script-gadgets (branch master, latest commit ce52a36, Oct 7, 2017)

Repository contents:

  • dojo/
  • repo/
  • shout/
  • .gitignore
  • Breaking_XSS_mitigations_via_Script_Gadgets_BHUSA.pdf
  • README.md
  • bypasses.md
  • ccs_gadgets.pdf
  • init.sh
  • jquerymobile.php

README.md

This directory hosts the proof-of-concept code accompanying the script gadgets research.

Authors:

Presentations / papers:

To use the code you need an HTTP(S) server with PHP support; we used Apache2 + mod_php. The virtual hosts used in the PoCs are:

  • victim.example.com
  • attacker.example.com

Replace those hostnames to match your setup (grep for them across the tree). Both virtual hosts must serve the same directory, with the document root pointing at the script-gadgets directory.

The proof-of-concepts are organized by the XSS mitigation they bypass, so e.g. /repo/csp/sd holds all Content Security Policy (CSP) strict-dynamic bypasses. Within each directory, every *-exploit.* file contains a bypass that uses a given framework or library; /repo/csp/ue/aurelia_exploit.php, for example, demonstrates how the Aurelia framework can be used to bypass the unsafe-eval CSP.

The full list of bypasses is in bypasses.md.

Some of the payloads require additional Apache modules, e.g. ModSecurity. Some payloads also need TLS certificates for the virtual hosts; Let's Encrypt is a convenient source.
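The setup described above (two virtual hosts serving the script-gadgets directory, hostnames rewritten to your own, TLS where a payload needs it) as an added POSIX shell example. This is not code from the repository (the repository's own init.sh is not shown here); the document root, certificate directory layout (Let's Encrypt's `live/<host>/fullchain.pem` and `privkey.pem`) and the `a2enmod` commands in the comments are assumptions for a Debian-style Apache install.

```shell
#!/bin/sh
# Added example, not part of the script-gadgets repository.
# Generates the Apache vhost blocks the PoCs expect and rewrites the PoC
# hostnames for a different setup. DOCROOT, certificate paths and the
# module names are assumptions; adjust them for your server.
#
# Modules assumed on Debian/Ubuntu (run as root):
#   a2enmod php7.x     (mod_php, whatever version is installed)
#   a2enmod ssl        (needed for the TLS vhost below)
#   a2enmod security2  (ModSecurity, needed by the WAF-related payloads)
set -eu

# Emit an Apache vhost block serving DOCROOT for HOST on port 80 and, when a
# certificate directory is given as third argument, a matching TLS vhost on 443.
# Usage: vhost_config HOST DOCROOT [CERTDIR]
vhost_config() {
  host=$1; docroot=$2; certdir=${3:-}
  cat <<EOF
<VirtualHost *:80>
    ServerName $host
    DocumentRoot $docroot
</VirtualHost>
EOF
  if [ -n "$certdir" ]; then
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $certdir/fullchain.pem
    SSLCertificateKeyFile $certdir/privkey.pem
</VirtualHost>
EOF
  fi
}

# Rewrite every occurrence of the hostname OLD with NEW in the PoC tree DIR.
# grep -rlF lists only the files that actually contain OLD; sed then edits
# those in place. Dots in OLD are escaped so they do not act as regex
# wildcards; NEW is assumed to contain no '/' or '&'.
# Usage: rename_host DIR OLD NEW
rename_host() {
  dir=$1; old=$2; new=$3
  old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
  grep -rlF -- "$old" "$dir" | while IFS= read -r f; do
    sed -i "s/$old_re/$new/g" "$f"
  done
}

# Write a complete site config for both hosts to CONFFILE and rename the
# hostnames in DIR in one go. Both vhosts point at the same DOCROOT, as the
# PoCs require. CERTDIR_BASE is the parent of the per-host certificate dirs.
# Usage: setup_script_gadgets DIR CONFFILE VICTIM ATTACKER [CERTDIR_BASE]
setup_script_gadgets() {
  dir=$1; conffile=$2; victim=$3; attacker=$4; certbase=${5:-}
  {
    vhost_config "$victim"   "$dir" "${certbase:+$certbase/$victim}"
    vhost_config "$attacker" "$dir" "${certbase:+$certbase/$attacker}"
  } > "$conffile"
  rename_host "$dir" victim.example.com   "$victim"
  rename_host "$dir" attacker.example.com "$attacker"
}
```

A typical invocation is `setup_script_gadgets /var/www/script-gadgets /etc/apache2/sites-available/script-gadgets.conf victim.test attacker.test /etc/letsencrypt/live`, followed by `a2ensite script-gadgets` and an Apache reload. Both hostnames must also resolve to the server (e.g. via /etc/hosts on the test machine), and a public-CA certificate such as Let's Encrypt requires the names to be publicly resolvable; for a purely local lab, a self-signed certificate with the same two file names works equally well for the TLS vhost.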
