added the high level

vulnerabilities/csp/help/help.php

@@ -18,21 +18,19 @@
 
 		<h3>Low Level</h3>
 		<p>Examine the policy to find all the sources that can be used to host external script files.</p>
-		<pre>Spoiler: <span class="spoiler">Scripts can be included from Pastebin, try storing some JavaScript on there.</span>.</pre>
+		<pre>Spoiler: <span class="spoiler">Scripts can be included from Pastebin, try storing some JavaScript on there and then loading it in.</span></pre>
 
 		<br />
 
 		<h3>Medium Level</h3>
 		<p>The CSP policy tries to use a nonce to prevent inline scripts from being added by attackers.</p>
-		<pre>Spoiler: <span class="spoiler">Examine the nonce and see how it varies (or doesn't).</span>.</pre>
+		<pre>Spoiler: <span class="spoiler">Examine the nonce and see how it varies (or doesn't).</span></pre>
 
 		<br />
 
 		<h3>High Level</h3>
-		<p>In the high level, the developer goes back to the drawing board and puts in even more pattern to match. But even this isn't enough.</p>
-		<p>The developer has either made a slight typo with the filters and believes a certain PHP command will save them from this mistake.</p>
-		<pre>Spoiler: <span class="spoiler"><?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/function.trim.php', 'trim()' ); ?>
-			removes all leading & trailing spaces, right?</span>.</pre>
+		<p>The page makes a JSONP call to source/jsonp.php passing the name of the function to callback to, you need to modify the jsonp.php script to change the callback function.</p>
+		<pre>Spoiler: <span class="spoiler">The JavaScript on the page will execute whatever is returned by the page, changing this to your own code will execute that instead</span></pre>
 
 		<br />
 

vulnerabilities/csp/source/high.js

+function clickButton() {
+    var s = document.createElement("script");
+    s.src = "source/jsonp.php?callback=solveSum";
+    document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+	if ("answer" in obj) {
+		document.getElementById("answer").innerHTML = obj['answer'];
+	}
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+	solve_button.addEventListener("click", function() {
+		clickButton();
+	});
+}

vulnerabilities/csp/source/high.php

+<?php
+//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
+$headerCSP = "Content-Security-Policy:".
+"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
+"default-src 'self';". // Default policy for loading html elements
+"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
+"frame-src 'none';". // vaid sources for frames
+"media-src 'self';". // vaid sources for media (audio and video html tags src)
+"object-src 'none'; ". // valid object embed and applet tags src
+"script-src 'self';" .
+"style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
+
+header($headerCSP);
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.</p>
+	<p>1+2+3+4+5=<span id="answer"></span></p>
+	<input type="button" id="solve" value="Solve the sum" />
+</form>
+
+<script src="source/high.js"></script>
+';
+

vulnerabilities/csp/source/jsonp.php

+<?php
+header("Content-Type: application/json; charset=UTF-8");
+
+if (array_key_exists ("callback", $_GET)) {
+	$callback = $_GET['callback'];
+} else {
+	return "";
+}
+
+$outp = array ("answer" => "15");
+
+echo $callback . "(".json_encode($outp).")";
+?>