Hacker News

CSP for Pentesters: A Thorough Understanding


20 min read Via www.kayssel.com

Mewayz Team

Editorial Team


Why every pentester should understand Content Security Policy

Content Security Policy (CSP) has become one of the most important browser-side defense mechanisms against cross-site scripting (XSS), data injection and clickjacking attacks. Yet in practical penetration testing engagements, CSP headers remain one of the most frequently misconfigured security controls, and one of the least well understood. A 2024 study that examined more than 1 million sites found that only 12.8% deployed a CSP header at all, and of those, roughly 94% contained at least one weakness that could be exploited. For pentesters, understanding CSP is not optional: it is the difference between a surface-level assessment and a report that actually strengthens the client's security posture.

Whether you are performing web application assessments, hunting bug bounties, or building security into a business platform that processes clients' sensitive data, CSP knowledge is foundational. This guide covers what CSP is, how it works under the hood, where it fails, and how pentesters can systematically assess and bypass weak policies.

What Content Security Policy actually does

At its core, CSP is a security mechanism delivered through an HTTP response header (or, less commonly, a meta tag). It tells the browser which sources of content (scripts, styles, images, fonts, frames and more) may be loaded and executed on a given page. If a resource violates the policy, the browser blocks it and can optionally report the violation to a configured endpoint.

The original motivation behind CSP was to mitigate XSS attacks. Traditional XSS defenses such as input sanitization and output encoding work, but they are brittle: a single missed context or encoding mistake can reintroduce the vulnerability. CSP adds a further layer of defense: even if an attacker manages to inject a malicious script into the DOM, a properly configured policy prevents the browser from executing it.

CSP operates on a whitelist model. Rather than trying to block known-bad content, it explicitly declares what is allowed; everything else is denied by default. This security model is conceptually powerful, but in practice, maintaining strict policies in complex web applications is notoriously hard, particularly on platforms that manage ten or more interconnected modules such as CRM, invoicing, analytics and reporting pipelines.

Anatomy of a CSP header: directives and sources

A CSP header is made up of directives, each of which controls a specific resource type. Understanding these directives is essential for any pentester who wants to assess a policy. The most important directives are default-src (the fallback for any directive not explicitly set), script-src (JavaScript execution), style-src (CSS), img-src (images), connect-src (XHR, Fetch and WebSocket connections), frame-src (embedded iframes), and object-src (plugins such as Flash or Java applets).

Each directive accepts one or more source expressions that define the allowed origins. These range from specific host names (https://cdn.example.com) to the far more powerful keywords:

  • 'self' — allows resources from the same origin as the document
  • 'none' — blocks all resources of that type
  • 'unsafe-inline' — allows inline scripts or styles (largely defeats the XSS protection)
  • 'unsafe-eval' — allows eval(), setTimeout(string) and similar dynamic code execution
  • 'nonce-{random}' — allows only those inline scripts tagged with a matching cryptographic nonce
  • 'strict-dynamic' — trusts scripts loaded by scripts that are already trusted, ignoring host-based allowlists
  • data: — allows data: URIs as content sources

A real CSP header might look like this: Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.jsdelivr.net 'nonce-abc123'; style-src 'self' 'unsafe-inline'; img-src *; object-src 'none'. As a pentester, your job is to read this policy and quickly determine where it is strong, where it is weak, and where it can be exploited.
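As an added example (not code from the original article), the Python auditor below parses the sample header above into its directives, applies the default-src fallback the article describes, and flags the weak keywords it lists ('unsafe-inline', 'unsafe-eval', wildcards and data:). Directive names and keywords are the standard CSP ones; the wording of the findings is my own.

```python
from typing import Dict, List

# Sample header quoted in the article, embedded so the script runs offline.
SAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net "
    "'nonce-abc123'; style-src 'self' 'unsafe-inline'; img-src *; "
    "object-src 'none'"
)

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "frame-src", "object-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated and sources whitespace-separated; names
    are case-insensitive, and a repeated directive is ignored after its
    first occurrence, which matches browser behaviour.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources applying to a fetch directive, honouring the default-src fallback."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header: str) -> List[str]:
    """Return one finding per weak setting, in directive order."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if not sources:
            findings.append(f"{directive}: not set and no default-src fallback")
        if "'unsafe-inline'" in sources and directive == "script-src":
            findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
        elif "'unsafe-inline'" in sources:
            findings.append(f"{directive}: 'unsafe-inline' permits inline content")
        if "'unsafe-eval'" in sources:
            findings.append(f"{directive}: 'unsafe-eval' allows dynamic code execution")
        if "*" in sources or "data:" in sources:
            findings.append(f"{directive}: wildcard or data: source is effectively unrestricted")
    return findings
```

Running audit_csp(SAMPLE_POLICY) reports only the inline styles and the unrestricted img-src; script-src passes because it relies on 'self', one host and a nonce.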

Common CSP misconfigurations pentesters should look for

The gap between deploying a CSP header and deploying an effective CSP header is enormous. In practice, most policies contain weaknesses introduced through developer convenience, third-party integrations, or simple misunderstanding. During assessments, pentesters should check for the following flaws systematically.

The most serious misconfiguration is the presence of 'unsafe-inline' in the script-src directive. This single keyword renders CSP's XSS mitigation essentially useless, because it allows the browser to