You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As explained in [this article](https://www.offsec.com/blog/cve-2024-46986/), uploading a `.rb` file into sensitive directories such as `config/initializers/` can lead to remote code execution (RCE) in Ruby on Rails applications.
Copy file name to clipboardExpand all lines: src/pentesting-web/clickjacking.md
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -100,6 +100,7 @@ Example:\
100
100
You found a**self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters.\
101
101
An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**.
102
102
103
+
103
104
### DoubleClickjacking
104
105
105
106
Firstly [explained in this post](https://securityaffairs.com/172572/hacking/doubleclickjacking-clickjacking-on-major-websites.html), this technique would ask the victim to double click on abutton of a custom page placed in a specific location, and use the timing differences between mousedown and onclick events to load the victim page duing the double click so the **victim actually clicks a legit button in the victim page**.
As explained in [this article](https://blog.slonser.info/posts/make-self-xss-great-again/), the `credentialless` flag in an iframe is used to load a page inside an iframe without sending credentials in the request while maintaining the same origin policy (SOP) of the loaded page in the iframe.
150
+
151
+
This allows the iframe to access sensitive information from another iframe in the same SOP loaded in the parent page:
152
+
153
+
```javascript
154
+
window.top[1].document.body.innerHTML='Hi from credentialless';
155
+
alert(window.top[1].document.cookie);
156
+
```
157
+
158
+
- Exploit example: Self-XSS + CSRF
159
+
160
+
In this attack, the attacker prepares a malicious webpage with 2 iframes:
161
+
162
+
- An iframe that loads the victim's page with the `credentialless` flag with a CSRF that triggers a XSS (Imagin a Self-XSS in the username of the user):
- Another iframe that actually has the user logged in (without the `credentialless` flag).
179
+
180
+
Then, from the XSS it's possible to access the other iframe as they have the same SOP and steal the cookie for example executing:
181
+
182
+
```javascript
183
+
alert(window.top[1].document.cookie);
184
+
```
185
+
186
+
### fetchLater Attack
187
+
188
+
As indicated in [this article](https://blog.slonser.info/posts/make-self-xss-great-again/) The API `fetchLater` allows to configure a request to be executed later (after a certain time). Therefore, this can be abused to for example, login a victim inside an attackers session (with Self-XSS), set a `fetchLater` request (to change the password of the current user for example) and logout from the attackers session. Then, the victim logs in in his own session and the `fetchLater` request will be executed, changing the password of the victim to the one set by the attacker.
189
+
190
+
This way even if the victim URL cannot be loaded in an iframe (due to CSP or other restrictions), the attacker can still execute a request in the victim's session.
191
+
192
+
193
+
```javascript
194
+
var req =newRequest("/change_rights",{method:"POST",body:JSON.stringify({username:"victim", rights:"admin"}),credentials:"include"})
195
+
constminute=60000
196
+
let arr = [minute, minute *60, minute *60*24, ...]
0 commit comments