xss.md#denial-of-service) | `someDOMElement.evaluate()` | `document.title` | [**Cookie manipulation**](dom-xss.md#cookie-manipulation) |
| `requestFileSystem()` | [**Document-domain manipulation**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()` | `document.cookie` |
| `RegExp()` | `document.domain` | `history.pushState()` | [**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning) |
| [**Client-Side SQL injection**](dom-xss.md#client-side-sql-injection) | [**Web-message manipulation**](dom-xss.md#web-message-manipulation) | `history.replaceState()` | `WebSocket` |
| `executeSql()` | `postMessage()` | | |

The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.

This kind of XSS is probably **harder to find**, because you need to look inside the JS code, check whether it uses anything whose **value you control**, and in that case see whether there is **any way to abuse it** to execute arbitrary JS.

## Tools to find them

- [https://github.com/mozilla/eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized)
- A browser extension that monitors every piece of data reaching a potential sink: [https://github.com/kevin-mizu/domloggerpp](https://github.com/kevin-mizu/domloggerpp)
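The tools above automate the "look for a source whose value reaches a sink" review described earlier. The following is an added example, not code from the HackTricks page, eslint-plugin-no-unsanitized or domloggerpp: a deliberately small static scanner that takes the source and sink names listed on this page and flags lines of JavaScript where a value derived from a source reaches a sink. The taint logic is a line-by-line heuristic (assumption: one statement per line, no flow across functions or files); the sample code it scans is constructed.

```javascript
// Added example: a minimal source-to-sink scanner for JavaScript text. Not part
// of the HackTricks page or of any of the tools it lists. Source and sink names
// come from this page; the taint tracking is a per-line heuristic (assumption:
// one statement per line, no flow across functions or files).

const SOURCES = [
  "document.URL", "document.documentURI", "document.baseURI", "location",
  "document.cookie", "document.referrer", "window.name", "localStorage",
  "sessionStorage",
];

// Property sinks: flagged when they appear on the left of an assignment.
const WRITE_SINKS = [
  "innerHTML", "outerHTML", "srcdoc", ".src", ".href", ".action",
  "location", "document.domain", "document.cookie", "document.title",
];

// Function sinks: flagged when one of their arguments is tainted.
const CALL_SINKS = [
  "eval", "Function", "setTimeout", "setInterval", "insertAdjacentHTML",
  "document.write", "document.writeln", "location.assign", "location.replace",
  "postMessage", "JSON.parse", "RegExp", "executeSql", "document.evaluate",
];

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// `location` must match `location.hash` and `window.location` but not `locationInfo`.
function sourceRe(s) {
  return new RegExp("(?<![\\w$])" + escapeRe(s) + "(?![\\w$])");
}

// A tainted variable must appear as a standalone identifier, not as a property name.
function varRe(v) {
  return new RegExp("(?<![\\w$.])" + escapeRe(v) + "(?![\\w$])");
}

// Returns the sources and tainted variables that appear in an expression.
function taintOf(expr, tainted) {
  const via = SOURCES.filter((s) => sourceRe(s).test(expr));
  for (const v of tainted) if (varRe(v).test(expr)) via.push(v);
  return via;
}

function scan(code) {
  const tainted = new Set();
  const findings = [];
  code.split("\n").forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, "").trim(); // drop trailing // comments (heuristic)
    const lineNo = i + 1;

    // 1. `const x = <expr>`: x becomes tainted when <expr> is.
    const decl = line.match(/^(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/);
    if (decl) {
      if (taintOf(decl[2], tainted).length) tainted.add(decl[1]);
    } else {
      // 2. `<lhs> = <expr>`: a write into a property sink.
      const asg = line.match(/^([^=!<>]+?)\s*=(?!=)\s*(.+)$/);
      if (asg && WRITE_SINKS.some((s) => asg[1].endsWith(s))) {
        const via = taintOf(asg[2], tainted);
        if (via.length) findings.push({ line: lineNo, sink: asg[1], via });
      }
    }

    // 3. `sink(<args>)`: a call sink fed a tainted argument.
    for (const s of CALL_SINKS) {
      const m = line.match(new RegExp("(?<![\\w$])" + escapeRe(s) + "\\s*\\(([^)]*)\\)"));
      if (!m) continue;
      const via = taintOf(m[1], tainted);
      if (via.length) findings.push({ line: lineNo, sink: s + "()", via });
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real application).
const SAMPLE = [
  'const params = new URLSearchParams(location.search);',
  'const name = params.get("name");',
  'document.getElementById("greeting").innerHTML = "Hello " + name; // source -> HTML sink',
  'document.getElementById("greeting").textContent = "Hello " + name; // text sink, fine',
  'const cb = location.hash.slice(1);',
  'setTimeout(cb, 10); // a string callback is evaluated as code',
  'eval("1 + 1"); // constant argument, nothing tainted',
  'const lang = localStorage.getItem("lang");',
  'document.title = lang; // stored data reused without checks',
].join("\n");

console.log(scan(SAMPLE)); // reports lines 3, 6 and 9
```

Run under Node and the scanner reports the `innerHTML` write, the string-callback `setTimeout()` and the `document.title` write, while the `textContent` write and the constant `eval()` argument stay quiet. Real tools do the same thing with a proper parser and inter-procedural data flow; the heuristic here exists to make the source/sink idea concrete.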

## Examples

### Open Redirect

From: [https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection)

**DOM-based open-redirect vulnerabilities** arise when a script writes attacker-controllable data into a sink that can trigger cross-domain navigation.

It is important to understand that executing arbitrary code, such as **`javascript:alert(1)`**, is possible if you control the beginning of the URL where the redirection takes place.

Sinks:

```javascript
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
```
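The fix for this class is to decide the destination with the browser's URL parser rather than with a string prefix check. The following is an added example, not code from the HackTricks page or from PortSwigger: an allow-list check for a redirect target read from a DOM source, shown next to the vulnerable shape it replaces. The page origin is passed in explicitly so the function also runs outside a browser (in a page it would be `location.origin`); the origins and paths are constructed for the illustration.

```javascript
// Added example (not from the HackTricks page or PortSwigger). Assumption: the
// caller passes the page's own origin explicitly (`location.origin` in a page).

// Vulnerable shape the page describes: the parameter goes straight into a
// navigation sink, so an absolute URL to another host, a protocol-relative
// `//host`, or a `javascript:` URL all become the destination.
//   const target = new URLSearchParams(location.search).get("redirect");
//   if (target) location.href = target;

// Hardened: resolve the candidate against the page origin with the WHATWG URL
// parser and accept it only if it stays on that origin over http(s). Letting the
// parser decide what "same origin" means also covers inputs such as `\\host`,
// which the parser treats like `//host` and which prefix checks tend to miss.
function safeRedirectTarget(candidate, pageOrigin, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  let url;
  try {
    url = new URL(candidate, pageOrigin); // relative paths resolve; absolute URLs stay as they are
  } catch {
    return fallback;                      // unparsable input
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback; // drops javascript:, data:, ...
  if (url.origin !== new URL(pageOrigin).origin) return fallback;              // drops every other host
  // Hand back only path + query + fragment, so the caller can never navigate cross-origin.
  return url.pathname + url.search + url.hash;
}

// Usage in a page (assumption: `params` holds the parsed query string):
//   location.assign(safeRedirectTarget(params.get("redirect"), location.origin));
```

Returning only the path portion is deliberate: even if a later change weakens the origin check, the navigation sink can only ever receive a same-origin relative URL.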

### Cookie manipulation

From: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation)

DOM-based cookie-manipulation vulnerabilities arise when a script incorporates attacker-controllable data into the value of a cookie. This vulnerability can lead to unexpected behaviour of the web page if the cookie is used within the site. Additionally, it can be exploited to perform a session-fixation attack if the cookie is involved in tracking user sessions. The main sink associated with this vulnerability is:

Sinks:

```javascript
document.cookie
```

### JavaScript Injection

From: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection)

DOM-based JavaScript-injection vulnerabilities arise when a script runs attacker-controllable data as JavaScript code.

Sinks:

```javascript
eval()
Function() constructor
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()
```

### Document-domain manipulation

From: [https://portswigger.net/web-security/dom-based/document-domain-manipulation](https://portswigger.net/web-security/dom-based/document-domain-manipulation)

**Document-domain manipulation vulnerabilities** arise when a script sets the `document.domain` property using attacker-controllable data.

The `document.domain` property plays a **key role** in the browser's **enforcement** of the **same-origin policy**. When two pages from different origins set their `document.domain` to the **same value**, they can interact without restrictions. Although browsers impose certain **limits** on the values that can be assigned to `document.domain`, preventing the assignment of values completely unrelated to the page's actual origin, there are exceptions. Typically, browsers allow the use of **child domains** or **parent domains**.

Sinks:

```javascript
document.domain
```

### WebSocket-URL poisoning

From: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning)

**WebSocket-URL poisoning** occurs when a script uses **controllable data as the target URL** of a WebSocket connection.

Sinks:

The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities.

### Link manipulation

From: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation)

**DOM-based link-manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a navigation target** within the current page, such as a clickable link or the submission URL of a form.

Sinks:

```javascript
someDOMElement.href
someDOMElement.src
someDOMElement.action
```

### Ajax request manipulation

From: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation)

**Ajax request-manipulation vulnerabilities** arise when a script writes **attacker-controllable data into an Ajax request** that is issued using an `XMLHttpRequest` object.

Sinks:

```javascript
XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()
```

### Local file-path manipulation

From: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation)

**Local file-path manipulation vulnerabilities** arise when a script passes **attacker-controllable data to a file-handling API** as the `filename` parameter. An attacker could exploit this vulnerability to construct a URL that, if visited by another user, causes the user's browser to **open or write an arbitrary local file**.

Sinks:

```javascript
FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()
```

### Client-Side SQL injection

From: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection)

**Client-side SQL-injection vulnerabilities** arise when a script incorporates **attacker-controllable data into a client-side SQL query in an unsafe way**.

Sinks:

```javascript
executeSql()
```

### HTML5-storage manipulation

From: [https://portswigger.net/web-security/dom-based/html5-storage-manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation)

**HTML5-storage manipulation vulnerabilities** arise when a script **stores attacker-controllable data in the web browser's HTML5 storage** (`localStorage` or `sessionStorage`). While this action is not inherently a security flaw, it becomes a problem if the application later reads **the stored data and processes it in an unsafe way**. This could allow an attacker to use the storage mechanism to carry out other DOM-based attacks, such as cross-site scripting and JavaScript injection.

Sinks:

```javascript
sessionStorage.setItem()
localStorage.setItem()
```

### XPath injection

From: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection)

**DOM-based XPath-injection vulnerabilities** arise when a script incorporates **attacker-controllable data into an XPath query**.

Sinks:

```javascript
document.evaluate()
someDOMElement.evaluate()
```

### Client-side JSON injection

From: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection)

**DOM-based JSON-injection vulnerabilities** arise when a script incorporates **attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application**.

Sinks:

```javascript
JSON.parse()
jQuery.parseJSON()
$.parseJSON()
```
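The defect behind this class is building the JSON text by concatenation, so that untrusted data becomes part of the JSON syntax rather than a value inside it. The following is an added example, not code from the HackTricks page or from PortSwigger: the concatenating builder the page describes, its serialising replacement, and a shape-checking parse on the receiving side. The field names and the crafted input are constructed for the illustration.

```javascript
// Added example (not from the HackTricks page or PortSwigger). The profile
// fields, the "admin" flag and the crafted input are constructed for the demo.

// Vulnerable shape: the untrusted `name` is spliced into JSON *syntax*, so a
// value containing quotes and commas can add or override fields before
// JSON.parse() ever sees the text.
function buildProfileUnsafe(name) {
  return '{"admin":false,"name":"' + name + '"}';
}

// Hardened: JSON.stringify() escapes the value, so whatever it contains can only
// ever be the string stored under "name".
function buildProfile(name) {
  return JSON.stringify({ admin: false, name: String(name) });
}

// Defensive parse for the sink side: accept only the exact shape the
// application expects and return a fresh object rather than the raw parse result.
function parseProfile(json) {
  let obj;
  try {
    obj = JSON.parse(json);
  } catch {
    return null;                                                   // malformed input
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  if (Object.keys(obj).sort().join(",") !== "admin,name") return null; // no extra or missing fields
  if (typeof obj.name !== "string" || typeof obj.admin !== "boolean") return null;
  return { name: obj.name, admin: obj.admin };
}

// Constructed input that carries JSON syntax inside the value.
const CRAFTED = 'x","admin":true,"note":"';

// Returns what each pipeline ends up believing about the "admin" flag.
function compare(name) {
  return {
    unsafe: JSON.parse(buildProfileUnsafe(name)).admin,            // true for CRAFTED
    safe: JSON.parse(buildProfile(name)).admin,                    // false
    checked: parseProfile(buildProfileUnsafe(name)),               // null: extra "note" key
  };
}
```

The shape check catches the concatenated variant even where the builder cannot be fixed, because the injected text necessarily changes the set of keys or their types.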

### Web-message manipulation

From: [https://portswigger.net/web-security/dom-based/web-message-manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation)

**Web-message manipulation vulnerabilities** arise when a script sends **attacker-controllable data as a web message to another document** within the browser. An **example** of a web-message manipulation vulnerability can be found in [PortSwigger's Web Security Academy](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source).

Sinks:

The `postMessage()` method for sending web messages can lead to vulnerabilities if the event listener that receives the message handles the incoming data in an unsafe way.
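Both ends of the exchange have a part to play: the sender pins the target origin, and the listener checks the sender's origin and treats the payload as data rather than as markup or code. The following is an added example, not code from the HackTricks page or from PortSwigger. The sender and the listener take their window and event as plain objects so the code runs outside a browser; in a page the listener would be registered with `window.addEventListener("message", (e) => handleMessage(e, render))`. The origins, message type and field names are constructed for the illustration.

```javascript
// Added example (not from the HackTricks page or PortSwigger). Origins, the
// message type and the `render` callback are constructed assumptions.

const TRUSTED_ORIGINS = new Set(["https://app.example", "https://widget.example"]);
const WIDGET_ORIGIN = "https://widget.example";

// Sending side: a fixed targetOrigin makes the browser drop the message if the
// target frame has been navigated elsewhere; "*" would deliver it to any document.
function sendGreeting(targetWindow, name) {
  const payload = { type: "setGreeting", name: String(name) };
  targetWindow.postMessage(payload, WIDGET_ORIGIN);
  return payload;
}

// Receiving side. The vulnerable shape the page describes would be
//   addEventListener("message", (e) => { el.innerHTML = e.data; });
// with no origin check and an HTML sink.
function handleMessage(event, render) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" }; // exact match, never a substring test
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object") {
    return { accepted: false, reason: "not an object" };    // strings are never evaluated or rendered
  }
  if (msg.type !== "setGreeting" || typeof msg.name !== "string") {
    return { accepted: false, reason: "unknown message" };
  }
  const text = "Hello " + msg.name.slice(0, 64);
  render(text);                                             // e.g. el.textContent = text
  return { accepted: true, text };
}

// Constructed events standing in for MessageEvent objects.
const EVENTS = [
  { origin: "https://app.example", data: { type: "setGreeting", name: "Ada" } },
  { origin: "https://app.example.attacker.example", data: { type: "setGreeting", name: "Ada" } },
  { origin: "https://app.example", data: "<b>Ada</b>" },
];

// Runs every constructed event through the listener and reports what was rendered.
function runDemo() {
  const rendered = [];
  const results = EVENTS.map((e) => handleMessage(e, (t) => rendered.push(t)));
  return { results, rendered };
}
```

The second event shows why the origin comparison has to be exact: a look-alike host that merely contains the trusted name is still a different origin.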

### DOM-data manipulation

From: [https://portswigger.net/web-security/dom-based/dom-data-manipulation](https://portswigger.net/web-security/dom-based/dom-data-manipulation)

**DOM-data manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a field within the DOM** that is used within the visible UI or in client-side logic. An attacker could exploit this vulnerability to construct a URL that, if visited by another user, alters the appearance or behaviour of the client-side UI.

Sinks:

```javascript
scriptElement.src
scriptElement.text
scriptElement.textContent
scriptElement.innerText
someDOMElement.setAttribute()
someDOMElement.search
someDOMElement.text
someDOMElement.textContent
someDOMElement.innerText
someDOMElement.outerText
someDOMElement.value
someDOMElement.name
someDOMElement.target
someDOMElement.method
someDOMElement.type
someDOMElement.backgroundImage
someDOMElement.cssText
someDOMElement.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()
```

### Denial of Service

From: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service)

**DOM-based denial-of-service vulnerabilities** arise when a script passes **attacker-controllable data in an unsafe way to a problematic platform API**. This includes APIs that, when invoked, can cause the user's computer to consume **excessive amounts of CPU or disk space**. Such vulnerabilities can have significant side effects, such as the browser restricting the website's functionality by rejecting attempts to store data in `localStorage` or terminating busy scripts.

Sinks:

```javascript
requestFileSystem()
RegExp()
```
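For the `RegExp()` sink the safe pattern is to never let untrusted text act as regex syntax at all. The following is an added example, not code from the HackTricks page or from PortSwigger: a search helper in the vulnerable shape the page describes (a pattern compiled straight from user input) beside a hardened version that escapes the input so it only ever matches literally and refuses oversized input before anything reaches the regex engine. The text, the inputs and the length limit are constructed for the illustration.

```javascript
// Added example (not from the HackTricks page or PortSwigger). The 64-character
// limit and the sample text are constructed assumptions.

const MAX_PATTERN_LENGTH = 64;

// Every regex metacharacter becomes a literal.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable shape: user input is regex syntax. An invalid pattern throws and
// kills the script; a pathological one can keep the CPU busy for a long time.
function highlightUnsafe(text, userInput) {
  return text.match(new RegExp(userInput, "g")) || [];
}

// Hardened: literal, bounded, case-insensitive search returning match offsets.
function findMatches(text, userInput) {
  if (typeof userInput !== "string" || userInput.length === 0) return [];
  if (userInput.length > MAX_PATTERN_LENGTH) return [];       // refuse rather than compile
  const re = new RegExp(escapeRegExp(userInput), "gi");
  const offsets = [];
  let m;
  while ((m = re.exec(text)) !== null) offsets.push(m.index); // input is non-empty, so no zero-width loop
  return offsets;
}

// Constructed page text to search in.
const TEXT = "price: 1.99, 1x99";
```

With the input `1.99`, the unsafe helper also matches `1x99` because the dot is interpreted as a wildcard, while the escaped version reports the single literal hit; with an input such as a lone `(`, the unsafe helper throws where the hardened one simply finds nothing.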

## Dom Clobbering

{{#ref}}
dom-clobbering.md
{{#endref}}

{{#include ../../banners/hacktricks-training.md}}