SlideShare une entreprise Scribd logo

Ebrahem Hegazy - Bug hunters manual for bypassing Content-Security-Policy

Télécharger en tant que PPTX, PDF
Hacken_Ecosystem
Hacken_Ecosystem

HackIT is an annual cybersecurity conference that gathers the best technical researchers and top players in the cybersecurity industry to explore cutting-edge technologies together. In 2018, HackIT focused on the use of blockchain technology. Join our community: Website - https://hacken.live/hackit-slideshare Twitter - https://hacken.live/twitter_hackit Facebook - https://hacken.live/facebook_hackit Instagram - https://hacken.live/instagram_hackit Reddit - https://hacken.live/reddit Telegram community - https://hacken.live/tg-hackit #hackit #cybersecurity #blockchain #hacking

Technologie
1  sur  26
Bypassing CSP Automated discovery of JSONP endpoints. HackIT 4.0, Kyiv
HackIT 4.0, Kyiv Agenda 1. Root@localhost:~# whoami 2. Intro on how browsers handle the client to server request <-> response; 2. Cross-site scripting in a nutshell; 3. What is CSP, why we need it, and how it works?; 4. Techniques for bypassing CSP restrictions; 5. Payloads to bypass CSP for Uber, Yahoo, Paypal, and more; 6. Let's automate all the things (demo for JSONBEE);
Your Photo Name: Ebrahem HegazyCompany: Deloitte Position: Senior Consultant Company logohttps://www.linkedin.com/in/ebrahimhegazy facebook.com/me Ehegazy@Deloitte.nl HackIT 4.0, Kyiv
HackIT 4.0, Kyiv Intro on how browsers handle requests 1. HTTP protocol; 2. Browsers have to respect the response headers; 3. Rendering / Lay-out engines. Gecko Blink EdgeHTM L Obama won the elections!
HackIT 4.0, Kyiv Cross-site scripting (XSS) in a nutshell XSS occurs when a user input is being echoed back into the page response without validation. Cross-site scripting could be used to perform actions on behalf of application users, such as: • Accounts takeover, by stealing user’s cookies • Phishing attacks • Defacements
HackIT 4.0, Kyiv How XSS could be mitigated? Mitigation of XSS depends on where the user input is being reflected. However, below are some general methods to prevent XSS. 1. URL & HTML encoding, but what about: 1. Writing user input to EventHandlers (i.e. onmouseover); 2. Writing user input to JavaScript (i.e. setInterval); 3. Writing user input to CSS  <style> tags 2. Restricting user input type 1. You have to apply it application wide! 2. Newly developed code? 3. HTTP header (X-XSS-Protection) 1. Not supported on all browsers Image from OWASP
HackIT 4.0, Kyiv Question What would you do if your company application is vulnerable to 1337 XSS, and it is in production already?
HackIT 4.0, Kyiv What is CSP, why we need it? Content Security Policy (CSP) is a security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website. #WikiPedia
HackIT 4.0, Kyiv Real-life demo
HackIT 4.0, Kyiv How CSP works? Although that your XSS payload is being reflected inside the page un-sanatized, it is still not getting executed! Quoted from ‘Sebastian Lekies’ talk at Blackhat.
Techniques for bypassing CSP restrictions • There are lots of ways to bypass CSP restrictions, such as: • CSP misconfigurations; • Unsafe-eval & Unsafe-inline; • Internet Explorer; • File upload; • JSONP. HackIT 4.0, Kyiv
HackIT 4.0, Kyiv CSP misconfigurations Content security policy could be misconfigured in a way that it would still allow for XSS attacks. Example: 1. Setting CSP for JavaScript only but missing the CSS  h1:after{content:”Hacked!”;} 2. Trusting wide domains (I.e. *.cloudfront.net, *.herokuapp.com) 3. Missing “base-uri”, which could be exploited to set the base URL for all relative (script) URLs to an attacker controlled domain. #<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body> 4. Trusting ‘self’ only, but hosting jsonp and file upload. 5. Setting script-src directive value to *
