Content Security Policy (CSP) Bypass

内容安全策略

额外的安全层，检测并消弱XSS 和数据注入攻击。本质上是建立白名单，规定了浏览器只能执行特定来源的代码。

防范XSS 代码注入攻击的手段之一。

两种方法可以启用 CSP。
一种是通过 HTTP 头信息的Content-Security-Policy的字段。

Content-Security-Policy: default-src https://example.com https://example2.com; object-src 'none'

一种是通过网页的meta标签

<meta
  http-equiv="Content-Security-Policy"
  content="default-src https://example.net; child-src 'none'; object-src 'none'"
/>

【low】

<?php

$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com hastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, hastebin.com, jquery and google analytics.

header($headerCSP);

# These might work if you can't create your own for some reason
# https://pastebin.com/raw/R570EE00
# https://hastebin.com/raw/ohulaquzex

?>
<?php
if (isset ($_POST['include'])) {
$page[ 'body' ] .= "
    <script src='" . $_POST['include'] . "'></script>
";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';

posted @ 2021-07-03 16:14 dem0n小姐姐阅读(122) 评论(0) 收藏举报

刷新页面返回顶部

dem0n小姐姐

Content Security Policy (CSP) Bypass

Content Security Policy (CSP) Bypass

【low】

公告