Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

form-action Content-Security-Policy Bypass And Other Tactics For Dealing With The CSP- 1595

ruben - nzrt 48, posted 1 year ago
  • The Content Security Policy (CSP) is a browser-based protection against XSS. In many ways it does kill XSS, but this post is about bypassing CSPs using forms.
  • default-src is the fallback directive in the CSP. Unfortunately, it doesn't cover several directives, such as form-action.
  • By creating a form that does not have a closing tag, it's possible to have the form swallow a bunch of sensitive page content and include it in the submission. Additionally, the form can be made to take up the entire page using CSS, so a single click does the submission. Although this can't read JavaScript variables, it can be used for data exfiltration.
  • An additional method is abusing autofill in browsers. By making the form look like a login form, many password managers will autofill the inputs. If the form is the whole page and the page is clicked on, the credentials are then submitted to the attacker.
  • Even with the form-action directive in the CSP set to 'self', there are still some issues. First, same-site request forgery is possible when using form-based auth. Dangling markup attacks are another option as well.
  • There's a bunch of good tricks in this article for using forms to get around CSPs. Pretty neat!
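The first two bullets above carry the defensive takeaway: default-src is not a fallback for form-action, so a policy can look strict and still let forms post anywhere. The following Python checker is an added example (not code from the linked post or from its author) that parses a CSP header and reports whether form-action is present and restricted; the sample policies, the function names and the set of non-fallback directives it lists are my own choices, with the directive set taken from the CSP specification rather than from the page.

```python
# Added example, not code from the linked post: a small checker that parses a
# Content-Security-Policy header and reports whether form-action is restricted.
# The point from the summary above: default-src is only a fallback for fetch
# directives, so a policy can set default-src 'self' and still let forms post
# to any origin unless form-action is set explicitly.

# Directives that never fall back to default-src (per the CSP spec).
NO_DEFAULT_SRC_FALLBACK = {
    "form-action", "frame-ancestors", "base-uri", "sandbox", "report-uri", "report-to",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';'; a repeated directive is ignored, matching
    browser behaviour where the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def check_form_action(header: str) -> list[str]:
    """Return findings about form submission targets; an empty list means
    form-action is present and limited to 'self', 'none' or explicit origins."""
    policy = parse_csp(header)
    findings: list[str] = []
    if "form-action" not in policy:
        fallback = "default-src" in policy
        findings.append(
            "form-action is absent"
            + (" (default-src is set but is not a fallback for it)" if fallback else "")
            + ": forms may be submitted to any origin"
        )
        return findings
    for src in policy["form-action"]:
        low = src.lower()
        if low == "*":
            findings.append("form-action allows any origin ('*')")
        elif low in ("http:", "https:"):
            findings.append(f"form-action allows any {low} origin")
    return findings


def missing_directives(header: str) -> list[str]:
    """List the non-fallback directives that a policy relying on default-src
    does not actually cover."""
    policy = parse_csp(header)
    return sorted(d for d in NO_DEFAULT_SRC_FALLBACK if d not in policy)


# Constructed sample policies (not taken from the page).
WEAK_POLICY = "default-src 'self'; script-src 'self' 'nonce-abc123'"
FIXED_POLICY = WEAK_POLICY + "; form-action 'self'"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(label, check_form_action(hdr) or ["ok"], missing_directives(hdr))
```

An empty result from check_form_action only means the directive is present and not wide open; as the last bullets note, form-action 'self' still leaves same-site forgery and dangling markup to deal with, so the checker is a lint for the missing-directive mistake, not a proof that forms are safe.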