CSP

content/Etudiants/zz2-f5-websec.md

@@ -168,15 +168,15 @@ Tags: cours
     </a>
     <ul>
       <li>
-        <a href="(slides/1337/csp.html"
+        <a href="slides/1337/csp.html"
           class="customizable">
-          CSP <i class="fas fa-hammer"></i>
+          CSP
         </a>  
       </li>
       <li>
-        <a href="(slides/1337/sop.html"
+        <a href="slides/1337/sop.html"
           class="customizable">
-          SOP/CORS <i class="fas fa-hammer"></i>
+          SOP/CORS
         </a>  
       </li>
     </ul>
@@ -224,6 +224,8 @@ Tags: cours
 <hr />
 
 ## Installer DVWA sur sa VM perso
+
+* [https://github.com/digininja/DVWA#linux-packages](https://github.com/digininja/DVWA#linux-packages)
 ## Recréer l'environnement de cours dans VirtualBox
 
 * testé avec [VirtualBox 5.2.18](https://download.virtualbox.org/virtualbox/5.2.18/virtualbox-5.2_5.2.18-124319~Ubuntu~bionic_amd64.deb) sous [Ubuntu Bionic](http://releases.ubuntu.com/bionic/)

content/slides/1337/md/csp.md

@@ -3,7 +3,7 @@
 ## a.k.a. Content Security Policy
 
 
-## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
+### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
 
 * En-tête renvoyée côté serveur
   * protéger son contenu
@@ -12,10 +12,12 @@
     * quelles tentatives ont été menées
 
 
-## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
+### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
 
 ```http
-Content-Security-Policy: script-src 'self' https://apis.google.com; frame-src 'none'
+Content-Security-Policy:
+  script-src 'self' https://apis.google.com; 
+  frame-src 'none'
 ```
 
 * informera le browser que
@@ -23,7 +25,7 @@ Content-Security-Policy: script-src 'self' https://apis.google.com; frame-src 'n
   * les balises iframes ne doivent pas être interprétées
 
 
-## [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
+### [<i class="fa fa-medkit"></i> **CSP**: Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives)
 
 ![CSP](images/xss/csp.png "CSP")<!-- .element style="text-align: center" -->
 
@@ -34,3 +36,23 @@ Note:
 - couvre également le cas d'une iframe qui recouvre une page légitime
 
 
+### <i class="fa-solid fa-bomb"></i> CSP / low
+
+```http
+Content-Security-Policy: 
+  script-src 'self' https://pastebin.com hastebin.com 
+  www.toptal.com example.com code.jquery.com 
+```
+
+* écriture d'un fichier js sur l'hôte local via une autre faille [upload](upload.html) par exemple
+* exécution directement sur [https://pastebin.com/raw/SAB3JTJc](https://pastebin.com/raw/SAB3JTJc)
+  * ne fonctione pas depuis Firefox 72 car l'entête [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) force la désactivation du [MIME sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing)
+    réponse pastebin
+    ```http
+    ..
+    X-Content-Type-Options: nosniff
+    ...
+    ```
+    * https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
+    * https://www.komodosec.com/post/mime-sniffing-xss
+    * https://dev.to/ms_74/what-is-corb-3m3f
\ No newline at end of file

content/slides/1337/md/sop.md

@@ -2,6 +2,7 @@
 
 ## a.k.a Same Origin Policy
 
+
 ## [<i class="fa fa-medkit"></i> **SOP**: Same Origin Policy](https://developer.mozilla.org/fr/docs/Web/JavaScript/)
 
   * concerne *XMLHttpRequest*