impossible level added and help content updated

82784b42 · Robin Wood · 3259202f · 82784b42 · 82784b42 · 82784b42
Commit 82784b42 authored Aug 14, 2018 by Robin Wood
--- a/vulnerabilities/csp/index.php
+++ b/vulnerabilities/csp/index.php
@@ -45,8 +45,9 @@ EOF;
 $page[ 'body' ] .= "
 	<h2>More Information</h2>
 	<ul>
-		<li>" . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ) . "</li>
-		<li>" . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src") . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ) . "</li>
 	</ul>
 </div>\n";


--- a/vulnerabilities/csp/source/impossible.js
+++ b/vulnerabilities/csp/source/impossible.js
+function clickButton() {
+    var s = document.createElement("script");
+    s.src = "source/jsonp_impossible.php";
+    document.body.appendChild(s);
+}
+function solveSum(obj) {
+	if ("answer" in obj) {
+		document.getElementById("answer").innerHTML = obj['answer'];
+	}
+}
+var solve_button = document.getElementById ("solve");
+if (solve_button) {
+	solve_button.addEventListener("click", function() {
+		clickButton();
+	});
+}
--- a/vulnerabilities/csp/source/impossible.php
+++ b/vulnerabilities/csp/source/impossible.php
+<?php
+$nonce = hash('ripemd160', mt_rand() . time());
+//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
+$headerCSP = "Content-Security-Policy:".
+"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
+"default-src 'self';". // Default policy for loading html elements
+"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
+"frame-src 'none';". // vaid sources for frames
+"media-src 'self';". // vaid sources for media (audio and video html tags src)
+"object-src 'none'; ". // valid object embed and applet tags src
+"script-src 'self';" .
+"style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
+header($headerCSP);
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.</p><p>The CSP settings only allow external JavaScript on the local server and no inline code.</p>
+	<p>1+2+3+4+5=<span id="answer"></span></p>
+	<input type="button" id="solve" value="Solve the sum" />
+</form>
+<script src="source/impossible.js"></script>
+';
--- a/vulnerabilities/csp/source/jsonp_impossible.php
+++ b/vulnerabilities/csp/source/jsonp_impossible.php
+<?php
+header("Content-Type: application/json; charset=UTF-8");
+$outp = array ("answer" => "15");
+echo "solveSum (".json_encode($outp).")";
+?>