HackIT 4.0, Kyiv Unsafe-eval & Unsafe-inline Unsafe-eval: Allows unsafe dynamic code evaluation such as: eval() Function() When passing a string literal like to methods like: window.setTimeout window.setInterval window.setImmediate Unsafe-inline: Allows use of inline source elements such as style attribute, onclick, or script tag bodies, and “javascript:” URIs https://www.site.com/pages/search.php?term=x’;alert(1);// <script> jscode…. term=‘x’;alert(1)// ….jscode</script>
HackIT 4.0, Kyiv Internet Explorer Doesn’t honor CSP! CSP is not supported for MSIE. MSIE only supports the old X-Content-Security-Policy header, which is a deprecated header.
HackIT 4.0, Kyiv File upload Doesn’t matter if you write your JavaScript code inside image or else, browsers will still treat it based on the tag you are using to call it! Quoted from brute logic
HackIT 4.0, Kyiv JSONP JSONP is a method for sending JSON data without worrying about cross-domain issues. Wait, What about SOP (Same-origin policy). Before: http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=jsonp1 After: http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=confirm(1);//jsonp1
HackIT 4.0, Kyiv CSP evaluators Google CSP evaluator is a great tool to help you audit your CSP policy and tells you the misconfigurations and possible bypasses. https://csp-evaluator.withgoogle.com/ Also Burp have a very nice Plugins “CSP-Auditor” and “CSP-Bypass” that helps you find the CSP weaknesses during your bug hunting.
HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP • Facebook.com: • "><script+src="https://accounts.google.com/o/oauth2/revoke?callback=alert()"></script> • "><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=confirm()"></scrip t>
HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP • AOL: AOL CSP policy is set to "Content-Security-Policy-Report-Only", which means it is set to work in a monitor mode only. No enforcing, thus using the report-uri directive.
HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP • Uber.com: "><script src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script> //POC by Efkan.
HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP
HackIT 4.0, Kyiv Automating JSONP searching (JSONBEE) JSONBEE is created to automate the process of finding a JSONP endpoint within the “script-src” sites scope. Thus, allowing for fast way of bypassing content security policy. Google CSP evaluator (https://csp-evaluator.withgoogle.com) is a great tool. JSONBEE doesn’t replace it, but completes its job. JSONBEE could be found at: https://github.com/zigoo0 JSONBEE finds JSONP endpoints via 3 main sources: • Github project “JSONBEE” repo; • Google dorks - eleminating false positives by validating the content-type of the pages response; • The internet archive website.
HackIT 4.0, Kyiv Demo for JSONBEE
HackIT 4.0, Kyiv Useful references • Content security policy official website: • http://content-security-policy.com • Google CSP evaluator: • https://csp-evaluator.withgoogle.com/ • https://blog.thomasorlita.cz/vulns/google-csp-evaluator/ • H5SC Minichallenge + solutions: • https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22 • Using Google Analytics for data extraction: • https://labs.detectify.com/2018/01/19/google-analytics-data-extraction/ • Neatly bypassing CSP: • https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa • Bypass CSP by Abusing XSS Filter in Edge: • https://medium.com/bugbountywriteup/bypass-csp-by-abusing-xss-filter-in-edge-43e9106a9754 • Bypassing Content-Security-Policy with DNS prefetching: • https://blog.compass-security.com/2016/10/bypassing-content-security-policy-with-dns-prefetching/ • Data Exfiltration in the Face of CSP: • http://www.cse.chalmers.se/research/group/security/pdf/data-exfiltration-in-the-face-of-csp.pdf • Bypassing CSP using polyglot JPEGs: • https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs
HackIT 4.0, Kyiv Thank you!

