package scanning
import (
"strings"
)
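// cspBypassHosts lists hosts that the reference list below records as serving
// JSONP-style endpoints. Allow-listing such a host in a Content-Security-Policy
// weakens the protection the policy is meant to give, so any policy that
// mentions one is reported for manual review. Slice order is report order.
//
// Source: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XSS%20Injection/Intruders/jsonp_endpoint.txt
var cspBypassHosts = []string{
	".doubleclick.net",
	".googleadservices.com",
	"cse.google.com",
	"accounts.google.com",
	"*.google.com",
	"www.blogger.com",
	"*.blogger.com",
	"translate.yandex.net",
	"api-metrika.yandex.ru",
	"api.vk.com",
	"*.vk.com",
	"*.yandex.ru",
	"*.yandex.net",
	"app-sjint.marketo.com",
	"app-e.marketo.com",
	"*.marketo.com",
	"detector.alicdn.com",
	"suggest.taobao.com",
	"ount.tbcdn.cn",
	"bebezoo.1688.com",
	"wb.amap.com",
	"a.sm.cn",
	"api.m.sm.cn",
	"*.alicdn.com",
	"*.taobao.com",
	"*.tbcdn.cn",
	"*.1688.com",
	"*.amap.com",
	"*.sm.cn",
	"mkto.uber.com",
	"*.uber.com",
	"ads.yap.yahoo.com",
	"mempf.yahoo.co.jp",
	"suggest-shop.yahooapis.jp",
	"www.aol.com",
	"df-webservices.comet.aol.com",
	"api.cmi.aol.com",
	"ui.comet.aol.com",
	"portal.pf.aol.com",
	"*.yahoo.com",
	"*.yahoo.jp",
	"*.yahooapis.jp",
	"*.aol.com",
	"search.twitter.com",
	"twitter.com",
	"*.twitter.com",
	"ajax.googleapis.com",
	"*.googleapis.com",
}

// cspManualNote is appended to every non-empty finding returned by checkCSP.
const cspManualNote = "\n Needs manual testing. please refer to it. https://t.co/lElLxtainw?amp=1"

// checkCSP reports which entries of cspBypassHosts occur in policy, the raw
// value of a Content-Security-Policy header. It returns the matched hosts in
// list order, joined by single spaces and followed by cspManualNote, or ""
// when no host matches (including for an empty policy).
//
// Matching is a plain substring search over the whole header value: a host
// named under any directive (not only script-src) is reported, and a longer
// entry such as "search.twitter.com" also satisfies the shorter "twitter.com"
// entry, so both appear in the result. Findings are a prompt for manual
// review, not proof of a bypass.
//
// Three lookups in the previous hand-written chain used mistyped literals
// ("api.vk.comm", "*.yandex.het", "*googleapis.com"); the table fixes them so
// the checked and reported host are always the same string.
func checkCSP(policy string) string {
	var found []string
	for _, host := range cspBypassHosts {
		if strings.Contains(policy, host) {
			found = append(found, host)
		}
	}
	if len(found) == 0 {
		return ""
	}
	return strings.Join(found, " ") + cspManualNote
}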