MaxCSP
HardWeb Security
Overview
"Who needs HTML escaping when you have a bulletproof Content Security Policy?"
That's what the developer thought when building this note-sharing platform. Surely nothing could go wrong with such a strict CSP... right?
Find a way to compromise the application despite the security measures in place. flag format: flag{}
Lab Details
Prerequisites & Requirements
- Basic understanding of web applications and HTTP protocols
- Knowledge of JavaScript and browser behavior
- Familiarity with Content Security Policy (CSP) and its directives
- Understanding of Cross-Site Scripting (XSS) attacks
- Basic knowledge of PHP configuration and internals
What Will You Learn?
- How Content Security Policy (CSP) protects against XSS attacks
- PHP's max_input_vars configuration and its security implications
- Technique to bypass CSP by exceeding PHP configuration limits
- Crafting XSS payloads for session hijacking
- Understanding parser differentials and configuration-based vulnerabilities
Tools
- Web browser with developer tools
- Webhook service (webhook.site or similar)
- Burp Suite or similar proxy (for crafting requests)
- Basic understanding of PHP and web application architecture
Job Positions
Ethical Hacker
Tags
XssContent Security PolicySession HijackingServer MisconfigurationInput Validation