Recommandé

Peter Todd - Hardware Wallets - Threats and Vulnerabilities
Peter Todd - Hardware Wallets - Threats and VulnerabilitiesPeter Todd - Hardware Wallets - Threats and Vulnerabilities
Peter Todd - Hardware Wallets - Threats and Vulnerabilities
Hacken_Ecosystem
 
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT TechniquesSeyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Hacken_Ecosystem
 
Walter Belgers - Lockpicking and IT security
Walter Belgers - Lockpicking and IT securityWalter Belgers - Lockpicking and IT security
Walter Belgers - Lockpicking and IT security
Hacken_Ecosystem
 
Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?
Hacken_Ecosystem
 
Tomi Wen - The Blockchain Built for Real World Apps
Tomi Wen - The Blockchain Built for Real World AppsTomi Wen - The Blockchain Built for Real World Apps
Tomi Wen - The Blockchain Built for Real World Apps
Hacken_Ecosystem
 
Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?
Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?
Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?
Hacken_Ecosystem
 
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Hacken_Ecosystem
 
Alex Zdrilko - АI and Blockchain in real life application with the highest se...
Alex Zdrilko - АI and Blockchain in real life application with the highest se...Alex Zdrilko - АI and Blockchain in real life application with the highest se...
Alex Zdrilko - АI and Blockchain in real life application with the highest se...
Hacken_Ecosystem
 

Recommandé

Peter Todd - Hardware Wallets - Threats and Vulnerabilities
Peter Todd - Hardware Wallets - Threats and VulnerabilitiesPeter Todd - Hardware Wallets - Threats and Vulnerabilities
Peter Todd - Hardware Wallets - Threats and Vulnerabilities
Hacken_Ecosystem
 
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT TechniquesSeyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Hacken_Ecosystem
 
Walter Belgers - Lockpicking and IT security
Walter Belgers - Lockpicking and IT securityWalter Belgers - Lockpicking and IT security
Walter Belgers - Lockpicking and IT security
Hacken_Ecosystem
 
Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?
Hacken_Ecosystem
 
Tomi Wen - The Blockchain Built for Real World Apps
Tomi Wen - The Blockchain Built for Real World AppsTomi Wen - The Blockchain Built for Real World Apps
Tomi Wen - The Blockchain Built for Real World Apps
Hacken_Ecosystem
 
Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?
Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?
Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?
Hacken_Ecosystem
 
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Hacken_Ecosystem
 
Alex Zdrilko - АI and Blockchain in real life application with the highest se...
Alex Zdrilko - АI and Blockchain in real life application with the highest se...Alex Zdrilko - АI and Blockchain in real life application with the highest se...
Alex Zdrilko - АI and Blockchain in real life application with the highest se...
Hacken_Ecosystem
 
John Graham-Cumming - Helping to build a better Internet
John Graham-Cumming - Helping to build a better InternetJohn Graham-Cumming - Helping to build a better Internet
John Graham-Cumming - Helping to build a better Internet
Hacken_Ecosystem
 
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Hacken_Ecosystem
 
Max Keidun - How to build a Bitcoin exchange and not burn in hell
Max Keidun - How to build a Bitcoin exchange and not burn in hellMax Keidun - How to build a Bitcoin exchange and not burn in hell
Max Keidun - How to build a Bitcoin exchange and not burn in hell
Hacken_Ecosystem
 
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Hacken_Ecosystem
 
Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...
Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...
Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...
Hacken_Ecosystem
 
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Hacken_Ecosystem
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Andrey Devyatkin
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
MIND CTI
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
 

Contenu connexe

Plus de Hacken_Ecosystem

Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Hacken_Ecosystem
 
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Hacken_Ecosystem
 

Plus de Hacken_Ecosystem (6)

John Graham-Cumming - Helping to build a better Internet
John Graham-Cumming - Helping to build a better InternetJohn Graham-Cumming - Helping to build a better Internet
John Graham-Cumming - Helping to build a better Internet
 
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...
 
