Writeups IO | Technical Analysis of "Bypassing CSP with Path in Late 2021"

# Technical Analysis of "Bypassing CSP with Path in Late 2021"

The video discusses techniques for circumventing Content Security Policy (CSP) protections using path-based exploits, emphasizing how CSP misconfigurations can still lead to exploitation in late 2021. Throughout the video, various CSP bypass techniques are demonstrated, focusing on both the conceptual understanding and practical execution.

## Key Technical Highlights

### 1. **Understanding CSP and Its Purpose**:
Content Security Policy (CSP) is a web security measure that helps prevent Cross-Site Scripting (XSS) and data injection attacks by defining which resources are permitted to load for a given page.
- CSP rules include directives like `script-src`, `style-src`, `img-src`, etc., specifying allowed resource sources.
- The policy is deployed via HTTP headers or `<meta>` tags.

### 2. **Common Bypasses and Techniques**:
- In the video, several bypass techniques are highlighted. The focus is on exploiting path-based misconfigurations within CSP, rather than on vulnerabilities intrinsic to the CSP standard itself.

#### a. **Wildcard (*) Usage and Overly Broad Rules**:
- Using wildcard (`*`) in CSP allows resources from any URI. When directives like `script-src *` or `style-src *` are employed, the policy is almost useless as it opens up the application to execute scripts and styles from any source.

#### b. **Trusting Insecure Protocols**:
- Using HTTP in the `script-src` or `style-src` directives (`script-src http:`) allows for script injection via MitM (Man-in-the-Middle) attacks, compromising the integrity of resource loading since HTTP traffic can be intercepted and modified.

#### c. **Subdomain-based Bypasses**:
- Misconfigured CSP policies often include directives like `script-src subdomain.example.com`, assuming all resources from subdomains are trusted. If any subdomain is compromised, an attacker can host malicious scripts on it.

#### d. **Self and Path Exploits**:
- The `self` keyword allows scripts to be loaded from the same origin. However, if the path can be influenced (e.g., `/example.com/<payload>`), then self-referential scripts can be used for injection.
- Similarly, allowing specific paths (`script-src example.com/scripts/`) can be exploited if attackers find ways to upload malicious scripts to those paths.

### 3. **Path-based Exploits**:
- The core of the video's demo revolves around how attackers can exploit path patterns within CSP rules.
  - **Parameter Injection into URLs**: If CSP allows specific paths and user input can manipulate these paths, it opens up vectors for XSS.
  - **Subresource Integrity (SRI)**: Although not discussed in detail, the principle suggests using SRI for scripts to ensure integrity and protect against injection even if the source is allowed by CSP.

### Example Exploit Overview:
- The demonstration showcases how to bypass CSP by manipulating paths allowed by `script-src`.
  - **Scenario Setup**: Assume CSP allows scripts from `/static/js/*`.
  - **Attack**: If it is possible to upload to `/static/js/payload.js`, a malicious payload can be executed due to the liberal path inclusion in the CSP without specific checks on the content integrity.
  - **Real-world Application**: The example can be realized in platforms where user content can influence the file structure of served scripts (e.g., upload directories, dynamically generated script paths).

### 4. **Remediation and Best Practices**:
- **Avoid Wildcards and Broad Rules**: Do not use overly broad rules like `script-src *`.
- **Enforce HTTPS**: Strictly enforce `https:` for all resource directives to mitigate potential MitM attacks.
- **Use SRI (Subresource Integrity)**: Employ SRI to check the integrity of scripts and styles loaded from external sources.
- **Limit Self and Paths**: Ensure that `self` and specific paths (`/static/js/*`) are accompanied by rigorous validation to prevent injection.

### Conclusion:
The video provides an insightful look into modern methods of bypassing CSP using path-based exploits, highlighting the significance of proper CSP configuration and the potential dangers of misconfigurations. The demonstration emphasizes the need for meticulous design in CSP rules to prevent XSS attacks effectively.

For full details and practical demonstrations, you can watch the original video [here](https://www.youtube.com/watch?v=MYsUhAgSgwc).