Bypassing CSP is not enough to gain your XSS
Is it enough to bypass CSP to gain XSS?
its okay we can bypass it using a JSONP in domains that the target trust like (google.com, cdnjs.cloudflare.com) and this bypass the CSP is that easy? let's see.
and our payload will be
(<script src='https://www.google.com/complete/search?client=chrome&q=XSS&callback=alert'></script>)
if you didn't know the issue, you can see the following screenshot
the backslash will be a slash and google can't hamdle double slashes and give an error, so how can we solve this? I tried to use iframe tag with src attribute but the CSP is blocking me, but I could bypass it using (srcdoc) attribute in iframe tag but notice that we will use single quotes not double. If we used (srcdoc) attribute it will give use some features will help us like handling the Encoding values like the following
I used the script tag but encoded in the (srcdoc) attribute in iframe tag the tag will handle it and execute the payload, don't forget to encode it with URL-Encoding to avoid any breaks in your payload because of ( & ) which used to start a new parameter.
and this is it, thank you for reading.
A friend ask me to help him with a XSS to bypass the CSP, first look on the CSP
its okay we can bypass it using a JSONP in domains that the target trust like (google.com, cdnjs.cloudflare.com) and this bypass the CSP is that easy? let's see.
The JSONP in (google.com) which we will use in our POC will be in the following screenshot
and our payload will be
(<script src='https://www.google.com/complete/search?client=chrome&q=XSS&callback=alert'></script>)
But we faced another issue our payload is reflected in a JSON page but with Content-Type is HTML so there is an issue the Back slashes, can you know the issue from the screenshot?
if you didn't know the issue, you can see the following screenshot
the backslash will be a slash and google can't hamdle double slashes and give an error, so how can we solve this? I tried to use iframe tag with src attribute but the CSP is blocking me, but I could bypass it using (srcdoc) attribute in iframe tag but notice that we will use single quotes not double. If we used (srcdoc) attribute it will give use some features will help us like handling the Encoding values like the following
I used the script tag but encoded in the (srcdoc) attribute in iframe tag the tag will handle it and execute the payload, don't forget to encode it with URL-Encoding to avoid any breaks in your payload because of ( & ) which used to start a new parameter.
The result of our payload now
 |
This is our POC, what about if we wanna add my own JS code not just a POC? we can use the angularJS using this domain (https://cdnjs.cloudflare.com/) which is trusted in our CSP, we can include a vulnerable angularJS and add our payload like this
and this is it, thank you for reading.
Great Blog Keep Going
ReplyDeleteHarrah's Cherokee Casino - JT Hub
ReplyDeleteHarrah's Cherokee Casino is located in Murphy, NC. The casino is owned 강원도 출장마사지 by 강원도 출장마사지 the 경기도 출장안마 Eastern Band of Cherokee Indians. The 아산 출장안마 casino is open daily 24 의왕 출장안마 hours.