这几天测试用Selenium 和 Chrome插件都无法在 谷歌插件商店https://chrome.google.com/webstore/category/extensions?hl=en 实现JS注入
检查发现响应头里面有一个 'content-security-policy' 头,浏览器的错误提示:
"Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'report-sample' 'nonce-wNKF1pjNhZent+g6jyFL9g' 'unsafe-inline' 'unsafe-eval'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list."
CSP全称Content Security Policy,可以直接翻译为内容安全策略,说白了,就是为了页面内容安全而制定的一系列防护策略. 通过CSP所约束的规则指定可信的内容来源(这里的内容可以指脚本、图片、iframe、font、style等等可能的远程资源)。通过CSP协定,让WEB处于一个安全的运行环境中.
我这里使用MitmProxy绕过CSP执行JS注入。之所以可行,是因为CSP约束的是浏览器收到的页面内容及其可信来源;代理在响应到达浏览器之前就改写了响应(nonce 也在同一响应头里),所以CSP对能够改写响应本身的一方并不构成防护。
脚本如下
from bs4 import BeautifulSoup
from mitmproxy import ctx
import re
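# Load in the javascript to inject.
# Decode as UTF-8 explicitly so the payload is read the same way on every
# platform instead of depending on the locale's default encoding.
with open('injected-javascript.js', 'r', encoding='utf-8') as f:
    injected_javascript = f.read()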
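def response(flow) -> None:
    """mitmproxy response hook: insert ``injected_javascript`` into HTML pages.

    Only 200 responses whose Content-Type contains ``text/html`` are touched.
    When the response carries a Content-Security-Policy header with a
    ``'nonce-...'`` source, that nonce is copied onto the inserted <script>
    tag (the policy header itself is left as the server sent it); otherwise
    the tag is inserted without a nonce.

    Args:
        flow: the mitmproxy HTTP flow; ``flow.response`` is read and, when a
            <head> or <body> exists, rewritten in place.

    Relies on ``BeautifulSoup`` (bs4), ``ctx`` (mitmproxy) and the
    module-level ``injected_javascript`` string being in scope.
    """
    # Only process 200 responses of HTML content.  A missing Content-Type
    # header is treated as "not HTML" instead of raising KeyError and
    # aborting the hook.
    if 'text/html' not in flow.response.headers.get('content-type', ''):
        return
    if flow.response.status_code != 200:
        return

    # two ways: remove the content-security-policy or set the nonce id to
    # injected-javascript.js.  The nonce route is taken here; the header is
    # read with .get() so a response without CSP simply yields no nonce
    # (the previous bare `except: pass` also hid every other error).
    nonce_id = None
    csp = flow.response.headers.get('content-security-policy')
    if csp:
        match = re.search(r'\'nonce-([^\']+)', csp)
        if match:
            nonce_id = match.group(1)
            ctx.log.info('Found CSP nonce: ' + nonce_id)
    #del flow.response.headers['content-security-policy']
    #flow.response.headers['content-security-policy'] = "script-src 'self'; object-src 'self'"

    # Inject a script tag containing the JavaScript.
    html = BeautifulSoup(flow.response.text, 'html.parser')
    container = html.head or html.body
    if not container:
        # Nothing to attach to: leave the body untouched rather than
        # re-serialising it and logging a success that did not happen.
        ctx.log.warn('No <head> or <body> found; script not injected.')
        return
    if nonce_id:
        script = html.new_tag('script', type='text/javascript', nonce=nonce_id)
    else:
        script = html.new_tag('script', type='text/javascript')
    script.string = injected_javascript
    container.insert(0, script)
    flow.response.text = str(html)
    ctx.log.info('Successfully injected the `injected-javascript.js` script.')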
from mitmproxy import ctx
import re
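# Load in the javascript to inject.
# Decode as UTF-8 explicitly so the payload is read the same way on every
# platform instead of depending on the locale's default encoding.
with open('injected-javascript.js', 'r', encoding='utf-8') as f:
    injected_javascript = f.read()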
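def response(flow) -> None:
    """mitmproxy response hook: insert ``injected_javascript`` into HTML pages.

    Only 200 responses whose Content-Type contains ``text/html`` are touched.
    When the response carries a Content-Security-Policy header with a
    ``'nonce-...'`` source, that nonce is copied onto the inserted <script>
    tag (the policy header itself is left as the server sent it); otherwise
    the tag is inserted without a nonce.

    Args:
        flow: the mitmproxy HTTP flow; ``flow.response`` is read and, when a
            <head> or <body> exists, rewritten in place.

    Relies on ``BeautifulSoup`` (bs4, not imported in this listing), ``ctx``
    (mitmproxy) and the module-level ``injected_javascript`` string being in
    scope.
    """
    # Only process 200 responses of HTML content.  A missing Content-Type
    # header is treated as "not HTML" instead of raising KeyError and
    # aborting the hook.
    if 'text/html' not in flow.response.headers.get('content-type', ''):
        return
    if flow.response.status_code != 200:
        return

    # two ways: remove the content-security-policy or set the nonce id to
    # injected-javascript.js.  The nonce route is taken here; the header is
    # read with .get() so a response without CSP simply yields no nonce
    # (the previous bare `except: pass` also hid every other error).
    nonce_id = None
    csp = flow.response.headers.get('content-security-policy')
    if csp:
        match = re.search(r'\'nonce-([^\']+)', csp)
        if match:
            nonce_id = match.group(1)
            ctx.log.info('Found CSP nonce: ' + nonce_id)
    #del flow.response.headers['content-security-policy']
    #flow.response.headers['content-security-policy'] = "script-src 'self'; object-src 'self'"

    # Inject a script tag containing the JavaScript.
    html = BeautifulSoup(flow.response.text, 'html.parser')
    container = html.head or html.body
    if not container:
        # Nothing to attach to: leave the body untouched rather than
        # re-serialising it and logging a success that did not happen.
        ctx.log.warn('No <head> or <body> found; script not injected.')
        return
    if nonce_id:
        script = html.new_tag('script', type='text/javascript', nonce=nonce_id)
    else:
        script = html.new_tag('script', type='text/javascript')
    script.string = injected_javascript
    container.insert(0, script)
    flow.response.text = str(html)
    ctx.log.info('Successfully injected the `injected-javascript.js` script.')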
参考:
Content Security Policy (CSP)
前端安全配置之Content-Security-Policy(csp)
Content Security Policy (CSP) 是什么?为什么它能抵御 XSS 攻击?