mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-28 23:51:29 +00:00
GITBOOK-3790: No subject
parent
5d64cb46c6
commit
051dd65e8b
2 changed files with 23 additions and 1 deletions
|
@ -90,7 +90,7 @@ object-src 'none';
|
||||||
* **unsafe-inline**: This allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Again this is not recommended for security reasons.
|
* **unsafe-inline**: This allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Again this is not recommended for security reasons.
|
||||||
* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy.
|
* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy.
|
||||||
* **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash
|
* **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash
|
||||||
* **strict-dynamic**:
|
* **strict-dynamic**: It allows the browser to load and execute new JavaScript tags in the DOM from any script source that has previously been whitelisted by a "nonce" or "hash" value.
|
||||||
* **host**: Indicate a host such as example.com
|
* **host**: Indicate a host such as example.com
|
||||||
|
|
||||||
## Unsafe CSP Rules
|
## Unsafe CSP Rules
|
||||||
|
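Review bot: the new **strict-dynamic** bullet is worded so that the allowlisted source itself seems to be what gets loaded ("load and execute new JavaScript tags in the DOM from any script source that has previously been whitelisted"). Suggest phrasing it as trust propagation: a script already allowed by a "nonce" or "hash" value may add further script tags to the DOM, and those are allowed to run. Because this list sits directly above "## Unsafe CSP Rules", the bullet could also say that this propagation is why the keyword needs care. While touching this list, the unchanged neighbour "Whitelist scripts with an specific sha256 hash" should read "a specific", and the **unsafe-inline** bullet lists "inline elements" twice.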
@ -121,6 +121,10 @@ Working payload:
|
||||||
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
|
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### strict-dynamic
|
||||||
|
|
||||||
|
If you can somehow make an **allowed JS code created a new script tag** in the DOM with your JS code, because an allowed script is creating it, the **new script tag will be allowed to be executed**.
|
||||||
|
|
||||||
### Wildcard (\*)
|
### Wildcard (\*)
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
|
|
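Review bot: the sentence added under "### strict-dynamic" is ungrammatical ("make an **allowed JS code created a new script tag**") and leaves its precondition at "somehow". Suggest something like "If an allowed script can be made to create a new script tag in the DOM, the new tag is allowed to execute because an allowed script created it", and name what the allowed script has to be doing for that to happen. The "### Wildcard (\*)" section that follows opens with a policy block, but this section shows no policy, so the reader cannot tell which script-src value it applies to; add the policy line the text refers to.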
@ -141,6 +141,24 @@ alert(document.querySelector('.x'))
|
||||||
</script>
|
</script>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Clobbering Forms
|
||||||
|
|
||||||
|
It's possible to add **new entries inside a form** just by **specifying the `form` attribute** inside some tags. You can use this to **add new values inside a form** and to even add a new **button** to **send it** (clickjacking or abusing some `.click()` JS code):
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```html
|
||||||
|
<!--Add a new attribute and a new button to send-->
|
||||||
|
<textarea form=id-other-form name=info>
|
||||||
|
";alert(1);//
|
||||||
|
</textarea>
|
||||||
|
<button form=id-other-form type="submit" formaction="/edit" formmethod="post">
|
||||||
|
Click to send!
|
||||||
|
</button>
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
* For more form attributes in [**button check this**](https://www.w3schools.com/tags/tag\_button.asp)**.**
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
|
* [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
|
||||||
|
|
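Review bot: the textarea body `";alert(1);//` in the new "### Clobbering Forms" example is never explained. The paragraph only talks about adding new entries and a button to another form through the `form` attribute, while that value presupposes the `info` field is later placed into a JavaScript string, which the text does not say. Either state that assumption or use a neutral value so the example demonstrates only the `form` attribute association. The HTML comment says "Add a new attribute" where the text says new entries or values, so "Add a new field" would match. Attribute quoting is mixed (`form=id-other-form name=info` next to `type="submit"`); quote them consistently. The trailing bullet ends in `**.**` and reads awkwardly ("For more form attributes in button check this"), and no entry was added under "## References" for this technique.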