Content Security Policy Bypass (WIP)

The Content-Security-Policy header defines rules for the validation of certain requests or inputs on an application. To bypass this verification we can modify the rules by poisoning our input.

Here we find an example of this scenario:

A site lets us upload an image by entering the link of the location, and this process is validated with the security policy

Example Response

HTTP/1.1 200 OK
host: host
Content-Security-Polic: img-src 'self' /src/image script-src 'self' $RestOfPolicy
...

We can poison the input by adding a modified configuration for the security policy header, and after this, the other functions of the app where the security policy is applied will not be filtered properly, allowing us to use injections

$input script-src 'unsafe-inline" 'self' $RestOfPolicy   #Fill on the image link

PreviousHTTP Parameter Pollution (WIP)NextServer-Side Template Injection (WIP)

Last updated 1 year ago