
Bypassing Content Security Policy (CSP)

Bilingual translation reference: https://www.intigriti.com/researchers/blog/hacking-tools/content-security-policy-csp-bypasses
For SRC (bug bounty) work, one usually starts with web security. For web labs, the first choice is the official Burp Suite (PortSwigger) Web Security Academy for learning vulnerability fundamentals (that is, it is used only for teaching vulnerabilities, not as a demo environment for one feature or a handful of features in SRC-style teaching: https://portswigger.net/web-security). So what is a genuine SRC-style training environment? (What zseano offers is true SRC style (https://www.bugbountyhunter.com; HackerOne top 10, seven consecutive years of million-dollar bounty hunting on Amazon); unfortunately the membership service was discontinued from 2025, and you cannot get in even by paying. True SRC style puts every vulnerability into a realistic enterprise environment (the most advanced environment I have encountered), with every activity aligned to HackerOne, including testing precautions, vulnerability types, reports and so on.) Second, SRC requires constantly reading other people's reports and thinking. Intigriti is one of the most popular SRC article sources today (the so-called RSS subscription; it is 2025, RSS is not necessary). For article sources, mainstream social platforms such as Reddit, Telegram, YouTube and blogs are our first choice.

Content Security Policies (CSPs) are often deployed as the last line of defense against client-side attacks such as cross-site scripting (XSS, https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-reflected-xss-vulnerabilities) and clickjacking. Since their first introduction in 2012, they've enabled developers to control which resources are allowed to load and evaluate within a given DOM context.

However, it still commonly occurs that developers rely on this countermeasure as the sole defensive layer against these client-side attacks. Ultimately, this introduces new opportunities for us to evade it and execute our malicious JavaScript code.

In this article, we'll explore in depth what Content Security Policies are and how we can bypass CSPs to, for example, exploit XSS vulnerabilities (https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-reflected-xss-vulnerabilities).

Let's dive in!

What is a Content Security Policy (CSP)?

Content Security Policy (CSP) is a browser security mechanism designed to mitigate content injection attacks, including cross-site scripting (XSS) and clickjacking vulnerabilities. By specifying which sources the browser should trust for different types of content (scripts, stylesheets, images, etc.), developers can effectively control what resources are allowed to load and execute on their web pages.

When implemented correctly, CSP acts as a defense-in-depth layer that can prevent XSS exploitation even when input validation is missing or insufficient. However, CSP should never be considered the only line of defense, as misconfigurations and oversights can render it ineffective or allow for complete bypasses, as we'll cover later on in this article.
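As an added illustration (not code from the Intigriti article or from any browser), the following JavaScript models the two rules the paragraphs above describe: each directive lists the sources trusted for one content type, and an inline script is only permitted when the governing directive says so. The policy string, origins and URLs are constructed for the example; host-sources are matched on scheme and host only (no port or path checks).

```javascript
// Added example: answers "would the browser load resource X under policy P?" with the
// CSP rules described above. Each directive lists trusted sources per content type,
// and a missing fetch directive falls back to default-src. Host matching is simplified.

function parsePolicy(header) {
  // "script-src 'self' https://cdn.example.com; img-src *" -> Map(directive -> [sources])
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return !/^(data|blob|filesystem):$/.test(url.protocol); // '*' never covers these schemes
  if (src.startsWith("'")) return false; // 'unsafe-inline', nonces and hashes never match a URL
  if (src.endsWith(':')) return url.protocol === src; // scheme-source such as "https:"
  // host-source: [scheme://]host[:port][/path]; without a scheme, the page's scheme is assumed
  const [scheme, rest] = src.includes('://') ? src.split('://') : [new URL(pageOrigin).protocol.slice(0, -1), src];
  if (url.protocol !== scheme + ':') return false;
  const host = rest.split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1)); // '*.example.com' matches subdomains only
  return url.hostname === host;
}

// Fetch directives such as script-src or img-src fall back to default-src when absent.
function isAllowed(policy, type, resourceUrl, pageOrigin) {
  const directive = policy.has(`${type}-src`) ? `${type}-src` : 'default-src';
  const sources = policy.get(directive);
  if (sources === undefined) return true; // nothing in the policy restricts this type
  const url = new URL(resourceUrl, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Inline <script> (the usual XSS payload) runs only with 'unsafe-inline', and browsers
// ignore 'unsafe-inline' as soon as a nonce or hash appears in the same directive.
function inlineScriptAllowed(policy) {
  const sources = (policy.get('script-src') ?? policy.get('default-src') ?? []).map((s) => s.toLowerCase());
  if (sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) return false;
  return sources.includes("'unsafe-inline'");
}

// Constructed sample policy and page origin (not taken from the article).
const PAGE_ORIGIN = 'https://app.example.com';
const POLICY = parsePolicy("default-src 'self'; script-src 'self' https://cdn.example.com; img-src *; style-src 'self' 'unsafe-inline'");
```

With this policy an injected inline script is refused and a script from an unlisted host is refused, while images from any network origin and scripts from the listed CDN load; that is the defense-in-depth effect the text describes, and it holds only as long as the policy itself is not misconfigured.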

Let's go over the most important directive names and sources to help us better understand what CSP bypasses are. If you're already familiar with CSPs and client-side attacks, you may skip ahead to the bypasses section.

Content Security Policy (CSP) bypasses in bug bounty
Identifying Content Security Policy (CSP) misconfigurations is often report-worthy in pentests. However, this isn't necessarily the case in bug bounty.
Most programs won't accept CSP bypass reports as standalone vulnerabilities. You'll always need to chain your CSP bypass with, for instance, an actual XSS vulnerability to demonstrate real-world impact.

Finding Content Security Policy (CSP) declarations

Content Security Policies (CSPs) can be implemented in two main ways, and understanding where to look for them is essential for analyzing potential misconfigurations.
