form-action Content-Security-Policy Bypass And Other Tactics For Dealing With The CSP

The Content-Security-Policy is a widely adopted security standard designed to protect applications against content injection vulnerabilities such as XSS and HTML injection. Often, these types of vulnerabilities become worthless due to the Content Security Policy.

Nowadays, there are many write-ups that show how to find a way around poorly configured policies. This post differs because it shows how to exploit applications even if the CSP is correctly configured: some of these bypasses don't rely on any misconfiguration at all.

This post will begin by showing that the Content-Security-Policy is very often not adequately configured. Because these configuration flaws are so common, applications frequently remain vulnerable to dangerous attacks.

Later on, a form-action Content-Security-Policy bypass will be exposed. It allows attackers to exfiltrate information from users' accounts by injecting forms that consume the document's content and then submitting them to an external domain, despite a Content-Security-Policy that forbids submitting form data to external domains. This attack doesn't rely on misconfigurations and works in a lot of scenarios.

Browsers' security defenses against dangling markup attacks were bypassed too. Dangling markup attacks were very powerful content injection attacks that came in useful in situations where script execution is not allowed (e.g. blocked by the CSP). Because of this, browsers now have security defenses that block dangling markup attacks, and with that mitigation these attacks became dead and useless. The post will show how to bypass these browser defenses, resurrecting dangling markup attacks from the dead. With one of these bypasses it is possible to exploit content injection vulnerabilities regardless of the configuration; it works even against the strictest CSP configurations (e.g. everything set to 'none': default-src 'none'; form-action 'none').

After a sample study of the 300 most visited websites in the world, the statistics show a lot of ignorance regarding the correct use of the CSP: 82.6% of the policies have vulnerable configurations and 87.5% of the well-configured policies can be bypassed with one of the attacks exposed in this post; this means that 98% of the policies can be defeated. It is very likely that if you have a web app that uses a Content Security Policy, its configuration is vulnerable.
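A small policy audit in that spirit, added here as an example (it is not code from the post, and the checks are my own review heuristics rather than the post's classification of vulnerable policies): it parses a CSP header value and flags the settings that leave form submission or script execution unrestricted, including the missing form-action directive that leaves injected forms free to post anywhere.

```python
import re


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    A repeated directive is ignored, as browsers do (the first one wins)."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _has_nonce_or_hash(sources: list[str]) -> bool:
    # With a nonce or hash present, browsers ignore 'unsafe-inline' for scripts.
    return any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in sources)


def audit_csp(header: str) -> list[str]:
    """Return a list of findings; an empty list means none of the checked flaws is present."""
    p = parse_csp(header)
    findings: list[str] = []
    # form-action has no fallback to default-src: without it, an injected form
    # may submit the page's content to any origin.
    if "form-action" not in p:
        findings.append("form-action missing: injected forms may submit to any origin")
    elif "*" in p["form-action"]:
        findings.append("form-action allows any origin ('*')")
    script = p.get("script-src", p.get("default-src"))
    if script is None:
        findings.append("no script-src and no default-src: inline script execution allowed")
        return findings
    if "'unsafe-inline'" in script and not _has_nonce_or_hash(script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for s in script:
        if s == "*" or s in ("http:", "https:", "data:"):
            findings.append(f"script-src permits the overly broad source {s}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from the post's dataset.
    for h in ("default-src 'none'; form-action 'none'",
              "default-src 'self'; script-src 'self' 'unsafe-inline' https:"):
        print(h, "->", audit_csp(h) or ["no findings"])
```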

Other tactics for dealing with the CSP will be shown too.

Possibly this post will help transform those worthless code injection bugs into exploitable vulnerabilities.


Hello world!

The intention of this blog is to contribute with new research.

If you want to share something as well, send an abstract to ruben@nzt-48.org and I'll give you a guest account so you can post your own work as well.

Enjoy your 0xc0ffee.