Commit 5f1b933

Fixing capitalisation
1 parent 5183bb7 commit 5f1b933

File tree

1 file changed

+3
-2
lines changed

vulnerabilities/csp/help/help.php

Lines changed: 3 additions & 2 deletions
@@ -18,11 +18,11 @@
1818

1919
<h3>Low Level</h3>
2020
<p>Examine the policy to find all the sources that can be used to host external script files.</p>
21-
<p>This exercise was originally written to work with Pastebin, then updated for Hastebin, then Toptal, but all these stopped working as they set various headers that prevent the browser executing the JavaScript once it has downloaded it. Since then two new services have been identified, UNPKG and JSDELIVR, the first is a proxy for NPM packages, the second one for GitHub files. They are both designed to allow raw access to any files and do not set any headers that will stop injection.
21+
<p>This exercise was originally written to work with Pastebin, then updated for Hastebin, then Toptal, but all these stopped working as they set various headers that prevent the browser executing the JavaScript once it has downloaded it. Since then two new services have been identified, UNPKG and jsDelivr, the first is a proxy for NPM packages, the second one for GitHub files. They are both designed to allow raw access to any files and do not set any headers that will stop injection.
2222
</p>
2323
<p>I have also put a number of files on my site which help to demonstrate how different headers and file extensions can block execution.</p>
2424
<pre>Spoiler: <span class="spoiler">
25-
https://cdn.jsdelivr.net/gh/digininja/csp_bypass/alert.js - Using JSDELIVR to server a JavaScript file stored on GitHub.
25+
https://cdn.jsdelivr.net/gh/digininja/csp_bypass/alert.js - Using jsDelivr to server a JavaScript file stored on GitHub.
2626
https://unpkg.com/@digininja/csp_bypass@1.0.0/index.js - Using UNPKG to access a JavaScript file in an NPM package.
2727
https://digi.ninja/dvwa/alert.js - Will work, this is a normal JavaScript file served with the correct headers.
2828
https://digi.ninja/dvwa/alert.txt - This will not work as it has the wrong content type set by the web server due to its file extension.
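Review bot: the rewritten spoiler line at 25+ still carries the typo "Using jsDelivr to server a JavaScript file"; since this hunk already touches that line, change "server" to "serve" in the same commit. For consistency with the stated purpose of the change, "UNPKG" (lines 21 and 26) and "NPM" (lines 21 and 26) should also be written "unpkg" and "npm", which is how those projects style their own names, otherwise the capitalisation fix is only half done.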
@@ -60,3 +60,4 @@
6060
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src"); ?></p>
6161
<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ); ?></p>
6262
</div>
63+

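Review bot: the only change in this hunk is the blank line added after `</div>` at 63, presumably the missing newline at end of file; that is harmless, but it is unrelated to the "Fixing capitalisation" commit message, so either mention it there or keep it as a separate whitespace-only commit so the history stays easy to bisect.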