Commit 7d1f0244 authored by Vincent Mazenod

CSP

parent 33616086
Pipeline #11397 failed
......@@ -168,15 +168,15 @@ Tags: cours
</a>
<ul>
<li>
<a href="(slides/1337/csp.html"
<a href="slides/1337/csp.html"
class="customizable">
CSP <i class="fas fa-hammer"></i>
CSP
</a>
</li>
<li>
<a href="(slides/1337/sop.html"
<a href="slides/1337/sop.html"
class="customizable">
SOP/CORS <i class="fas fa-hammer"></i>
SOP/CORS
</a>
</li>
</ul>
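Review bot: the stray `(` in both `href="(slides/1337/csp.html"` and `href="(slides/1337/sop.html"` looks like one copy-paste slip, so it is worth grepping the rest of this file for `href="(` since this hunk only covers the two entries under this `<ul>`. Dropping the `<i class="fas fa-hammer"></i>` work-in-progress marker from both links tells students the CSP and SOP/CORS decks are finished; that is true for the CSP deck given the section added further down in this commit, but the SOP deck only gets a new title line here, so consider keeping the hammer on the SOP/CORS entry until that deck has content.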
......@@ -224,6 +224,8 @@ Tags: cours
<hr />
## Installer DVWA sur sa VM perso
* [https://github.com/digininja/DVWA#linux-packages](https://github.com/digininja/DVWA#linux-packages)
## Recréer l'environnement de cours dans VirtualBox
* testé avec [VirtualBox 5.2.18](https://download.virtualbox.org/virtualbox/5.2.18/virtualbox-5.2_5.2.18-124319~Ubuntu~bionic_amd64.deb) sous [Ubuntu Bionic](http://releases.ubuntu.com/bionic/)
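Review bot: the new `## Installer DVWA sur sa VM perso` heading sits directly under `<hr />` and its single bullet runs straight into the next `## Recréer l'environnement de cours dans VirtualBox` heading with no blank line between them; add one so the Markdown renderer keeps them as separate sections. Since DVWA is deliberately vulnerable, the bullet could also say that the install belongs on the isolated course VM described in the following section and must not be exposed beyond it.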
......@@ -3,7 +3,7 @@
## a.k.a. Content Security Policy
## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
* En-tête renvoyée côté serveur
* protéger son contenu
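Review bot: demoting the repeated `**CSP**: Content Security Policy` title from `##` to `###` leaves `## a.k.a. Content Security Policy` as the slide's only level-2 heading, which reads as the intended title/subtitle split, and the same change is applied to the other two copies of this title in the hunks below, so the deck stays consistent. While touching the heading, verify that the MDN link `Web/Security/CSP/CSP_policy_directives` still resolves; MDN has since moved the CSP material under `Web/HTTP/CSP` and the header reference under `Web/HTTP/Headers/Content-Security-Policy`.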
......@@ -12,10 +12,12 @@
* quelles tentatives ont été menées
## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
```http
Content-Security-Policy: script-src 'self' https://apis.google.com; frame-src 'none'
Content-Security-Policy:
script-src 'self' https://apis.google.com;
frame-src 'none'
```
* informera le browser que
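Review bot: splitting `Content-Security-Policy:` over three lines inside the ```http fence reads well on a slide, but it is no longer a valid header as written: HTTP/1.1 line folding (obs-fold) is deprecated by RFC 7230 and is rejected or ignored by servers and browsers, so a reader who copies this into a server or proxy config gets a header that is silently dropped, i.e. no policy at all. Either indent the continuation lines so they are visibly wrapped for display, or keep the one-line form from the removed line (`script-src 'self' https://apis.google.com; frame-src 'none'`) and let the slide soft-wrap it.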
......@@ -23,7 +25,7 @@ Content-Security-Policy: script-src 'self' https://apis.google.com; frame-src 'n
* les balises iframes ne doivent pas être interprétées
## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
![CSP](images/xss/csp.png "CSP")<!-- .element style="text-align: center" -->
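Review bot: the context line `les balises iframes ne doivent pas être interprétées` overstates what `frame-src 'none'` in the example policy does: it stops this page from embedding any frame, but says nothing about other sites framing this page. The speaker note further down (`couvre également le cas d'une iframe qui recouvre une page légitime`) describes clickjacking, which is controlled by `frame-ancestors`, not `frame-src`; worth correcting both lines while this heading is being edited so students do not deploy `frame-src 'none'` expecting clickjacking protection.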
......@@ -34,3 +36,23 @@ Note:
- couvre également le cas d'une iframe qui recouvre une page légitime
### <i class="fa-solid fa-bomb"></i> CSP / low
```http
Content-Security-Policy:
script-src 'self' https://pastebin.com hastebin.com
www.toptal.com example.com code.jquery.com
```
* écriture d'un fichier js sur l'hôte local via une autre faille [upload](upload.html) par exemple
* exécution directement sur [https://pastebin.com/raw/SAB3JTJc](https://pastebin.com/raw/SAB3JTJc)
* ne fonctione pas depuis Firefox 72 car l'entête [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) force la désactivation du [MIME sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing)
réponse pastebin
```http
..
X-Content-Type-Options: nosniff
...
```
* https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
* https://www.komodosec.com/post/mime-sniffing-xss
* https://dev.to/ms_74/what-is-corb-3m3f
\ No newline at end of file
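Review bot: the bullet `ne fonctione pas depuis Firefox 72 car l'entête X-Content-Type-Options force la désactivation du MIME sniffing` presents the failure as a Firefox-specific quirk, but the mechanism is general: with `X-Content-Type-Options: nosniff` a browser refuses to execute a `<script src>` response whose `Content-Type` is not a JavaScript MIME type, and Chromium enforces the same rule (plus CORB, which the linked explainer covers). State it as a property of any current browser, and include the `Content-Type` line pastebin returns in the `réponse pastebin` excerpt, since that value, not `nosniff` alone, is what decides whether the script runs. Smaller points: `fonctione` should be `fonctionne`; the three bare URLs at the end break the `[text](url)` link style used elsewhere in the deck; the payload at `https://pastebin.com/raw/SAB3JTJc` is an external resource that can disappear, so a copy of it in the repo next to the `upload.html` route would keep the lab reproducible; and the file now ends without a trailing newline.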
......@@ -2,6 +2,7 @@
## a.k.a Same Origin Policy
## [<i class="fa fa-medkit"></i> **SOP**: Same Origin Policy](https://developer.mozilla.org/fr/docs/Web/JavaScript/)
* concerne *XMLHttpRequest*
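Review bot: the new SOP title links to `https://developer.mozilla.org/fr/docs/Web/JavaScript/`, which is the generic JavaScript landing page rather than the same-origin policy article; MDN documents SOP under `Web/Security/Same-origin_policy`, so point the link there. For consistency with the CSP deck edited in this commit, `## a.k.a Same Origin Policy` should read `a.k.a.`, and the context bullet `concerne *XMLHttpRequest*` undersells the scope: SOP also governs `fetch`, cross-document DOM access and storage, so the slide should not leave students thinking it is only about XHR.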