Merge remote-tracking branch 'upstream/master'

.gitignore

@@ -1,2 +1,5 @@
 config/config.inc.php
-Dockerfile
+Dockerfile
+
+# Vim swap files
+.*swp

dvwa/includes/dvwaPage.inc.php

@@ -208,6 +208,7 @@ function dvwaHtmlEcho( $pPage ) {
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_d', 'name' => 'XSS (DOM)', 'url' => 'vulnerabilities/xss_d/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' );
+		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript', 'url' => 'vulnerabilities/javascript/' );
 	}
 

vulnerabilities/csp/help/help.php

@@ -0,0 +1,52 @@
+<div class="body_padded">
+	<h1>Help - Content Security Policy (CSP) Bypass</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>Content Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will walk you through ways to bypass the policy based on common mistakes made by developers.</p>
+		<p>None of the vulnerabilities are actual vulnerabilities in CSP, they are vulnerabilities in the way it has been implemented.</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>Bypass Content Security Policy (CSP) and execute JavaScript in the page.</p>
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>Examine the policy to find all the sources that can be used to host external script files.</p>
+		<pre>Spoiler: <span class="spoiler">Scripts can be included from Pastebin, try storing some JavaScript on there and then loading it in.</span></pre>
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>The CSP policy tries to use a nonce to prevent inline scripts from being added by attackers.</p>
+		<pre>Spoiler: <span class="spoiler">Examine the nonce and see how it varies (or doesn't).</span></pre>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>The page makes a JSONP call to source/jsonp.php passing the name of the function to callback to, you need to modify the jsonp.php script to change the callback function.</p>
+		<pre>Spoiler: <span class="spoiler">The JavaScript on the page will execute whatever is returned by the page, changing this to your own code will execute that instead</span></pre>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>
+			This level is an update of the high level where the JSONP call has its callback function hardcoded and the CSP policy is locked down to only allow external scripts.
+		</p>
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ); ?></p>
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src"); ?></p>
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ); ?></p>
+</div>

vulnerabilities/csp/index.php

@@ -0,0 +1,57 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: Content Security Policy (CSP) Bypass' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'csp';
+$page[ 'help_button' ]   = 'csp';
+$page[ 'source_button' ] = 'csp';
+
+dvwaDatabaseConnect();
+
+$vulnerabilityFile = '';
+switch( $_COOKIE[ 'security' ] ) {
+	case 'low':
+		$vulnerabilityFile = 'low.php';
+		break;
+	case 'medium':
+		$vulnerabilityFile = 'medium.php';
+		break;
+	case 'high':
+		$vulnerabilityFile = 'high.php';
+		break;
+	default:
+		$vulnerabilityFile = 'impossible.php';
+		break;
+}
+
+$page[ 'body' ] = <<<EOF
+<div class="body_padded">
+	<h1>Vulnerability: Content Security Policy (CSP) Bypass</h1>
+
+	<div class="vulnerable_code_area">
+EOF;
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csp/source/{$vulnerabilityFile}";
+
+$page[ 'body' ] .= <<<EOF
+	</div>
+EOF;
+
+$page[ 'body' ] .= "
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src") . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ) . "</li>
+	</ul>
+	<p><i>Module developed by <a href='https://twitter.com/digininja'>Digininja</a>.</i></p>
+</div>\n";
+
+dvwaHtmlEcho( $page );
+
+?>

vulnerabilities/csp/source/high.js

@@ -0,0 +1,19 @@
+function clickButton() {
+    var s = document.createElement("script");
+    s.src = "source/jsonp.php?callback=solveSum";
+    document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+	if ("answer" in obj) {
+		document.getElementById("answer").innerHTML = obj['answer'];
+	}
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+	solve_button.addEventListener("click", function() {
+		clickButton();
+	});
+}

vulnerabilities/csp/source/high.php

@@ -0,0 +1,22 @@
+<?php
+$headerCSP = "Content-Security-Policy: script-src 'self';";
+
+header($headerCSP);
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.</p>
+	<p>1+2+3+4+5=<span id="answer"></span></p>
+	<input type="button" id="solve" value="Solve the sum" />
+</form>
+
+<script src="source/high.js"></script>
+';
+

vulnerabilities/csp/source/impossible.js

@@ -0,0 +1,19 @@
+function clickButton() {
+    var s = document.createElement("script");
+    s.src = "source/jsonp_impossible.php";
+    document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+	if ("answer" in obj) {
+		document.getElementById("answer").innerHTML = obj['answer'];
+	}
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+	solve_button.addEventListener("click", function() {
+		clickButton();
+	});
+}

vulnerabilities/csp/source/impossible.php

@@ -0,0 +1,23 @@
+<?php
+
+$headerCSP = "Content-Security-Policy: script-src 'self';";
+
+header($headerCSP);
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.</p><p>The CSP settings only allow external JavaScript on the local server and no inline code.</p>
+	<p>1+2+3+4+5=<span id="answer"></span></p>
+	<input type="button" id="solve" value="Solve the sum" />
+</form>
+
+<script src="source/impossible.js"></script>
+';
+

vulnerabilities/csp/source/jsonp.php

@@ -0,0 +1,13 @@
+<?php
+header("Content-Type: application/json; charset=UTF-8");
+
+if (array_key_exists ("callback", $_GET)) {
+	$callback = $_GET['callback'];
+} else {
+	return "";
+}
+
+$outp = array ("answer" => "15");
+
+echo $callback . "(".json_encode($outp).")";
+?>

vulnerabilities/csp/source/jsonp_impossible.php

@@ -0,0 +1,7 @@
+<?php
+header("Content-Type: application/json; charset=UTF-8");
+
+$outp = array ("answer" => "15");
+
+echo "solveSum (".json_encode($outp).")";
+?>

vulnerabilities/csp/source/low.php

@@ -0,0 +1,22 @@
+<?php
+
+$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, jquery and google analytics.
+
+header($headerCSP);
+
+# https://pastebin.com/raw/R570EE00
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	<script src='" . $_POST['include'] . "'></script>
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
+	<input size="50" type="text" name="include" value="" id="include" />
+	<input type="submit" value="Include" />
+</form>
+';

vulnerabilities/csp/source/medium.php

@@ -0,0 +1,25 @@
+<?php
+
+$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";
+
+header($headerCSP);
+
+// Disable XSS protections so that inline alert boxes will work
+header ("X-XSS-Protection: 0");
+
+# <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
+	<input size="50" type="text" name="include" value="" id="include" />
+	<input type="submit" value="Include" />
+</form>
+';