First of all, let's briefly introduce the Content Security Policy (CSP), which comes up so often in XSS discussions. I believe all of our friends have heard of it. In simple terms, CSP was developed mainly to prevent injection attacks. Although CSP is rumored to be the terminator of XSS, the majority of friends still have plenty of room to work with, and CRLF injection is one such case. As an attack method that can change the HTTP response header, it gives us a possible way to bypass CSP.

Here is a small point about CRLF and CSP: suppose we insert a Content-Security-Policy header by the CRLF method, so that two Content-Security-Policy headers exist in the same response. Each browser handles duplicate headers of the same name differently: some browsers take the one in front, while others take the one at the back. Let's make an interesting experiment.

A simple CSP rule can look like this:

Content-Security-Policy: default-src 'self'

Now we assume there are two pages:

------------------------------------
Page 1: http://localhost:3000/csp
Content: http://localhost:3333/xss.js
------------------------------------
Page 2: http://localhost:3333/xss.js
Content: alert('xss')
------------------------------------

Let's first divide the situation into two categories.

First case: the injected HTTP response header arrives before the real CSP header. Here we divide the situation into two types based on the browser's choice principle:

(1) The front copy of the duplicate header prevails. In this case we can directly send the request:

GET http://www.bkjia.com:3000/csp? Content-Security-Policy: allow *

and the HTTP response may look like this:

---------------------------------------------
HTTP/1.1 200 OK
connection: close
X-Content-Security-Policy: allow *
X-Runtime: 3
X-Content-Security-Policy: default-src 'self'
Content-Type: text/html
Content-Length: 81
----------------------------------------------

pwned! CSP bypass successful!

(2) The back copy of the duplicate header prevails. We only need to push the X-Content-Security-Policy header that follows ours out of the header block and into the page body. Our request can be like this:

GET http://localhost:3000/csp?lang=jp <Html>

The following response shows that our poor CSP has been crowded into the HTML page:

Response
HTTP/1.1 200 OK
connection: close
Date: 15.01.2013
lang: jap
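The two failure modes above, as an added example in Python that is not code from the original post: it parses a raw HTTP response, flags a duplicated CSP header and a CSP line that has been pushed into the body, and shows the server-side check that stops CR/LF from reaching a header in the first place. The sample responses are constructed from the post's two cases.

```python
import re
from typing import Dict, List, Tuple

# Header names a browser may treat as a policy (the post uses the older X- form).
CSP_NAMES = ("content-security-policy", "x-content-security-policy")


def parse_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw HTTP response into lowercase (name, value) pairs and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def audit_csp(raw: str) -> Dict[str, object]:
    """Report duplicate policy headers and a policy that ended up in the body."""
    headers, body = parse_response(raw)
    policies = [v for n, v in headers if n in CSP_NAMES]
    # A header line sitting in the body means the header block was terminated early.
    in_body = any(re.search(rf"^{n}\s*:", body, re.I | re.M) for n in CSP_NAMES)
    return {"policies": policies, "duplicate": len(policies) > 1,
            "pushed_into_body": in_body}


def header_value_is_safe(value: str) -> bool:
    """Mitigation: a user-controlled value must never carry CR or LF into a header."""
    return "\r" not in value and "\n" not in value


# Constructed sample: the post's case (1), injected policy in front of the real one.
CASE1 = ("HTTP/1.1 200 OK\r\nconnection: close\r\nX-Content-Security-Policy: allow *\r\n"
         "X-Runtime: 3\r\nX-Content-Security-Policy: default-src 'self'\r\n"
         "Content-Type: text/html\r\nContent-Length: 81\r\n\r\n<html></html>")
# Constructed sample: the post's case (2), real policy crowded into the HTML body.
CASE2 = ("HTTP/1.1 200 OK\r\nconnection: close\r\nDate: 15.01.2013\r\nlang: jap\r\n\r\n"
         "<html>\r\nX-Content-Security-Policy: default-src 'self'\r\n")

if __name__ == "__main__":
    print(audit_csp(CASE1))  # duplicate policy headers
    print(audit_csp(CASE2))  # policy pushed into the body
    print(header_value_is_safe("jp"), header_value_is_safe("jp\r\nX: y"))
```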