[Translation] CRLF and CSP

Source: Internet
Author: User

First, a brief introduction to Content Security Policy (CSP), which is a popular topic in XSS. I believe everyone has heard of it. In simple terms, CSP was developed mainly to prevent injection attacks. Although CSP is rumored to be the terminator of XSS, there are still many ways around it, and CRLF injection is one of them. As an attack technique that can change the HTTP response headers, it gives us a possible way to bypass CSP.

A little context on CRLF and CSP: suppose we use CRLF injection to insert a Content-Security-Policy header, so that two Content-Security-Policy headers exist in the same response. Browsers handle the same duplicate header differently: some use the first one, some use the last one.

Let's do an interesting experiment. A simple CSP rule can look like this:

Content-Security-Policy: default-src 'self'

Now assume there are two pages:

------------------------------------
Page 1: http://localhost:3000/csp
Content: loads http://localhost:3333/xss.js
------------------------------------
Page 2: http://localhost:3333/xss.js
Content: alert('xss')
------------------------------------

Let's first divide the situation into two categories.

First case: the injected HTTP response header comes before the CSP header. Here we split it again into two sub-cases, depending on which duplicate header the browser chooses.

(1) The first of the duplicate headers prevails. In this case we can directly send a GET request like this:

GET http://www.bkjia.com:3000/csp?Content-Security-Policy: allow *

and the HTTP response may look like this:

---------------------------------------------
HTTP/1.1 200 OK
Connection: close
X-Content-Security-Policy: allow *
X-Runtime: 3
X-Content-Security-Policy: default-src 'self'
Content-Type: text/html
Content-Length: 81
----------------------------------------------

pwned! CSP bypass successful!

(2) The last of the duplicate headers prevails. Then we only need to push the server's X-Content-Security-Policy header back into the page body. Our request can look like this:

GET http://localhost:3000/csp?lang=jp <html>

The following response shows that our poor CSP header has been crowded into the HTML page:

Response:
HTTP/1.1 200 OK
Connection: close
Date: 15.01.2013
lang: jap
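As an added example (not code from the original article), the following Python shows the defensive side of both cases above: a hypothetical server that reflects the ?lang= parameter into a response header but rejects CR/LF before it reaches the header line, plus an auditor that parses a raw response and reports a duplicated CSP header or a CSP header that was pushed past the blank line into the body. The sample responses are constructed here, modelled on the article's listings.

```python
import re
from typing import Dict, List

CSP_HEADERS = ("content-security-policy", "x-content-security-policy")

def safe_header_value(value: str) -> str:
    """Hardened form: refuse CR, LF or NUL so user input can never start a new header line."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("CR/LF in header value")
    return value

def build_response(lang: str, body: bytes = b"<html></html>") -> bytes:
    """Hypothetical server (an assumption, not the article's) that reflects ?lang= into a
    response header, but passes the value through safe_header_value() first."""
    headers = [
        "HTTP/1.1 200 OK",
        "lang: " + safe_header_value(lang),
        "X-Content-Security-Policy: default-src 'self'",
        "Content-Length: %d" % len(body),
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1") + body

def audit_response(raw: bytes) -> Dict[str, object]:
    """Flag the two symptoms from the article: a duplicated CSP header (browser choice
    decides which wins) and a CSP header that ended up in the body (browser never sees it)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    seen: Dict[str, List[str]] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        seen.setdefault(name.strip().lower(), []).append(value.strip())
    return {
        "csp_values": [v for n in CSP_HEADERS for v in seen.get(n, [])],
        "duplicate_csp": any(len(seen.get(n, [])) > 1 for n in CSP_HEADERS),
        "csp_in_body": re.search(rb"(?im)^(x-)?content-security-policy:", body) is not None,
    }

# Constructed sample responses modelled on the article's two cases (not captured traffic).
DUPLICATE_CSP = (b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
                 b"X-Content-Security-Policy: allow *\r\nX-Runtime: 3\r\n"
                 b"X-Content-Security-Policy: default-src 'self'\r\n"
                 b"Content-Type: text/html\r\nContent-Length: 81\r\n\r\n<html>pwned</html>")
CSP_IN_BODY = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nlang: jp\r\n\r\n<html>\r\n"
               b"X-Content-Security-Policy: default-src 'self'\r\nContent-Type: text/html\r\n")

if __name__ == "__main__":
    print(audit_response(DUPLICATE_CSP))
    print(audit_response(CSP_IN_BODY))
    print(audit_response(build_response("jp")))
```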
