Content Security Policy Writeup
https://tryhackme.com/room/csp
Last updated
Was this helpful?
https://tryhackme.com/room/csp
Last updated
Was this helpful?
The alternative way is using data:;base64,iVBORw0KGgo...
CDN is way too generous. They're not only providing dependence for your website also for the hackers. When setting up the script-src directive and its sources, you should pay special attention to what you're allowing to load. If you're loading a script from an external source such as a CDN, make sure you're specifying the full URL of the script or a nonce/SHA hash of it and not just the hostname where it's hosted at, unless you're 100% sure no scripts that could be used to bypass your policy are hosted there. For example, if you're including jQuery from cdnjs on your website, you should include the full URL of the script script-src cdnjs.cloudflare.com/ajax/.../jquery.min.js or the SHA256 hash in your policy. Most CDNs allow you to get the script hash somewhere on their site.
'self' can be problematic if you host JSONP, Angular or user-uploaded files.
This one is the hardest and the best.
1. The 404 pages will show up whatever you put in. means this one match can be problematic if you host JSONP, Angular or user uploaded files.
2. Need to understand how script-src 'self'; works. It means something like ip:3008/defend-1.js will be executed.
3. Then try to close the tag with '. <script src="/'; alert(1); '"></script> alert should just work.
4. What to do after the fetch, window.open and document.location is blocked by CSP? The answer is media-src new Audio
5. Use relative path for the 404 pages, also a browser won't block your input for Phishing
script-src 'self';
script-src 'nonce-ae3b00';
After checking
media-src specifies the URLs from which video, audio and text track resources can be loaded from. Checking
to generate the hash for that inline javascript. script-src 'sha256-8gQ3l0jVGr5ZXaOeym+1jciekP8wsfNgpZImdHthDRo='