Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

How to trick CSP in letting you run whatever you want - 1227

bo0om - Wallarm Research, posted 2 years ago
  • The Content Security Policy (CSP) restricts what a web page is allowed to do. It is useful as defense in depth against issues like XSS, as well as against framing; both the origin and the type of loaded resources can be restricted. In this case, the author had an arbitrary file upload bug but couldn't exploit it because the CSP did not allow unsafe-inline.
  • Modern browsers will render a response as HTML as long as its Content-Type lines up, regardless of what the file looks like. This includes uploaded images, CSS files and more. If we can load such data into an iFrame, the browser renders it as a page for us. A lot of the time the CSP is conditional, applied only to some responses; by loading an odd-looking file that is served without the policy into an iFrame, we can bypass the CSP. This works with weird-looking images or JS files.
  • The solution? Send the CSP header on every response, not just the HTML pages. This will gunk things up, which is annoying though.
  • The final payload is confusing to me though; it uses JavaScript to create an iFrame on the page to bypass the CSP. If you can already execute JS, then why do you need to bypass the CSP? Regardless, it's an interesting CSP bypass technique: put stuff in iFrames that is not meant to be in iFrames.
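As an added example (mine, not the article's or Wallarm's code), here is the weak pattern from the notes above and the fix side by side as tiny WSGI apps: the page route carries a CSP header but uploaded files come back without one, and a middleware stamps the policy on every response. The policy string, the upload path and the "image" that is really HTML are all constructed for the demo.

```python
from wsgiref.util import setup_testing_defaults

CSP = "default-src 'self'"  # hypothetical policy string (constructed)

# Constructed "upload store": a file named like an image but served as HTML,
# the kind of Content-Type mismatch the note above describes.
UPLOADS = {
    "/uploads/avatar.png": (b"<html>not really an image</html>", "text/html"),
}

def weak_app(environ, start_response):
    """Weak pattern: CSP is set only on the HTML page route; uploads get none."""
    path = environ["PATH_INFO"]
    if path == "/":
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Security-Policy", CSP)])
        return [b"<html>page</html>"]
    if path in UPLOADS:
        body, ctype = UPLOADS[path]
        start_response("200 OK", [("Content-Type", ctype)])  # no CSP here
        return [body]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def csp_everywhere(inner):
    """Fix: middleware that adds the CSP header to every response lacking one."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            if not any(k.lower() == "content-security-policy" for k, _ in headers):
                headers = headers + [("Content-Security-Policy", CSP)]
            return start_response(status, headers, exc_info)
        return inner(environ, sr)
    return wrapped

def fetch(wsgi_app, path):
    """Call a WSGI app in-process; return (status, lower-cased headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body

def responses_missing_csp(wsgi_app, paths):
    """Audit check: which paths come back without a Content-Security-Policy?"""
    return [p for p in paths if "content-security-policy" not in fetch(wsgi_app, p)[1]]
```

Calling `responses_missing_csp(weak_app, ["/", "/uploads/avatar.png"])` flags the upload path; wrapping the app with `csp_everywhere` makes the same audit come back empty.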