SpellBook

Mon, 01 Jan 0001 00:00:00 +0000

Cookie manipulation may not have impact on its own. However, it could be a crucial part of an exploit chain.

Cookie manipulation allow attackers to manipulate data they don’t typically have control of. This makes document.cookie a potential source for later exploit chain

Example#

Consider this code:

const current_location = location.pathname;

// Extract existing history from cookie
const match = /history=([^;]*)/.exec(document.cookie);
const history = match ? match[1].split(',') : [];

// Prepend current location, keep max 5
history.unshift(current_location);
const trimmed = history.slice(0, 5);

// Write back to cookie
document.cookie = 'history=' + trimmed.join(',');

// Render to DOM
document.write('<h3>History</h3><ul>' + trimmed.map(p => '<li>' + p + '</li>').join('') + '</ul>');

This code will keep recent visiting paths inside a cookie history, then write it onto the page.

Mon, 01 Jan 0001 00:00:00 +0000

DOM clobbering#

DOM clobbering is a client-side attack. It might result in XSS.

The way this works is, you inject HTML that when parsed by browser, might result in overwriting global variables or objects in JavaScript context

This attack requires you to already have a way to inject HTML, but can’t execute JavaScript. DOM clobbering is how you might escalate to XSS

Most of this page is what i understand from HackTricks

Mon, 01 Jan 0001 00:00:00 +0000

Open Redirect#

DOM-based open-redirection vulnerabilities arise when a script writes attacker-controllable data into a sink that can trigger cross-domain navigation

Example 1#

Consider the following code:

goto = location.hash.slice(1)
if (goto.startsWith('https:')) {
  location = goto;
}

This code takes the string after the hash fragment #, and if it starts with https, it will pass the URL into location, which will redirect the browser to that URL.

So, this code uses a sink that attacker can control location.hash, and a sink that do redirection location. This vulnerability is open redirect, and could be exploited for a phishing attack

Mon, 01 Jan 0001 00:00:00 +0000

Web messages#

Web Messages (the postMessage API) is a browser mechanism that allows communication between different browsing contexts, like between a page and an <iframe>, or between a page and a Web Worker, or even across different origins.

Normally, the Same-Origin Policy blocks scripts from different origins from accessing each other’s data. postMessage provides a controlled, safe channel to pass data across that boundary.

If a page handles incoming web messages in an unsafe way, for example, not verify the origin of incoming messages correctly, we can pass our controlled message to the functions or properties that consume the message

SpellBook

Cookie Manipulation#

Example#

DOM clobbering#

Open Redirect#

Example 1#

Web messages#