metnew / uxss-db Goto Github PK
View Code? Open in Web Editor NEW🔪Browser logic vulnerabilities :skull_and_crossbones:
Home Page: https://uxss-db.now.sh/
License: MIT License
🔪Browser logic vulnerabilities :skull_and_crossbones:
Home Page: https://uxss-db.now.sh/
License: MIT License
Some PoCs require user gestures(drag or click), while some PoCs don't need it.
In most cases element that triggers the vulnerability is something similar to <button id="x">Click me</button>
onclick
Most PoCs collected from trackers have window.onclick
handler to trigger the vulnerability.
This's bad, because, it makes manual testing from mobile devices impossible.
button[id="trigger"]
)I propose triggering the PoC by making button[id="trigger"]
as a unified way to trigger vulnerabilities.
I think that's ok to ignore vulnerabilities requiring DnD or oncontextmenu
, because in most cases they're not so severe as vulnerabilities requiring click.
The project is big enough now and includes not only UXSSs, but also URL spoofings, LPEs for chrome extensions, some memory bugs and other misc bugs.
I think it'd be better to categorize vulnerabilities/add tags/etc.
Memory bugs were out of the scope of this project.
However, maybe it worth to collect memory-related PoC/bugs/exploits too?
Microsoft says this is not an issue but in the way I see this is a big mistake.
Maybe you want to include in your list.
https://github.com/riramar/IE11xCORSxSOP
IE11 is not following CORS specification for local files like Chrome and Firefox.
I've contacted Microsoft and they say this is not a security issue so I'm sharing it.
From my tests IE11 is not following CORS specifications for local files as supposed to be.
In order to prove I've created a malicious cors.html.
The cors.html will be able to get an skype token and perform get on the user profile. Instead of using alert() function I could send this information to a domain that I have control.
Of course the victim needs to open the file from his local drive or maybe another application can open an IE instance.
If the user is logged on a Microsoft account and open the html file with the content above with onload function instead of onclick I'd be able to get his profile data.
This is a simple scenario. An attacker would be able to get any data from any domain that do not require a unique ID (e.g. CSRF token) which the attacker doesn't have and is unable to get.
If you do the same test on Chrome or Firefox the browser will follow CORS specification and block the response content since no CORS headers is present in the response.
I tested on IE11 running on Win7SP1 with all security patches and it worked. On Win10 didn't work. I didn't test in any server with CORS enabled.
If you think in another malicious scenario please let me know.I did a small improvement in this attack. Using IE File API (https://msdn.microsoft.com/en-us/library/hh772315(v=vs.85).aspx) an attacker would be able to create a web page with the content of fileAPI.html and send to a victim. A local file with the same content of cors.html would be created on download default folder. If the victim perform the three following clicks (Save, Open and Allow blocked content) an attacker would be able to perform any request to any domain and send the content to a domain which he/she has control. If the attacker is a MitM position this could be more intersting. Since the attacker could inject this content in a HTTP page and the victim will tend to relay on that. Next step would be force the victim to click on Save, Open and Allow blocked content buttons.
Same attack using XSS as vector. Imagine that https://xss-doc.appspot.com is a site about gift cards. The XSS payload below will create a giftcard.htm file in the default download folder. If the victim open the file a GET to https://mail.google.com/mail/u/0/#inbox will be submitted. After the GET the file will perform a POST to http://192.168.1.36/req.php using the GET response as a body. An attacker would be able to read all the emails in the following requests. I tested on Win7SP1 and IE11 with all patches and it worked.
BTW using file API on IE and a single XSS you can do the same stuff as RFD attack (https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/).
The table on the main README is pretty outdated.
It'd be great if someone could update it.
Adding a few entries from the repo to the table is already a valuable help 😈
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.