DOM XSS
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
DOM Vulnerabilities
DOM vulnerabilities occur when data from attacker-controlled sources (such as location.search, document.referrer, or document.cookie) flows unsafely into sinks. Sinks are functions or objects (e.g., eval(), document.body.innerHTML) that can execute or render harmful content if they are given malicious data.
- Sources are inputs that attackers can manipulate, including URLs, cookies, and web messages.
- Sinks are dangerous endpoints where malicious data can cause harm, such as script execution.
The risk arises when data flows from a source to a sink without proper validation or sanitization, enabling attacks such as XSS.
tip
You can find a more updated list of sources and sinks in https://github.com/wisec/domxsswiki/wiki
Common sources:
document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB(mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database
Common sinks:
| Open Redirect | JavaScript Injection | DOM-data Manipulation | jQuery |
|---|---|---|---|
| location | eval() | scriptElement.src | add() |
| location.host | Function() constructor | scriptElement.text | after() |
| location.hostname | setTimeout() | scriptElement.textContent | append() |
| location.href | setInterval() | scriptElement.innerText | animate() |
| location.pathname | setImmediate() | someDOMElement.setAttribute() | insertAfter() |
| location.search | execCommand() | someDOMElement.search | insertBefore() |
| location.protocol | execScript() | someDOMElement.text | before() |
| location.assign() | msSetImmediate() | someDOMElement.textContent | html() |
| location.replace() | range.createContextualFragment() | someDOMElement.innerText | prepend() |
| open() | crypto.generateCRMFRequest() | someDOMElement.outerText | replaceAll() |
| domElem.srcdoc | **Local file-path manipulation** | someDOMElement.value | replaceWith() |
| XMLHttpRequest.open() | FileReader.readAsArrayBuffer() | someDOMElement.name | wrap() |
| XMLHttpRequest.send() | FileReader.readAsBinaryString() | someDOMElement.target | wrapInner() |
| jQuery.ajax() | FileReader.readAsDataURL() | someDOMElement.method | wrapAll() |
| $.ajax() | FileReader.readAsText() | someDOMElement.type | has() |
| **Ajax request manipulation** | FileReader.readAsFile() | someDOMElement.backgroundImage | constructor() |
| XMLHttpRequest.setRequestHeader() | FileReader.root.getFile() | someDOMElement.cssText | init() |
| XMLHttpRequest.open() | FileReader.root.getFile() | someDOMElement.codebase | index() |
| XMLHttpRequest.send() | **Link manipulation** | someDOMElement.innerHTML | jQuery.parseHTML() |
| jQuery.globalEval() | someDOMElement.href | someDOMElement.outerHTML | $.parseHTML() |
| $.globalEval() | someDOMElement.src | someDOMElement.insertAdjacentHTML | **Client-side JSON injection** |
| **HTML5-storage manipulation** | someDOMElement.action | someDOMElement.onevent | JSON.parse() |
| sessionStorage.setItem() | **XPath injection** | document.write() | jQuery.parseJSON() |
| localStorage.setItem() | document.evaluate() | document.writeln() | $.parseJSON() |
| **[Denial of Service](dom-xss.md#denial-of-service)** | someDOMElement.evaluate() | document.title | **Cookie manipulation** |
| requestFileSystem() | **Document-domain manipulation** | document.implementation.createHTMLDocument() | document.cookie |
| RegExp() | document.domain | history.pushState() | **WebSocket-URL poisoning** |
| **Client-side SQL injection** | **Web-message manipulation** | history.replaceState() | WebSocket |
| executeSql() | postMessage() | | |
The innerHTML sink doesn't accept script elements in any modern browser, nor will svg onload events fire. This means you need to use alternative elements such as img or iframe.
This kind of XSS is probably the hardest to find, since you need to look inside the JS code, check whether it uses any object whose value you control, and, if so, check whether there is any way to abuse it to execute arbitrary JS.
Tools to find them
- https://github.com/mozilla/eslint-plugin-no-unsanitized
- Browser extension to check every piece of data that reaches a potential sink: https://github.com/kevin-mizu/domloggerpp
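As an added example (not part of the HackTricks page or of the tools above), the following line-oriented taint heuristic follows the source and sink names listed on this page through straight-line client-side code; the SAMPLE code it scans is constructed for the demo, and the name lists are a deliberately small subset.

```javascript
// Added example (not from the HackTricks page): a triage heuristic, not a parser.
// It tracks `const|let|var x = <tainted>` declarations and flags any later line
// that uses a tainted name (or a source directly) next to a script-executing sink.
const SOURCES = ["location.search", "location.hash", "document.URL",
  "document.referrer", "document.cookie", "window.name"];
const SINKS = ["innerHTML", "outerHTML", "insertAdjacentHTML", "document.write",
  "eval(", "setTimeout(", "setInterval(", "Function(", "location.href",
  "location.assign(", "location.replace(", "postMessage(", "JSON.parse(",
  "localStorage.setItem("];
// textContent is deliberately absent: it cannot execute script.

const escapeRe = (s) => s.replace(/[$]/g, "\\$");

function findDomXssCandidates(code) {
  const tainted = new Set();
  const findings = [];
  code.split("\n").forEach((raw, idx) => {
    const line = raw.trim();
    // Which tainted names or raw sources does this line read?
    const reads = [...tainted]
      .filter((v) => new RegExp(`\\b${escapeRe(v)}\\b`).test(line))
      .concat(SOURCES.filter((s) => line.includes(s)));
    if (reads.length === 0) return;
    // Propagate taint through simple declarations.
    const decl = line.match(/^(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=/);
    if (decl) tainted.add(decl[1]);
    // A sink fed on the same line is a candidate source-to-sink flow.
    const sink = SINKS.find((s) => line.includes(s));
    if (sink) findings.push({ line: idx + 1, sink: sink.replace("(", ""), via: reads[0] });
  });
  return findings;
}

// Constructed sample of client-side code to scan.
const SAMPLE = [
  'const q = new URLSearchParams(location.search);',
  'const name = q.get("name");',
  'document.getElementById("greet").innerHTML = "Hi " + name;   // vulnerable',
  'document.getElementById("safe").textContent = "Hi " + name;  // text-only sink',
  'const cb = location.hash.slice(1);',
  'setTimeout(cb, 10);                                           // vulnerable',
].join("\n");

console.log(findDomXssCandidates(SAMPLE));
```

Anything it reports still has to be confirmed by hand (or with domloggerpp), since it ignores branches, function calls and encoding that may break the flow.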
Examples
Open Redirect
From: https://portswigger.net/web-security/dom-based/open-redirection
DOM-based open-redirect vulnerabilities arise when a script writes attacker-controllable data into a sink that can trigger cross-domain navigation.
It is important to understand that executing arbitrary code, such as javascript:alert(1), is possible if you control the beginning of the URL where the redirect happens.
Sinks:
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
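The defensive counterpart of the pattern above, as an added example that is not part of the HackTricks page: a redirect target read from a source such as location.search is validated before it reaches a navigation sink. SITE_ORIGIN is an assumed value standing in for the page's own origin.

```javascript
// Added example (not the page's code): allow-list a redirect target before it
// reaches location.replace() / location.href. SITE_ORIGIN is assumed for the demo.
const SITE_ORIGIN = "https://example.com";

// Vulnerable pattern this replaces:
//   location.replace(new URLSearchParams(location.search).get("url"));
// which accepts javascript:, data:, //host and foreign https:// targets verbatim.
function safeRedirectTarget(raw) {
  let url;
  try {
    url = new URL(raw, SITE_ORIGIN); // resolves relative paths against our own origin
  } catch (e) {
    return "/";                       // unparsable input: fall back to the home page
  }
  // Scheme allow-list: rejects javascript:, data:, vbscript:, blob: and friends.
  if (url.protocol !== "https:" && url.protocol !== "http:") return "/";
  // Exact origin match: rejects //evil.example and example.com.evil.example look-alikes.
  if (url.origin !== SITE_ORIGIN) return "/";
  // Hand the sink a path only, so scheme and host can never come from the attacker.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs, as an open-redirect test would feed them.
const CASES = [
  "/account?tab=1#x",
  "javascript:alert(1)",
  "//evil.example/phish",
  "https://example.com/ok",
  "https://example.com.evil.example/",
  "data:text/html,x",
];
for (const c of CASES) console.log(JSON.stringify(c), "->", safeRedirectTarget(c));
```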
Cookie manipulation
From: https://portswigger.net/web-security/dom-based/cookie-manipulation
DOM-based cookie-manipulation vulnerabilities arise when a script includes attacker-controllable data in the value of a cookie. This vulnerability can lead to unexpected behaviour of the web page if the cookie is used within the site. Additionally, it can be exploited to carry out a session-fixation attack if the cookie is involved in tracking user sessions. The main sink associated with this vulnerability is:
Sinks:
document.cookie
JavaScript Injection
From: https://portswigger.net/web-security/dom-based/javascript-injection
DOM-based JavaScript-injection vulnerabilities arise when a script runs attacker-controllable data as JavaScript code.
Sinks:
eval()
Function() constructor
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()
Document-domain manipulation
From: https://portswigger.net/web-security/dom-based/document-domain-manipulation
Document-domain manipulation vulnerabilities occur when a script sets the document.domain property using data that an attacker can control.
The document.domain property plays a key role in how browsers enforce the same-origin policy. When two pages from different origins set their document.domain to the same value, they can interact without restrictions. Although browsers impose certain limits on the values that can be assigned to document.domain, preventing values completely unrelated to the page's actual origin, there are exceptions. Typically, browsers allow the use of child or parent domains.
Sinks:
document.domain
WebSocket-URL poisoning
From: https://portswigger.net/web-security/dom-based/websocket-url-poisoning
WebSocket-URL poisoning occurs when a script uses controllable data as the target URL for a WebSocket connection.
Sinks:
The WebSocket constructor can lead to WebSocket-URL poisoning vulnerabilities.
Link manipulation
From: https://portswigger.net/web-security/dom-based/link-manipulation
DOM-based link-manipulation vulnerabilities arise when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.
Sinks:
someDOMElement.href
someDOMElement.src
someDOMElement.action
Ajax request manipulation
From: https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation
Ajax request manipulation vulnerabilities arise when a script writes attacker-controllable data into an Ajax request that is issued using an XmlHttpRequest object.
Sinks:
XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()
Local file-path manipulation
From: https://portswigger.net/web-security/dom-based/local-file-path-manipulation
Local file-path manipulation vulnerabilities arise when a script passes attacker-controllable data to a file-handling API as the filename parameter. This vulnerability could be exploited by an attacker to construct a URL that, if visited by another user, could cause the user's browser to open or write an arbitrary local file.
Sinks:
FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()
FileReader.root.getFile()
Client-side SQL injection
From: https://portswigger.net/web-security/dom-based/client-side-sql-injection
Client-side SQL-injection vulnerabilities occur when a script incorporates attacker-controllable data into a client-side SQL query in an unsafe way.
Sinks:
executeSql()
HTML5-storage manipulation
From: https://portswigger.net/web-security/dom-based/html5-storage-manipulation
HTML5-storage manipulation vulnerabilities arise when a script stores attacker-controllable data in the web browser's HTML5 storage (localStorage or sessionStorage). Although this action is not inherently a security risk, it becomes problematic if the application later reads the stored data and processes it unsafely. This could allow an attacker to use the storage mechanism to carry out other DOM-based attacks, such as cross-site scripting and JavaScript injection.
Sinks:
sessionStorage.setItem()
localStorage.setItem()
XPath injection
From: https://portswigger.net/web-security/dom-based/client-side-xpath-injection
DOM-based XPath-injection vulnerabilities occur when a script incorporates attacker-controllable data into an XPath query.
Sinks:
document.evaluate()
someDOMElement.evaluate()
Client-side JSON injection
From: https://portswigger.net/web-security/dom-based/client-side-json-injection
DOM-based JSON-injection vulnerabilities occur when a script incorporates attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application.
Sinks:
JSON.parse()
jQuery.parseJSON()
$.parseJSON()
Web-message manipulation
From: https://portswigger.net/web-security/dom-based/web-message-manipulation
Web-message vulnerabilities arise when a script sends attacker-controllable data as a web message to another document within the browser. An example of web-message manipulation can be found in PortSwigger's Web Security Academy.
Sinks:
The postMessage() method for sending web messages can lead to vulnerabilities if the event listener that receives the message handles the incoming data in an unsafe way.
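What a safe receiving-side listener looks like, as an added example that is not part of the HackTricks page: the handler treats event.data as attacker-controlled, checks the sender's origin and only ever routes the value to a text sink. TRUSTED_ORIGIN and the {type, text} message shape are assumptions for this demo, and the plain objects stand in for MessageEvent so the logic runs without a browser.

```javascript
// Added example (not the page's code). TRUSTED_ORIGIN and the message shape are assumed.
const TRUSTED_ORIGIN = "https://app.example";

// Returns what the handler would do instead of touching the DOM, so it can be tested.
function handleWebMessage(event) {
  // A vulnerable listener skips this check and does e.g. el.innerHTML = event.data;
  // any page that can obtain a window reference can call postMessage on it.
  if (event.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: "untrusted origin" };
  }
  const msg = event.data;
  // Require a structured message; never hand a raw string to eval/innerHTML/location.
  if (typeof msg !== "object" || msg === null || Array.isArray(msg)) {
    return { accepted: false, reason: "payload is not an object" };
  }
  if (msg.type !== "greet" || typeof msg.text !== "string") {
    return { accepted: false, reason: "unknown message shape" };
  }
  // Only a text sink (element.textContent) ever receives the value.
  return { accepted: true, textContent: msg.text.slice(0, 200) };
}

// Constructed events: a cross-origin sender, a raw HTML string, and a valid message.
const EVENTS = [
  { origin: "https://evil.example", data: { type: "greet", text: "hi" } },
  { origin: TRUSTED_ORIGIN, data: "<img src=x onerror=alert(1)>" },
  { origin: TRUSTED_ORIGIN, data: { type: "greet", text: "<b>hi</b>" } },
];
// In a page: window.addEventListener("message", (e) => render(handleWebMessage(e)));
EVENTS.forEach((e) => console.log(handleWebMessage(e)));
```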
DOM-data manipulation
From: https://portswigger.net/web-security/dom-based/dom-data-manipulation
DOM-data manipulation vulnerabilities arise when a script writes attacker-controllable data to a field within the DOM that is used within the visible UI or client-side logic. This vulnerability could be exploited by an attacker to construct a URL that, if visited by another user, could modify the appearance or behaviour of the client-side UI.
Sinks:
scriptElement.src
scriptElement.text
scriptElement.textContent
scriptElement.innerText
someDOMElement.setAttribute()
someDOMElement.search
someDOMElement.text
someDOMElement.textContent
someDOMElement.innerText
someDOMElement.outerText
someDOMElement.value
someDOMElement.name
someDOMElement.target
someDOMElement.method
someDOMElement.type
someDOMElement.backgroundImage
someDOMElement.cssText
someDOMElement.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()
Denial of Service
From: https://portswigger.net/web-security/dom-based/denial-of-service
DOM-based denial-of-service vulnerabilities occur when a script passes attacker-controllable data in an unsafe way to a problematic platform API. This includes APIs that, when invoked, can cause the user's computer to consume excessive amounts of CPU or disk space. Such vulnerabilities can have significant side effects, such as the browser restricting the website's functionality by rejecting attempts to store data in localStorage or terminating busy scripts.
Sinks:
requestFileSystem()
RegExp()
DOM Clobbering