LoRexxar's Blog

Analysis: bypassing CSP using polyglot JPEGs

2016/12/07

鍓嶆鏃堕棿锛屽鍥界垎鍑烘潵鐨勬柊鐨刡ypass CSP鏂瑰紡锛岃繖閲岀◢寰爺绌朵笅銆

http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html

浣嗗疄闄呮鏌ユ暣涓昏緫涔嬪悗锛屾垜瑙夊緱搴旇绠椾綔鏄涓婁紶妫鏌ョ殑缁曡繃锛屼笉鑳界畻浣滄槸bypass csp

The article describes bypassing CSP by creating a polyglot JavaScript/JPEG file. The author provides two demo images; let's go back over the whole logic.

Open the demo image alongside an arbitrary jpg. The first four bytes are the JPEG header 0xFF 0xD8 0xFF 0xE0. If you have ever tried to execute an image as a script, you will know how the JS engine behaves: as soon as parsing reaches an invalid position, i.e. garbage bytes that cannot be parsed, it throws an error and nothing is executed.

So in the demo image, the header is followed by 0x2F 0x2A, which is `/*`. The trick here is a comment, but these two bytes are actually the length field of the header segment, so the demo image pads that segment with a large number of 0x00 bytes, then closes the comment with 0x2A 0x2F right at the end of the padding, followed by the js payload.

Finally, the large block of image data that follows has to be dealt with as well, so another comment is needed. A normal file ends with 0xFF 0xD9; just before it, the comment is closed with 2A 2F 2F 2F (`*/ //`), which is quite robust.

This yields a complete image/JS polyglot: it has the structure of an image and also contains JS code. One particular issue is that if the file is interpreted as utf-8, the bytes of the image data break the parsing of the script, so the encoding must be specified as ISO-8859-1.
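The layout described above (a `/*` length field, null padding, a closing `*/` and the `*/ //` just before the end-of-image marker) is exactly what an upload check on the receiving site can look for. The following is an added example, not code from the original post or from PortSwigger: a small JPEG segment walker that flags the structural anomalies this polyglot relies on. Both sample files (`BENIGN` and `build_polyglot_shape()`) are constructed here for the demonstration and the JS inside the second one is only a placeholder string.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI and the restart markers RST0-RST7.
STANDALONE = {SOI, EOI} | set(range(0xD0, 0xD8))
# Tokens that have no business inside image metadata but are essential to the polyglot.
SCRIPT_TOKENS = (b"/*", b"*/", b"<script", b"alert(", b"eval(")


def jpeg_segments(data):
    """Walk the marker segments of a JPEG up to SOS (start of scan) or EOI.

    Yields (marker, offset, payload). Bytes found where a marker was expected
    are yielded with marker None: lenient decoders skip such bytes silently,
    and that tolerance is what lets a polyglot carry text between segments.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            nxt = data.find(b"\xff", pos)
            nxt = len(data) if nxt == -1 else nxt
            yield None, pos, data[pos:nxt]
            pos = nxt
            continue
        if pos + 1 >= len(data):
            return
        marker = data[pos + 1]
        if marker == 0xFF:                 # 0xFF fill byte before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):           # entropy-coded data or end of file
            return
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def audit_jpeg(data):
    """Return a list of findings describing why this JPEG looks like a polyglot."""
    findings = []
    for marker, off, payload in jpeg_segments(data):
        if marker is None:
            findings.append(f"offset {off}: {len(payload)} stray bytes between segments")
        elif marker == 0xE0 and not payload.startswith((b"JFIF\x00", b"JFXX\x00")):
            # A JFIF APP0 segment is 16 bytes long; 0x2F2A ("/*") is 12074.
            findings.append(f"offset {off}: APP0 without JFIF identifier, "
                            f"declared length {len(payload) + 2}")
        if marker is None or 0xE0 <= marker <= 0xEF or marker == 0xFE:
            hit = next((t for t in SCRIPT_TOKENS if t in payload), None)
            if hit is not None:
                findings.append(f"offset {off}: script-like token {hit!r} in metadata")
    # The demo closes its last comment right before the EOI marker.
    if data.endswith(b"\xff\xd9") and b"*/" in data[-32:-2]:
        findings.append("comment terminator '*/' immediately before EOI")
    return findings


# Constructed sample: a minimal, well-formed JFIF header followed directly by EOI.
BENIGN = (b"\xff\xd8"                                   # SOI
          + b"\xff\xe0\x00\x10"                         # APP0, length 16
          + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xd9")                                # EOI


def build_polyglot_shape():
    """Constructed sample with the layout the post describes (no real JS inside)."""
    length = 0x2F2A                                     # the bytes "/*" read as a length
    body = b"*/ JS_PAYLOAD_PLACEHOLDER /*"              # placeholder, not a working payload
    pad = b"\x00" * (length - 2 - len(body))            # null padding to reach the length
    return (b"\xff\xd8\xff\xe0" + struct.pack(">H", length) + pad + body
            + BENIGN[2:-2]                              # the real image's segments go here
            + b"*///"                                   # 2A 2F 2F 2F closes the last comment
            + b"\xff\xd9")


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("polyglot", build_polyglot_shape())):
        print(name, audit_jpeg(sample) or "clean")
```

A check like this is a useful signal, but the more robust upload defence is to re-encode every uploaded image so that attacker-controlled metadata never reaches the served file, and to send `X-Content-Type-Options: nosniff` together with a correct `Content-Type`, so browsers refuse to run a file served as `image/jpeg` as a script in the same way the Chrome error below shows.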

payload:

<script charset="ISO-8859-1" src="http://portswigger-labs.net/polyglot/jpeg/xss.jpg"></script>

An interesting point is that chrome blocks this and reports:

Refused to execute script from 'http://portswigger-labs.net/polyglot/jpeg/xss.jpg' because its MIME type ('image/jpeg') is not executable.

whereas in Safari, Firefox, Edge and IE11 it executes successfully.

But what is worth thinking about is that this really cannot count as a bypass of CSP, because the CSP here is

Content-Security-Policy: script-src 'self' 'unsafe-inline'

So the image still has to be hosted on the same site. In reality, then, what is bypassed here is the site's own image upload check. Orz
