CSP bypass: self + 'unsafe-inline' with Iframes
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Mkonfigu kama:
Prohibits usage of any functions that execute code transmitted as a string. For example: eval, setTimeout, setInterval
will all be blocked because of the setting unsafe-eval
Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS
Inabainika kwamba vivinjari vya kisasa vinabadilisha picha na maandiko kuwa HTML ili kuboresha uonyeshaji wao (kwa mfano: kuweka mandharinyuma, kuzingatia, n.k.). Kwa hivyo, ikiwa picha au faili ya maandiko, kama favicon.ico
au robots.txt
, inafunguliwa kupitia iframe
, inatolewa kama HTML. Kwa kuzingatia, kurasa hizi mara nyingi hazina vichwa vya CSP na zinaweza kutokuwepo na X-Frame-Options, na hivyo kuruhusu utekelezaji wa JavaScript isiyo na mpangilio kutoka kwao:
Vivyo hivyo, majibu ya makosa, kama vile faili za maandiko au picha, kwa kawaida yanakuja bila vichwa vya CSP na yanaweza kukosa X-Frame-Options. Makosa yanaweza kusababisha kupakia ndani ya iframe, kuruhusu hatua zifuatazo:
Baada ya kuanzisha mojawapo ya hali zilizotajwa, utekelezaji wa JavaScript ndani ya iframe unaweza kupatikana kama ifuatavyo:
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)