LoRexxar's Blog

gif bypass CSP?

2016/04/20

鍓嶆鏃堕棿鐪嬪埌浜嗕竴涓湁瓒g殑bypasscsp鐨勬枃绔狅紝鏈寮濮嬫槸鍦╤tml5sec涓婄湅鍒扮殑
http://html5sec.org/#138
杩欓噷鏈潵璇寸殑鏄叧浜巐ink鐨刬mport灞炴э紝浣嗙ず渚嬩腑鍗翠娇鐢╣if bypass浜哻sp锛岀爺绌朵簡涓涓嬪崍锛屽彂鐜颁簡涓浜涙湁瓒g殑涓滆タ銆

Original article

棣栧厛鏄師鏂
http://html5sec.org/cspbypass/
鎴戜滑鐪嬪埌浣滆呯殑鏍囬鏄CSP Bypass in Chrome Canary + AngularJS
骞朵笖濡傛灉浣犱娇鐢ㄤ簡chrome娴忚鍣(鍊煎緱娉ㄦ剰鐨勯棶棰樻槸杩欎釜demo鍙湁chrome鎵嶄細寮圭獥)锛屽彲浠ユ槑鏄剧殑鐪嬪埌鏈夊脊绐椼

閭d箞璁╂垜浠潵鍒嗘瀽涓涓媎emo鍚

Principle

The technique comes from these slides: http://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating-frameworks/48


First, upload a gif that carries the payload, so that the gif is served from the same origin as the site:

GIF89ad=1/*xxxxxx*/;alert(1)/*<script src="test.gif"></script>,xxxxxxxxxxxxxxxxxxxxxxxxxxxxx<link rel="import" href="test.gif" />*/

Then reference test.gif with class="ng-include:'test.gif'"; AngularJS fetches the gif and parses its content into the page as a template.

<span style="visibility:hidden" class="ng-include:'test.gif'"></span>

This becomes:

<span style="visibility:hidden" class="ng-include:'test.gif' ng-scope">
<span class="ng-scope">
GIF89ad=1/*xxxxxxxxx*/;alert(1)/*
</span>
<script src="test.gif" class="ng-scope"></script>
<span class="ng-scope">,xxxxxxxxxxxxxx;
</span>
<link rel="import" href="test.gif" class="ng-scope">
<span class="ng-scope">*/
</span>
</span>

We can see three requests.

But we can also see that part of this was blocked by CSP.

According to the explanation in the slides, it is <link rel="import" href="test.gif" class="ng-scope"> that loads test.gif; let's look at what is inside the imported document.

<html>
<head>
</head>
<body>
GIF89ad=1/*xxxxx*/;alert(1)/*<script src="test.gif"></script>,xxxxxxxx;<link rel="import" href="test.gif">*/</body>
</html>


link涓張鍔犺浇浜嗕竴娆est.gif

杩欓噷鎴愬姛鎵ц浜<script src="test.gif"></script>
鎴愬姛寮圭獥銆

Is it really that simple?

The principle looks exactly as described, but in my tests there is one difference between what actually happens and the demo:
(screenshot: demo)
(screenshot: my test environment)
Everything looks familiar, but the <link> that originally triggered the alert now produces an error:

Refused to execute script from 'http://119.29.192.14/test.gif' because its MIME type ('image/gif') is not executable.

Searching for this error, most reports attribute it to the X-Content-Type-Options header: with nosniff set, the browser compares the response's Content-Type against the type expected for the context instead of sniffing the body. Here test.gif is served as image/gif, which is not a script type, so the script is refused. For details see:
http://drops.wooyun.org/tips/1166
https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/

But the header is clearly not present in the response, so either it is on by default or something else is going on. In fact Chrome refuses to execute any script response whose MIME type is image/*, audio/*, video/* or text/csv regardless of X-Content-Type-Options; when nosniff is what blocks a script, the console message instead ends with "and strict MIME type checking is enabled", which the message above does not. Either way the question is the same: can we change the Content-Type of the image response?

鎴戜滑鍙互鐪嬪埌鍦╠emo鍜屾垜鐨勬祴璇曠幆澧冧腑鍏充簬test.gif鐨勮姹傛槑鏄炬槸涓嶅悓鐨勭殑銆

鍦ㄨ姹傚ご涓垜浠槑鏄剧湅鍒版湁涓や釜鐗规畩鐨勫湴鏂广
1銆丆ontent-Type
鏄剧ず姝TTP璇锋眰鎻愪氦鐨勫唴瀹圭被鍨嬨備竴鑸彧鏈塸ost鎻愪氦鏃舵墠闇瑕佽缃灞炴с
http://tool.oschina.net/commons

2銆丆ontent-Location:test.gif.js
璇锋眰璧勬簮鍙浛浠g殑澶囩敤鐨勫彟涓鍦板潃
涔熷氨鏄鏋渢est.gif娌℃湁璇锋眰鍒帮紝閭d箞涔呬娇鐢╰est.gif.js鈥.閭d箞杩欎釜璁剧疆鍒板簳鏄共鍢涚殑鈥

content-location:test.gif.js?

If we change the src in the script tag to test.gif.js, the request changes:

The earlier error disappears, but this makes the whole thing moot: if you can upload a file with a .js extension to the same origin, you do not need a "CSP bypass" at all.

content-type

On the server side you can change the default Content-Type for .gif to a JavaScript type in the configuration file; then the so-called .gif is really a .js, and there is no essential difference from uploading a script.

So does this hole really exist?
