0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

Add new CSP bypasses through third-parties

This commit is contained in:
Felipe Molina 2023-10-26 18:30:16 +01:00
parent 548aed19f8
commit 306481ac24
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pentesting-web/content-security-policy-csp-bypass/README.md
View File

@ -288,7 +288,7 @@ https://www.youtube.com/oembed?callback=alert;
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
### Third Party Abuses
As described in the (following post)[https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses], there are many third party domains, that might be allowed somewhere in the CSP, can be abused to either exfiltrate data or execute JavaScript code. Some of these third-parties are:
As described in the [following post](https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses), there are many third party domains, that might be allowed somewhere in the CSP, can be abused to either exfiltrate data or execute JavaScript code. Some of these third-parties are:
| Entity | Allowed Domain | Capabilities |
|--------|----------------|--------------|
@ -315,7 +315,7 @@ or
Content-Security-Policy: connect-src www.facebook.com;
```
You should be able to exfiltrate data, similarly as it has always be done with (Google Analytics)[https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp]/(Google Tag Manager)[https://blog.deteact.com/csp-bypass/]. In this case, you follow these general steps:
You should be able to exfiltrate data, similarly as it has always be done with [Google Analytics](https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp)/[Google Tag Manager](https://blog.deteact.com/csp-bypass/). In this case, you follow these general steps:
1. Create a Facebook Developer account here.
1. Create a new "Facebook Login" app and select "Website".
@ -332,7 +332,7 @@ fbq('trackCustom', 'My-Custom-Event',{
});
```
As for the other seven third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously (blog post)[https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses] for additional explanations about other third-party abuses.
As for the other seven third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously [blog post](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses) for additional explanations about other third-party abuses.
### Folder path bypass