Max Keidun - How to build a Bitcoin exchange and not burn in hell
Max Keidun - How to build a Bitcoin exchange and not burn in hellMax Keidun - How to build a Bitcoin exchange and not burn in hell
Max Keidun - How to build a Bitcoin exchange and not burn in hell
 
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”
 
Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...
Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...
Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings...
 
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""
 

Dernier

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Dernier (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Ebrahem Hegazy - Bug hunters manual for bypassing Content-Security-Policy

  • 1. Bypassing CSP Automated discovery of JSONP endpoints. HackIT 4.0, Kyiv
  • 2. HackIT 4.0, Kyiv Agenda 1. Root@localhost:~# whoami 2. Intro on how browsers handle the client to server request <-> response; 2. Cross-site scripting in a nutshell; 3. What is CSP, why we need it, and how it works?; 4. Techniques for bypassing CSP restrictions; 5. Payloads to bypass CSP for Uber, Yahoo, Paypal, and more; 6. Let's automate all the things (demo for JSONBEE);
  • 3. Your Photo Name: Ebrahem HegazyCompany: Deloitte Position: Senior Consultant Company logohttps://www.linkedin.com/in/ebrahimhegazy facebook.com/me Ehegazy@Deloitte.nl HackIT 4.0, Kyiv
  • 4. HackIT 4.0, Kyiv Intro on how browsers handle requests 1. HTTP protocol; 2. Browsers have to respect the response headers; 3. Rendering / Lay-out engines. Gecko Blink EdgeHTM L Obama won the elections!
  • 5. HackIT 4.0, Kyiv Cross-site scripting (XSS) in a nutshell XSS occurs when a user input is being echoed back into the page response without validation. Cross-site scripting could be used to perform actions on behalf of application users, such as: • Accounts takeover, by stealing user’s cookies • Phishing attacks • Defacements
  • 6. HackIT 4.0, Kyiv How XSS could be mitigated? Mitigation of XSS depends on where the user input is being reflected. However, below are some general methods to prevent XSS. 1. URL & HTML encoding, but what about: 1. Writing user input to EventHandlers (i.e. onmouseover); 2. Writing user input to JavaScript (i.e. setInterval); 3. Writing user input to CSS  <style> tags 2. Restricting user input type 1. You have to apply it application wide! 2. Newly developed code? 3. HTTP header (X-XSS-Protection) 1. Not supported on all browsers Image from OWASP
  • 7. HackIT 4.0, Kyiv Question What would you do if your company application is vulnerable to 1337 XSS, and it is in production already?
  • 8. HackIT 4.0, Kyiv What is CSP, why we need it? Content Security Policy (CSP) is a security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website. #WikiPedia
  • 10. HackIT 4.0, Kyiv How CSP works? Although that your XSS payload is being reflected inside the page un-sanatized, it is still not getting executed! Quoted from ‘Sebastian Lekies’ talk at Blackhat.
  • 11. Techniques for bypassing CSP restrictions • There are lots of ways to bypass CSP restrictions, such as: • CSP misconfigurations; • Unsafe-eval & Unsafe-inline; • Internet Explorer; • File upload; • JSONP. HackIT 4.0, Kyiv
  • 12. HackIT 4.0, Kyiv CSP misconfigurations Content security policy could be misconfigured in a way that it would still allow for XSS attacks. Example: 1. Setting CSP for JavaScript only but missing the CSS  h1:after{content:”Hacked!”;} 2. Trusting wide domains (I.e. *.cloudfront.net, *.herokuapp.com) 3. Missing “base-uri”, which could be exploited to set the base URL for all relative (script) URLs to an attacker controlled domain. #<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body> 4. Trusting ‘self’ only, but hosting jsonp and file upload. 5. Setting script-src directive value to *
