This project aims to enumerate, in a single HTML file, every way a website can leak HTTP requests. See the file leak.html (plain-text version) in the root of this repository.
What is it good for?
You can use it to test your browser for CSP leaks, your webmail for HTTP leaks, and anything else that is not supposed to send HTTP requests to where the sun doesn't shine.
By "HTTP leak" we essentially mean a situation in which a certain combination of HTML elements and attributes triggers a request to an external resource when it should not. Think, for example, of the body of an HTML email: an HTTP leak would tell someone that you have just read that email. That is not always bad, but it is almost never good.
Or think of web proxies. Those tools try to show you a website from a different domain to offer what they call "anonymity". Of course, they also have to rewrite every HTML element and attribute that fetches a resource over HTTP (or similar), and if they forget one, the so-called "anonymity" is gone.
And since nobody really knows which elements and attributes can request external resources, we decided to create this project to keep track of them.
What now?
The HTML will be extended as soon as we hear of a new leak; pull requests with additional exotic sources of HTTP leaks are very welcome! Even more welcome are ideas on how this content could be presented (JSON, HTML, XML, ...).
Source: https://github.com/cure53/HTTPLeaks
Source code.
<!DOCTYPE html SYSTEM "https://leaking.via/doctype">
<html xmlns="http://www.w3.org/1999/xhtml" manifest="https://leaking.via/html-manifest">
<head profile="https://leaking.via/head-profile">
<!--
%Base (check manually)
-->
<base href="https://leaking.via/base-href/">
<!--
%MSIE Imports
-->
<?IMPORT namespace="myNS" implementation="https://leaking.via/import-implementation" ?>
<IMPORT namespace="myNS" implementation="https://leaking.via/import-implementation-2" />
<!--
%Redirects
-->
<meta http-equiv="refresh" content="10; url=https://leaking.via/meta-refresh">
<!--
%CSP
-->
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri https://leaking.via/meta-csp-report-uri">
<meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'; report-uri https://leaking.via/meta-csp-report-uri-2">
<!--
%Reading View
-->
<meta name="copyright" content="<img src='https://leaking.via/meta-name-copyright-reading-view'>">
<meta name="displaydate" content="<img src='https://leaking.via/meta-name-displaydate-reading-view'>">
<meta property="og:site_name" content="<img src='https://leaking.via/meta-property-reading-view'>">
<!--
%AppLink Web Fallback
-->
<meta property="al:web:url" content="https://leaking.via/meta-property-al-web-url">
<!--
%Pinned Websites
-->
<meta name="msapplication-config" content="https://leaking.via/meta-name-msa-config">
<meta name="msapplication-badge" content="frequency=30; polling-uri=https://leaking.via/meta-name-msa-badge">
<meta name="msapplication-notification" content="frequency=60;polling-uri=https://leaking.via/meta-name-msa-notification">
<meta name="msapplication-square150x150logo" content="https://leaking.via/meta-name-msa-logo-1">
<meta name="msapplication-square310x310logo" content="https://leaking.via/meta-name-msa-logo-2">
<meta name="msapplication-square70x70logo" content="https://leaking.via/meta-name-msa-logo-3">
<meta name="msapplication-wide310x150logo" content="https://leaking.via/meta-name-msa-logo-4">
<meta name="msapplication-task" content="name=Leak;action-uri=https://leaking.via/meta-name-msa-task;icon-uri=https://leaking.via/meta-name-msa-task-icon">
<meta name="msapplication-TileImage" content="https://leaking.via/meta-name-msa-tile-image">
<!--
%Conditional Comments
-->
<!--[if true]>
<link href="https://leaking.via/conditional-comment-1" rel="stylesheet">
<![endif]-->
<!--
%Links
-->
<link rel="stylesheet" href="https://leaking.via/link-stylesheet" />
<link rel="icon" href="https://leaking.via/link-icon" />
<link rel="canonical" href="https://leaking.via/link-canonical" />
<link rel="shortcut icon" href="https://leaking.via/link-shortcut-icon" />
<link rel="import" href="https://leaking.via/link-import" />
<link rel="dns-prefetch" href="https://leaking.via/link-dns-prefetch" />
<link rel="preconnect" href="https://leaking.via/link-preconnect">
<link rel="prefetch" href="https://leaking.via/link-prefetch" />
<link rel="preload" href="https://leaking.via/link-preload" />
<link rel="prerender" href="https://leaking.via/link-prerender" />
<link rel="preload" as="font" href="https://leaking.via/link-preload-as-font" />
<link rel="preload" as="image" href="https://leaking.via/link-preload-as-image" />
<link rel="preload" as="image" imagesrcset=",,,,,https://leaking.via/link-preload-imagesrcset" />
<link rel="preload" as="style" href="https://leaking.via/link-preload-as-style" />
<link rel="preload" as="script" href="https://leaking.via/link-preload-as-script" />
<link rel="search" href="https://leaking.via/link-search" />
<!--
Note that OpenSearch description URLs are ignored in Chrome if this file isn't placed in the webroot.
Also, in Chrome, you won't see the request in the developer tools because the request happens in the privileged browser process.
Use a network sniffer to detect it.
-->
<link rel="alternate" href="https://leaking.via/link-alternate" />
<link rel="alternate" type="application/atom+xml" href="https://leaking.via/link-alternate-atom" />
<link rel="alternate stylesheet" href="https://leaking.via/link-alternate-stylesheet" />
<link rel="amphtml" href="https://leaking.via/link-amphtml">
<link rel="appendix" href="https://leaking.via/link-appendix" />
<link rel="apple-touch-icon-precomposed" href="https://leaking.via/link-apple-touch-icon-precomposed">
<link rel="apple-touch-icon" href="https://leaking.via/link-apple-touch-icon">
<link rel="apple-touch-startup-image" href="https://leaking.via/link-apple-touch-startup-image">
<link rel="archives" href="https://leaking.via/link-archives" />
<link rel="author" href="https://leaking.via/link-author" />
<link rel="bookmark" href="https://leaking.via/link-bookmark" />
<link rel="canonical" href="https://leaking.via/link-canonical">
<link rel="chapter" href="https://leaking.via/link-chapter" />
<link rel="chrome-webstore-item" href="https://leaking.via/link-chrome-webstore-item">
<link rel="contents" href="https://leaking.via/link-contents" />
<link rel="copyright" href="https://leaking.via/link-copyright" />
<link rel="entry-content" href="https://leaking.via/link-entry-content" />
<link rel="external" href="https://leaking.via/link-external" />
<link rel="feedurl" href="https://leaking.via/link-feedurl" />
<link rel="first" href="https://leaking.via/link-first" />
<link rel="glossary" href="https://leaking.via/link-glossary" />
<link rel="help" href="https://leaking.via/link-help" />
<link rel="index" href="https://leaking.via/link-index" />
<link rel="last" href="https://leaking.via/link-last" />
<link rel="manifest" href="https://leaking.via/link-manifest" />
<link rel="mask-icon" href="https://leaking.via/link-mask-icon" color="red">
<link rel="next" href="https://leaking.via/link-next" />
<link rel="offline" href="https://leaking.via/link-offline" />
<link rel="P3Pv1" href="https://leaking.via/link-P3Pv1">
<link rel="pingback" href="https://leaking.via/link-pingback" />
<link rel="prev" href="https://leaking.via/link-prev" />
<link rel="publisher" href="https://leaking.via/link-publisher">
<link rel="search" type="application/opensearchdescription+xml" href="https://leaking.via/link-search-2" title="Search" />
<link rel="sidebar" href="https://leaking.via/link-sidebar" />
<link rel="start" href="https://leaking.via/link-start" />
<link rel="section" href="https://leaking.via/link-section" />
<link rel="subsection" href="https://leaking.via/link-subsection" />
<link rel="subresource" href="https://leaking.via/link-subresource">
<link rel="tag" href="https://leaking.via/link-tag" />
<link rel="up" href="https://leaking.via/link-up" />
</head>
<!--
%Body Background
-->
<body background="https://leaking.via/body-background">
<!--
%Links & Maps
-->
<a ping="https://leaking.via/a-ping" href="#">You have to click me</a>
<img src="data:;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw" width="150" height="150" usemap="#map">
<map name="map">
<area ping="https://leaking.via/area-ping" shape="rect" coords="0,0,150,150" href="#">
</map>
<!--
The ping attribute allows to send a HTTP request to an external IP or domain,
even if the link's HREF points somewhere else. The link has to be clicked though
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-ping
-->
<!--
%Table Background
-->
<table background="https://leaking.via/table-background">
<tr>
<td background="https://leaking.via/td-background"></td>
</tr>
</table>
<!--
%Images
-->
<img src="https://leaking.via/img-src">
<img dynsrc="https://leaking.via/img-dynsrc">
<img lowsrc="https://leaking.via/img-lowsrc">
<img src="data:image/svg+xml,<svg%20xmlns='%68ttp:%2f/www.w3.org/2000/svg'%20xmlns:xlink='%68ttp:%2f/www.w3.org/1999/xlink'><image%20xlink:hr%65f='%68ttps:%2f/leaking.via/svg-via-data'></image></svg>">
<image src="https://leaking.via/image-src">
<image href="https://leaking.via/image-href">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="https://leaking.via/svg-image-href">
<image xlink:href="https://leaking.via/svg-image-xlink-href">
</svg>
<picture>
<source srcset="https://leaking.via/picture-source-srcset">
</picture>
<picture>
<img srcset="https://leaking.via/picture-img-srcset">
</picture>
<img srcset=",,,,,https://leaking.via/img-srcset">
<img src="#" longdesc="https://leaking.via/img-longdesc">
<!-- longdesc works on Firefox but requires right-click, "View Description" -->
<!--
%Forms
-->
<form action="https://leaking.via/form-action"></form>
<form id="test"></form><button form="test" formaction="https://leaking.via/button-formaction">CLICKME</button>
<input type="image" src="https://leaking.via/input-src" name="test" value="test">
<isindex src="https://leaking.via/isindex-src" type="image">
<isindex action="https://leaking.via/isindex-action"></isindex>
<form id="test2"></form><isindex type="submit" formaction="https://leaking.via/isindex-formaction" form="test2"></isindex>
<!--
%Media
-->
<bgsound src="https://leaking.via/bgsound-src"></bgsound>
<video src="https://leaking.via/video-src">
<track kind="subtitles" label="English subtitles" src="https://leaking.via/track-src" srclang="en" default></track>
</video>
<video controls>
<source src="https://leaking.via/video-source-src" type="video/mp4">
</video>
<audio src="https://leaking.via/audio-src"></audio>
<audio controls>
<source src="https://leaking.via/audio-source-src" type="video/mp4">
</audio>
<video poster="https://leaking.via/video-poster" src="https://leaking.via/video-poster-2"></video>
<!--
%Object & Embed
-->
<object data="https://leaking.via/object-data"></object>
<object type="text/x-scriptlet" data="https://leaking.via/object-data-x-scriptlet"></object>
<object movie="https://leaking.via/object-movie" type="application/x-shockwave-flash"></object>
<object movie="https://leaking.via/object-movie">
<param name="type" value="application/x-shockwave-flash"></param>
</object>
<object codebase="https://leaking.via/object-codebase"></object>
<embed src="https://leaking.via/embed-src"></embed>
<embed code="https://leaking.via/embed-code"></embed>
<object classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
<param name="DataURL" value="https://leaking.via/object-param-dataurl">
</object>
<object classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6">
<param name="URL" value="https://leaking.via/object-param-url">
</object>
<!--
%Portal
-->
<portal src="https://leaking.via/portal-src"></portal>
<!--
%Script
-->
<script src="https://leaking.via/script-src"></script>
<svg><script href="https://leaking.via/svg-script-href"></script></svg>
<svg><script xlink:href="https://leaking.via/svg-script-xlink-href"></script></svg>
<script>
//# sourceMappingURL=https://leaking.via/javascript-source-map
</script>
<!--
%Frames
-->
<iframe src="https://leaking.via/iframe-src"></iframe>
<iframe src="data:image/svg+xml,<svg%20xmlns='%68ttp:%2f/www.w3.org/2000/svg'%20xmlns:xlink='%68ttp:%2f/www.w3.org/1999/xlink'><image%20xlink:hr%65f='%68ttps:%2f/leaking.via/svg-via-data'></image></svg>"></iframe>
<iframe srcdoc="<img src=https://leaking.via/iframe-srcdoc-img-src>"></iframe>
<frameset>
<frame src="https://leaking.via/frame-src"></frame>
</frameset>
<iframe src="view-source:https://leaking.via/iframe-src-viewsource"></iframe>
<iframe src="javascript:'<img src=https://leaking.via/iframe-javascript-src>'"></iframe>
<iframe src="javascript:'<iframe src="javascript:\'<img src=https://leaking.via/iframe-javascript-src-2>\'"></iframe>'"></iframe>
<iframe src="javascript:atob('PGltZyBzcmM9Imh0dHBzOi8vbGVha2luZy52aWEvaWZyYW1lLWphdmFzY3JpcHQtc3JjLTMiPg==')"></iframe>
<!--
%Menu
-->
<p contextmenu="a">Right Click</p>
<menu type="context" id="a">
<menuitem label="a" icon="https://leaking.via/menuitem-icon"></menuitem>
</menu>
<!--
%CSS
-->
<style>
/*# sourceMappingURL=https://leaking.via/css-source-map */
</style>
<style>
@import 'https://leaking.via/css-import-string';
@import url(https://leaking.via/css-import-url);
</style>
<style>
a:after {content: url(https://leaking.via/css-after-content)}
a::after {content: url(https://leaking.via/css-after-content-2)}
a:before {content: url(https://leaking.via/css-before-content)}
a::before {content: url(https://leaking.via/css-before-content-2)}
</style>
<a href="#">ABC</a>
<style>
big {
list-style: url(https://leaking.via/css-list-style);
list-style-image: url(https://leaking.via/css-list-style-image);
background: url(https://leaking.via/css-background);
background-image: url(https://leaking.via/css-background-image);
border-image: url(https://leaking.via/css-border-image);
-moz-border-image: url(https://leaking.via/css--moz-border-image-alias);
-webkit-border-image: url(https://leaking.via/css--webkit-border-image-alias);
border-image-source: url(https://leaking.via/css-border-image-source);
shape-outside: url(https://leaking.via/css-shape-outside);
cursor: url(https://leaking.via/css-cursor), auto;
}
</style>
<big>DEF</big>
<style>
/* Basic font-face */
@font-face {
font-family: leak;
src: url(https://leaking.via/css-font-face-src);
}
/*
* Cross-browser font-face
* IE6-8 will use the EOT source, modern browsers will use WOFF(2) and fallback to TTF in case of error
* More info:
* http://www.paulirish.com/2009/bulletproof-font-face-implementation-syntax/
* http://caniuse.com/#search=eot
* http://caniuse.com/#search=woff2
* http://caniuse.com/#search=woff
* http://caniuse.com/#search=ttf
*/
@font-face {
font-family: 'leak';
src: url('https://leaking.via/css-font-face-src-eot') format('eot'), url('https://leaking.via/css-font-face-src-woff') format('woff'), url('https://leaking.via/css-font-face-src-ttf') format('truetype');
}
big {
font-family: leak;
}
</style>
<big>GHI</big>
<svg>
<style>
circle {
fill: url(https://leaking.via/svg-css-fill#foo);
mask: url(https://leaking.via/svg-css-mask#foo);
-webkit-mask: url(https://leaking.via/svg-css--webkit-mask#foo);
filter: url(https://leaking.via/svg-css-filter#foo);
clip-path: url(https://leaking.via/svg-css-clip-path#foo);
}
</style>
<circle r="40"></circle>
</svg>
<s foo="https://leaking.via/css-attr-notation">JKL</s>
<style>
s {
--leak: url(https://leaking.via/css-variables);
}
s {
background: var(--leak);
}
s::after {
content: attr(foo url);
}
s::before {
content: attr(notpresent, url(https://leaking.via/css-attr-fallback));
}
</style>
<style>
p#p1 {
background-image: \75 \72 \6C (https://leaking.via/css-escape-url-1);
}
p#p2 {
background-image: \000075\000072\00006C(https://leaking.via/css-escape-url-2);
}
</style>
<p id="p1">bla</p>
<p id="p2">bla</p>
<!--
%Inline CSS
-->
<b style="
list-style: url(https://leaking.via/inline-css-list-style);
list-style-image: url(https://leaking.via/inline-css-list-style-image);
background: url(https://leaking.via/inline-css-background);
background-image: url(https://leaking.via/inline-css-background-image);
border-image: url(https://leaking.via/inline-css-list-style-image);
-moz-border-image: url(https://leaking.via/inline-css--moz-background-image-alias);
-webkit-border-image: url(https://leaking.via/inline-css--webkit-background-image-alias);
border-image-source: url(https://leaking.via/inline-css-border-image-source);
shape-outside: url(https://leaking.via/inline-css-shape-outside);
cursor: url(https://leaking.via/inline-css-cursor), auto;
">MNO</b>
<svg>
<circle style="
fill: url(https://leaking.via/svg-inline-css-fill#foo);
mask: url(https://leaking.via/svg-inline-css-mask#foo);
-webkit-mask: url(https://leaking.via/svg-inline-css--webkit-mask#foo);
filter: url(https://leaking.via/svg-inline-css-filter#foo);
clip-path: url(https://leaking.via/svg-inline-css-clip-path#foo);
"></circle>
</svg>
<!--
%Exotic Inline CSS
-->
<div style="background: url() url() url() url() url(https://leaking.via/inline-css-multiple-backgrounds);"></div>
<div style="behavior: url('https://leaking.via/inline-css-behavior');"></div>
<div style="-ms-behavior: url('https://leaking.via/inline-css-behavior-2');"></div>
<div style="background-image: image('https://leaking.via/inline-css-image-function')"></div>
<div style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader( src='https://leaking.via/inline-css-filter-alpha', sizingMethod='scale');" ></div>
<div style="filter:progid:DXImageTransform.Microsoft.ICMFilter(colorSpace='https://leaking.via/inline-css-filter-icm')"></div>
<!--
%Applet
-->
<applet code="Test" codebase="https://leaking.via/applet-codebase"></applet>
<applet code="Test" archive="https://leaking.via/applet-archive"></applet>
<applet code="Test" object="https://leaking.via/applet-object"></applet>
<!--
%SVG
-->
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<linearGradient id="Gradient">
<stop offset="0" stop-color="white" stop-opacity="0" />
<stop offset="1" stop-color="white" stop-opacity="1" />
</linearGradient>
<mask id="Mask">
<rect x="0" y="0" width="200" height="200" fill="url(https://leaking.via/svg-fill)" />
</mask>
</defs>
<rect x="0" y="0" width="200" height="200" fill="green" />
<rect x="0" y="0" width="200" height="200" fill="red" mask="url(https://leaking.via/svg-mask)" />
</svg>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xmlns:xlink="http://www.w3.org/1999/xlink">
<set attributeName="xlink:href" begin="0s" to="https://leaking.via/svg-image-set" />
</image>
</svg>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xmlns:xlink="http://www.w3.org/1999/xlink">
<animate attributeName="xlink:href" begin="0s" from="#" to="https://leaking.via/svg-image-animate" />
</image>
</svg>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<feImage xlink:href="https://leaking.via/svg-feimage" />
</svg>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href="https://leaking.via/svg-a-text/"><text transform="translate(0,20)">CLICKME</text></a>
</svg>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<rect cursor="url(https://leaking.via/svg-cursor),auto" />
</svg>
<svg>
<font-face-uri xlink:href="https://leaking.via/svg-font-face-uri" />
</svg>
<!--
%XSLT Stylesheets
-->
<?xml-stylesheet type="text/xsl" href="https://leaking.via/xslt-stylesheet" ?>
<!--
%Data Islands
-->
<xml src="https://leaking.via/xml-src" id="xml"></xml>
<div datasrc="#xml" datafld="$text" dataformatas="html"></div>
<script language="xml">
<!DOCTYPE html SYSTEM "https://leaking.via/script-doctype">
</script>
<xml>
<!DOCTYPE html SYSTEM "https://leaking.via/xml-doctype">
</xml>
<!--
%VML
-->
<line xmlns="urn:schemas-microsoft-com:vml" style="behavior:url(#default#vml)">
<fill style="behavior:url(#default#vml)" src="https://leaking.via/vml-line-fill-src" />
<stroke style="behavior:url(#default#vml)" src="https://leaking.via/vml-line-stroke-src" />
<imageData style="behavior:url(#default#vml)" src="https://leaking.via/vml-line-imgdata-src" />
</line>
<vmlframe
xmlns="urn:schemas-microsoft-com:vml"
style="behavior:url(#default#vml);position:absolute;width:100%;height:100%"
src="https://leaking.via/vmlframe-src#xss">
</vmlframe>
<line xmlns="urn:schemas-microsoft-com:vml" style="behavior:url(#default#vml)">
<imageData style="behavior:url(#default#vml)" o:href="https://leaking.via/vml-line-imgdata-href" />
</line>
<!--
%MathML
-->
<math xlink:href="https://leaking.via/mathml-math">CLICKME</math>
<math><mi xlink:href="https://leaking.via/mathml-mi">CLICKME</mi></math>
</body>
</html>
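As an added example (not part of the HTTPLeaks project), the Python scanner below walks an HTML body using the vector classes catalogued above: URL-bearing attributes, inline and embedded CSS including hex-escaped url(), data: and srcdoc payloads that wrap further markup, javascript: and view-source: frame sources, and the DOCTYPE system identifier, and reports each request target that leaves an allowed host. The attribute table, the LeakFinder/find_leaks names and the sample mail body are assumptions constructed for this example; it is a triage aid for mail templates or proxy rewrite rules, not a complete sanitizer.

```python
"""Enumerate external-request vectors in an HTML body along the vector classes catalogued
in leak.html above. Added example, not HTTPLeaks code; the attribute table is an assumption."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Attributes whose value a browser may fetch (a single URL or a list: srcset, ping).
URL_ATTRS = {"href", "src", "srcset", "imagesrcset", "lowsrc", "dynsrc", "poster",
             "background", "action", "formaction", "ping", "data", "codebase",
             "archive", "object", "movie", "manifest", "profile", "longdesc",
             "icon", "xlink:href", "o:href", "implementation", "to"}  # SVG <set to=>
MARKUP_ATTRS = {"srcdoc", "content"}  # may carry nested HTML (meta reading-view trick)

def _is_external(url, allowed_host):
    try: p = urlparse("https:" + url if url.startswith("//") else url)
    except ValueError: return False  # malformed IPv6 literal
    return p.scheme in ("http", "https") and p.hostname not in (None, allowed_host)

class LeakFinder(HTMLParser):
    def __init__(self, allowed_host):
        super().__init__(convert_charrefs=True)
        self.allowed, self.findings, self._tag = allowed_host, [], None
    def _urls(self, where, text):
        head = text.lstrip().lower()
        if head.startswith(("javascript:", "view-source:")):  # report, never evaluate
            self.findings.append((where, text.strip()))
        # Split lists and key=value pairs (srcset, ping, "10; url=", polling-uri=).
        for tok in (t.strip("'\"<>") for t in re.split(r"[\s,;=]+", text)):
            if tok and _is_external(tok, self.allowed):
                self.findings.append((where, tok))
        if head.startswith("data:"):
            self._nested(where, unquote(text))  # a data: URL may wrap %-encoded markup
    def _nested(self, where, markup):  # re-scan embedded markup with the same rules
        sub = LeakFinder(self.allowed)
        sub.feed(markup)
        self.findings += [(f"{where}>{w}", u) for w, u in sub.findings]
    def _css(self, where, css):  # undo hex escapes ("\75 \72 \6C (" is url( again), drop punctuation
        css = re.sub(r"\\([0-9a-fA-F]{1,6})\s?", lambda m: chr(int(m.group(1), 16)), css)
        self._urls(where, re.sub(r"""[()'"]""", " ", css))
    def handle_starttag(self, tag, attrs):
        self._tag = tag
        for name, value in attrs:
            value, where = value or "", f"{tag}[{name}]"
            if name == "style":
                self._css(where, value)
            elif name in MARKUP_ATTRS and "<" in value:
                self._nested(where, value)
            elif name in URL_ATTRS | MARKUP_ATTRS or (tag, name) == ("param", "value"):
                self._urls(where, value)
    def handle_endtag(self, tag): self._tag = None
    def handle_data(self, data):  # <style>/<script> bodies: url(), @import, sourceMappingURL=
        if self._tag in ("style", "script"): self._css(self._tag, data)
    def handle_decl(self, decl): self._urls("doctype", decl)  # <!DOCTYPE x SYSTEM "url">

def find_leaks(html, allowed_host):  # -> [(location, url)] for targets off allowed_host
    (finder := LeakFinder(allowed_host)).feed(html)
    return finder.findings

# Constructed sample: a mail body served from mail.example, mixing benign and leaking vectors.
SAMPLE = r"""<!DOCTYPE html SYSTEM "https://leaking.via/doctype"><html><head><meta http-equiv="refresh" content="10; url=https://leaking.via/meta-refresh">
<link rel="stylesheet" href="https://mail.example/styles.css"><style>p { background-image: \75 \72 \6C (https://leaking.via/css-escape-url-1); }</style>
</head><body><a ping="https://leaking.via/a-ping" href="#">click</a>
<img src="data:image/svg+xml,<svg%20xmlns='%68ttp:%2f/www.w3.org/2000/svg'><image%20href='%68ttps:%2f/leaking.via/svg-via-data'/></svg>">
<iframe srcdoc="<img src=https://leaking.via/iframe-srcdoc-img-src>"></iframe><p style="cursor: url(/local.cur), auto">hello</p></body></html>"""
```

Running find_leaks(SAMPLE, "mail.example") reports the doctype, meta refresh, escaped CSS url(), ping, the image hidden inside the percent-encoded data: SVG and the srcdoc image, while the same-host stylesheet and the relative cursor URL stay silent.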
Telegram group: https://t.me/hackingteamelrinconoscuro
YouTube channel: https://www.youtube.com/channel/UCXy8Lg28OuGuI5Z-2EWJaNA?view_as=subscriber
Vimeo channel: https://vimeo.com/403136547?activityReferer=1
Twitter: https://twitter.com/HackingTeam1?s=09
Website: https://elrincondehackingteam.blogspot.com/