GITBOOK-3790: No subject

This commit is contained in:
CPol 2023-02-20 09:58:12 +00:00 committed by gitbook-bot
parent 5d64cb46c6
commit 051dd65e8b
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 23 additions and 1 deletions

View file

@ -90,7 +90,7 @@ object-src 'none';
* **unsafe-inline**: This allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Again this is not recommended for security reasons.
* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy.
* **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash
* **strict-dynamic**:
* **strict-dynamic**: It allows the browser to load and execute new JavaScript tags in the DOM from any script source that has previously been whitelisted by a "nonce" or "hash" value.
* **host**: Indicate a host such as example.com
## Unsafe CSP Rules
@ -121,6 +121,10 @@ Working payload:
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
```
### strict-dynamic
If you can somehow make an **allowed JS code created a new script tag** in the DOM with your JS code, because an allowed script is creating it, the **new script tag will be allowed to be executed**.
### Wildcard (\*)
```yaml

View file

@ -141,6 +141,24 @@ alert(document.querySelector('.x'))
</script>
```
### Clobbering Forms
It's possible to add **new entries inside a form** just by **specifying the `form` attribute** inside some tags. You can use this to **add new values inside a form** and to even add a new **button** to **send it** (clickjacking or abusing some `.click()` JS code):
{% code overflow="wrap" %}
```html
<!--Add a new attribute and a new button to send-->
<textarea form=id-other-form name=info>
";alert(1);//
</textarea>
<button form=id-other-form type="submit" formaction="/edit" formmethod="post">
Click to send!
</button>
```
{% endcode %}
* For more form attributes in [**button check this**](https://www.w3schools.com/tags/tag\_button.asp)**.**
## References
* [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)