Bypassing CSP is not enough to gain your XSS

-
Is it enough to bypass CSP to gain XSS?

A friend ask me to help him with a XSS to bypass the CSP, first look on the CSP


its okay we can bypass it using a JSONP in domains that the target trust like (google.com, cdnjs.cloudflare.com) and this bypass the CSP is that easy? let's see.

The JSONP in (google.com) which we will use in our POC will be in the following screenshot


and our payload will be

(<script src='https://www.google.com/complete/search?client=chrome&q=XSS&callback=alert'></script>)

But we faced another issue our payload is reflected in a JSON page but with Content-Type is HTML so there is an issue the Back slashes, can you know the issue from the screenshot?


if you didn't know the issue, you can see the following screenshot




the backslash will be a slash and google can't hamdle double slashes and give an error, so how can we solve this? I tried to use iframe tag with src attribute but the CSP is blocking me, but I could bypass it using (srcdoc) attribute in iframe tag but notice that we will use single quotes not double. If we used (srcdoc) attribute it will give use some features will help us like handling the Encoding values like the following


I used the script tag but encoded in the (srcdoc) attribute in iframe tag the tag will handle it and execute the payload, don't forget to encode it with URL-Encoding to avoid any breaks in your payload because of ( & ) which used to start a new parameter.

The result of our payload now


This is our POC, what about if we wanna add my own JS code not just a POC? we can use the angularJS using this domain (https://cdnjs.cloudflare.com/) which is trusted in our CSP, we can include a vulnerable angularJS and add our payload like this


and this is it, thank you for reading.

Comments

  1. UnknownNovember 23, 2021 at 5:21 AM

    Great Blog Keep Going

    ReplyDelete
  2. varintacheMarch 3, 2022 at 9:22 AM

    Harrah's Cherokee Casino - JT Hub
    Harrah's Cherokee Casino is located in Murphy, NC. The casino is owned 강원도 출장마사지 by 강원도 출장마사지 the 경기도 출장안마 Eastern Band of Cherokee Indians. The 아산 출장안마 casino is open daily 24 의왕 출장안마 hours.

    ReplyDelete

Post a Comment

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we...
Read more

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) It was a nice CTF, I got 2nd place with my guys: Hissien Misbah ( Twitter ) Mohamed Bebo ( Linkedin ) Sameh ( Linkedin ) Osama Zidan ( Linkedin ) A picture during solving this challenge in the last 5m of the CTF (thinking that we got 1st place). Let's walk through the Web Challenge Hot Proxy, note that we did not solve it during the time of the CTF it was a minute way, let's start. Note: there is no source code in the challenge attachment, I requested it from the author ( @serWazito0 ) thanks to him, challenges files ( ASCWG_2024_CTF ). Note: the flag file in the server and called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know that there is an "SSRF" vulnerability in this challenge and from the description, we know that there is an internal application called "app1" with a route called "/secret" so our target is to access...
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything...
Read more