  • 13. HackIT 4.0, Kyiv Unsafe-eval & Unsafe-inline Unsafe-eval: Allows unsafe dynamic code evaluation such as: eval() Function() When passing a string literal like to methods like: window.setTimeout window.setInterval window.setImmediate Unsafe-inline: Allows use of inline source elements such as style attribute, onclick, or script tag bodies, and “javascript:” URIs https://www.site.com/pages/search.php?term=x’;alert(1);// <script> jscode…. term=‘x’;alert(1)// ….jscode</script>
  • 14. HackIT 4.0, Kyiv Internet Explorer Doesn’t honor CSP! CSP is not supported for MSIE. MSIE only supports the old X-Content-Security-Policy header, which is a deprecated header.
  • 15. HackIT 4.0, Kyiv File upload Doesn’t matter if you write your JavaScript code inside image or else, browsers will still treat it based on the tag you are using to call it! Quoted from brute logic
  • 16. HackIT 4.0, Kyiv JSONP JSONP is a method for sending JSON data without worrying about cross-domain issues. Wait, What about SOP (Same-origin policy). Before: http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=jsonp1 After: http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=confirm(1);//jsonp1
  • 17. HackIT 4.0, Kyiv CSP evaluators Google CSP evaluator is a great tool to help you audit your CSP policy and tells you the misconfigurations and possible bypasses. https://csp-evaluator.withgoogle.com/ Also Burp have a very nice Plugins “CSP-Auditor” and “CSP-Bypass” that helps you find the CSP weaknesses during your bug hunting.
  • 18. HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP • Facebook.com: • "><script+src="https://accounts.google.com/o/oauth2/revoke?callback=alert()"></script> • "><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=confirm()"></scrip t>
  • 19. HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP • AOL: AOL CSP policy is set to "Content-Security-Policy-Report-Only", which means it is set to work in a monitor mode only. No enforcing, thus using the report-uri directive.
  • 20. HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP • Uber.com: "><script src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script> //POC by Efkan.
  • 21. HackIT 4.0, Kyiv Payloads to bypass the top BBP sites CSP
  • 22. HackIT 4.0, Kyiv Automating JSONP searching (JSONBEE) JSONBEE is created to automate the process of finding a JSONP endpoint within the “script-src” sites scope. Thus, allowing for fast way of bypassing content security policy. Google CSP evaluator (https://csp-evaluator.withgoogle.com) is a great tool. JSONBEE doesn’t replace it, but completes its job. JSONBEE could be found at: https://github.com/zigoo0 JSONBEE finds JSONP endpoints via 3 main sources: • Github project “JSONBEE” repo; • Google dorks - eleminating false positives by validating the content-type of the pages response; • The internet archive website.
  • 23. HackIT 4.0, Kyiv Demo for JSONBEE
  • 24. HackIT 4.0, Kyiv Useful references • Content security policy official website: • http://content-security-policy.com • Google CSP evaluator: • https://csp-evaluator.withgoogle.com/ • https://blog.thomasorlita.cz/vulns/google-csp-evaluator/ • H5SC Minichallenge + solutions: • https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22 • Using Google Analytics for data extraction: • https://labs.detectify.com/2018/01/19/google-analytics-data-extraction/ • Neatly bypassing CSP: • https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa • Bypass CSP by Abusing XSS Filter in Edge: • https://medium.com/bugbountywriteup/bypass-csp-by-abusing-xss-filter-in-edge-43e9106a9754 • Bypassing Content-Security-Policy with DNS prefetching: • https://blog.compass-security.com/2016/10/bypassing-content-security-policy-with-dns-prefetching/ • Data Exfiltration in the Face of CSP: • http://www.cse.chalmers.se/research/group/security/pdf/data-exfiltration-in-the-face-of-csp.pdf • Bypassing CSP using polyglot JPEGs: • https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs
  • 25.

Notes de l'éditeur

  1. Here you can enter your personal information and move this slide to the end of the presentation.