Evading Content Security Policy with CRLF Injection


Content Security Policy (CSP) was developed with the aim of mitigating content injection attacks like Cross Site Scripting. CSP allows developers to specify the permitted content sources for their web applications and relies on HTTP response headers to enforce the content restrictions.

When CSP is implemented by the web application and supported by the web browser, content injection attacks can still be achieved by:

  1. Exploiting flaws in the browser's CSP implementation.
  2. Manipulating HTTP response headers.

CRLF injection is one possible technique by which an attacker can control HTTP response headers. If client-provided parameters are returned in response headers without any validation, CRLF injection can be used to bypass CSP restrictions.

For the demonstration, two web pages were set up with the following content at two different origins.

Webpage 1: http://localhost:3000/csp
Content:
http://www.bkjia.com/xss.js

Webpage 2: http://localhost:3333/xss.js
Content:
alert('xss')


CRLF Injection and CSP:
If an HTTP response contains the same HTTP header multiple times, different browsers interpret the headers differently. Certain browsers honour the first occurrence of the HTTP header, others choose the last one. Hence, the position of the CSP directive (X-Content-Security-Policy) in the application response plays an interesting role. In the discussion below, we assume that the web application implements CSP and is vulnerable to CRLF injection:

Case 1: The attack vector is returned before the CSP header in the HTTP response headers.
Case 1a: If the browser picks the first occurrence of the CSP header, CRLF injection can be used to insert a CSP header with the following attack vector:

lang=en_US%0d%0aX-Content-Security-Policy: allow *

In this case, the web browser will interpret the first CSP header and will happily retrieve content from any malicious URL.

Image shows malicious CSP directive inserted before the legitimate header

Case 1b: If the browser picks the last occurrence of the CSP header, the following CRLF injection attack vector can be used to insert a custom CSP header:

lang=en_US%0d%0aX-Content-Security-Policy: allow *%0d%0a%0d%0a

The two trailing CRLF sequences terminate the header block and push the legitimate CSP directive into the response body, where it is no longer interpreted as a CSP directive. This again allows the attacker to bypass the CSP protection and source and execute arbitrary content.



Image shows CSP directive pushed out to response body and rendered ineffective


Case 2: The attack vector is returned after the CSP header in the HTTP response headers.
Case 2a: If the browser picks the first occurrence of the CSP header, the CSP directive cannot be overridden for the current resource. For an attack to work, one would have to look into exploiting HTTP Response Splitting instead.

Case 2b: If the browser picks the last occurrence of the CSP header, CRLF injection can be used to insert a malicious header, similar to case 1a:

lang=en_US%0d%0aX-Content-Security-Policy: allow *

This will cause the browser to interpret the CSP directive as allow * and retrieve content from arbitrary URLs.

It was observed that when more than one X-Content-Security-Policy header was received by Firefox (7.0.1), it securely defaulted to the same-origin policy for all content.
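As an added defender-side example (not part of the original write-up), the Python below shows the two checks a practitioner would want for this issue: a validator that refuses to echo a client parameter into a response header if it carries a raw or percent-encoded CR/LF, and an audit that parses a raw response and flags both a duplicated policy header (cases 1a/2b) and a policy line pushed into the body by an injected CRLF CRLF (case 1b). Only the standard library is used; the sample responses are constructed for the example.

```python
import re
from urllib.parse import unquote

CSP_NAMES = ("content-security-policy", "x-content-security-policy")
# Raw CR/LF, or a percent-encoded %0d / %0a that survives one round of decoding.
_CRLF_RE = re.compile(r"[\r\n]|%0[dDaA]")


def is_safe_header_value(value: str) -> bool:
    """True if a client-supplied value can be echoed into a response header.

    The value is checked both raw and after one URL-decode, so the
    lang=en_US%0d%0a... vector, a double-encoded %250d%250a, and a literal
    CR or LF are all rejected."""
    return not (_CRLF_RE.search(value) or _CRLF_RE.search(unquote(value)))


def safe_header_value(value: str) -> str:
    """Return the decoded value, or raise rather than build a header from it."""
    if not is_safe_header_value(value):
        raise ValueError("CR/LF not allowed in a header value")
    return unquote(value)


def audit_response(raw: bytes) -> dict:
    """Flag a CSP header that occurs more than once, and a CSP line that sits in
    the body because the header block was terminated early by an injected blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    names = [h.split(":", 1)[0].strip().lower() for h in header_lines if ":" in h]
    csp_count = sum(1 for n in names if n in CSP_NAMES)
    body_text = body.decode("latin-1")
    in_body = any(re.search(rf"(?im)^{n}\s*:", body_text) for n in CSP_NAMES)
    return {"csp_headers": csp_count, "duplicate_csp": csp_count > 1, "csp_in_body": in_body}


# Constructed responses (not captured traffic) modelling the cases above.
# Case 1a: the echoed parameter injected a second policy header ahead of the real one.
SAMPLE_1A = (b"HTTP/1.1 200 OK\r\nSet-Cookie: lang=en_US\r\n"
             b"X-Content-Security-Policy: allow *\r\n"
             b"X-Content-Security-Policy: default-src 'self'\r\n\r\n<html></html>")
# Case 1b: the trailing %0d%0a%0d%0a closed the header block, so the real policy is body text.
SAMPLE_1B = (b"HTTP/1.1 200 OK\r\nSet-Cookie: lang=en_US\r\n"
             b"X-Content-Security-Policy: allow *\r\n\r\n\r\n"
             b"X-Content-Security-Policy: default-src 'self'\r\n\r\n<html></html>")

if __name__ == "__main__":
    print(audit_response(SAMPLE_1A))  # {'csp_headers': 2, 'duplicate_csp': True, 'csp_in_body': False}
    print(audit_response(SAMPLE_1B))  # {'csp_headers': 1, 'duplicate_csp': False, 'csp_in_body': True}
    print(is_safe_header_value("en_US%0d%0aX-Content-Security-Policy: allow *"))  # False
```

The audit works on the raw bytes rather than a parsed header map, because a parsed map would already have lost the duplicate or the pushed-out line it is meant to detect.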

The POC below pushes the headers out to the response body by injecting two CRLF sequences to achieve script execution.

Image shows script execution prevented from a different origin (http://www.bkjia.com)


Image shows successful script execution when the page was vulnerable to CRLF injection


From http://hi.baidu.com/evilrapper/blog/item/323e0bde20818b47ccbf1a3f.html
