From 8148835959b3b19bcdb83119022e875faa7adf40 Mon Sep 17 00:00:00 2001
From: xanhacks
Date: Thu, 23 May 2024 21:04:58 +0200
Subject: [PATCH] add SSTI
---
 content/docs/others/browser-exploit.md | 8 +++
 .../{framework => server-side}/ssti/_index.md | 0
 .../ssti/django-template.md | 0
 content/docs/server-side/ssti/ejs.md | 32 +++++++++
 content/docs/server-side/ssti/pug.md | 66 +++++++++++++++++++
 .../{framework => server-side}/ssti/tera.md | 0
 hugo_stats.json | 9 +++
 7 files changed, 115 insertions(+)
 rename content/docs/{framework => server-side}/ssti/_index.md (100%)
 rename content/docs/{framework => server-side}/ssti/django-template.md (100%)
 create mode 100644 content/docs/server-side/ssti/ejs.md
 create mode 100644 content/docs/server-side/ssti/pug.md
 rename content/docs/{framework => server-side}/ssti/tera.md (100%)
diff --git a/content/docs/others/browser-exploit.md b/content/docs/others/browser-exploit.md
index 9c62fbf..087238f 100644
--- a/content/docs/others/browser-exploit.md
+++ b/content/docs/others/browser-exploit.md
@@ -30,6 +30,14 @@ chrome.exe --remote-debugging-port=9222
 ## Vulnerabilities
+### Firefox
+
+#### CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js
+
+- [CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/)
+- [CVE-2024-4367 PoC - Github](https://github.com/LOURC0D3/CVE-2024-4367-PoC/)
+- Version: Firefox 126, Firefox ESR 115.11 and Thunderbird 115.11 released including the fixed version of PDF.js
+
 ### Chromium
 #### Arbitrary file reading
diff --git a/content/docs/framework/ssti/_index.md b/content/docs/server-side/ssti/_index.md
similarity index 100%
rename from content/docs/framework/ssti/_index.md
rename to content/docs/server-side/ssti/_index.md
diff --git a/content/docs/framework/ssti/django-template.md b/content/docs/server-side/ssti/django-template.md
similarity index 100%
rename from content/docs/framework/ssti/django-template.md
rename to content/docs/server-side/ssti/django-template.md
diff --git a/content/docs/server-side/ssti/ejs.md b/content/docs/server-side/ssti/ejs.md
new file mode 100644
index 0000000..745fdc4
--- /dev/null
+++ b/content/docs/server-side/ssti/ejs.md
@@ -0,0 +1,32 @@
+---
+title: "EJS"
+description: "Cheatsheet on EJS"
+lead: "Cheatsheet on EJS"
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+ docs:
+ parent: "ssti"
+weight: 620
+toc: true
+---
+
+## EJS - Embedded JavaScript templating
+
+[EJS](https://ejs.co/) is a simple templating language that lets you generate HTML markup with plain JavaScript.
+
+## XSS
+
+**Unsafe:**
+
+```html
+

<%- user.name %>

+```
+
+**Safe:**
+
+```html
+

<%= user.name %>

+```
\ No newline at end of file
diff --git a/content/docs/server-side/ssti/pug.md b/content/docs/server-side/ssti/pug.md
new file mode 100644
index 0000000..02d33da
--- /dev/null
+++ b/content/docs/server-side/ssti/pug.md
@@ -0,0 +1,66 @@
+---
+title: "Pug"
+description: "Cheatsheet on Pug"
+lead: "Cheatsheet on Pug"
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+ docs:
+ parent: "ssti"
+weight: 620
+toc: true
+---
+
+## Pug
+
+[Pug](https://pugjs.org/) is a simple templating language that lets you generate HTML markup with plain JavaScript.
+
+## XSS
+
+### Unescaped Attributes
+
+- [Unescaped Attributes - pugjs.org](https://pugjs.org/language/attributes.html#unescaped-attributes)
+- [&attributes - pugjs.org](https://pugjs.org/language/attributes.html#attributes)
+
+By default, all attributes are escaped. If you need to use special characters, use `!=` instead of `=`.
+
+```html
+div(escaped="")
+=>
+div(unescaped!="")
+=>
+
+p = 'This code is escaped!'
+=>

This code <strong>is</strong> !

+p != 'This code is' + ' not escaped!'
+=> This code is not escaped!
+
+div#foo(data-bar="foo")&attributes({'data-foo': 'bar'})
+=>
+``` + +> Attributes applied using `&attributes` are not automatically escaped. + +### Unescaped Strings + +- [String Interpolation, Unescaped - pugjs.org](https://pugjs.org/language/interpolation.html#string-interpolation-unescaped) + +**Safe:** + +```bash +p You're logged in as #{user.name} +``` + +**Unsafe:** + +```bash +p You're logged in as !{user.name} +``` + +### Unescaped Protocol + +```js +a(href="javascript:alert(document.domain)") +``` \ No newline at end of file diff --git a/content/docs/framework/ssti/tera.md b/content/docs/server-side/ssti/tera.md similarity index 100% rename from content/docs/framework/ssti/tera.md rename to content/docs/server-side/ssti/tera.md diff --git a/hugo_stats.json b/hugo_stats.json index 9ea66bb..ea5a832 100644 --- a/hugo_stats.json +++ b/hugo_stats.json @@ -333,6 +333,7 @@ "csrf", "cve-2021-41773---path-traversal--potential-rce", "cve-2023-25690---request-smuggling", + "cve-2024-4367--arbitrary-javascript-execution-in-pdfjs", "dangerous-functions", "data-import", "database-enumeration", @@ -350,6 +351,8 @@ "dos", "drupal", "ejs", + "ejs---embedded-javascript-templating", + "email", "empty-pattern", "error-based", "example", @@ -442,6 +445,7 @@ "postgresql-2", "properties", "prototype-pollution", + "pug", "python", "query", "query-string-parsing", @@ -458,6 +462,7 @@ "resources", "response-headers-manipulation", "restart-frame", + "ruby", "samesite", "script-loading-content-type-page", "search-form", @@ -470,6 +475,7 @@ "secure", "security", "self-xss", + "send", "set-cookie-from-javascript", "socialMenu", "softwares", @@ -496,6 +502,9 @@ "trust-proxy", "two-levels-deep", "type-juggling", + "unescaped-attributes", + "unescaped-protocol", + "unescaped-strings", "uppercase", "uri-scheme", "urls",