Full Report
Content Security Policy (CSP) is a browser-based protection against XSS. In many ways it does kill XSS, but this post is about bypassing CSPs using forms. default-src is the fallback directive in the CSP. Unfortunately, it doesn't cover several directives, such as form-action. By creating a form that is never closed, it's possible to have that form swallow a bunch of sensitive page data, which is then sent upon submission. Additionally, the form can be made to cover the entire page using CSS, so a single click anywhere does the submission. Although this can't read variables, it can be used for data exfiltration. An additional method is abusing autofill in browsers. By making the form look like a login (password) form, many password managers will autofill the inputs. If the form is the whole page and the page is clicked on, the credentials are then submitted to the attacker. Even with the form-action directive in the CSP set to 'self', there are still some issues. First, same-site request forgery is possible when using form-based auth. Dangling markup attacks are another option as well. There are a bunch of good tricks in this article for using forms to get around CSPs. Pretty neat!
Analysis Summary
# Tool/Technique: Content Security Policy (CSP) Form-Action Bypass via Unclosed Forms and Autofill Abuse
## Overview
This describes a set of techniques for bypassing Content Security Policy (CSP) protections against Cross-Site Scripting (XSS) and data exfiltration. They rely on HTML injection that manipulates form submission behavior, exploiting a weak or missing `form-action` directive. The primary goal is data exfiltration or further exploitation of applications even when the CSP appears strictly configured.
## Technical Details
- Type: Technique
- Platform: Web Browsers (Client-Side)
- Capabilities: Bypassing CSP restrictions on outgoing form submissions; exfiltrating sensitive data via forged form submissions; resurrecting previously mitigated "Dangling Markup Attacks."
- First Seen: Tactics related to form-based XSS and injection have roots dating back to at least 2011 (Michal Zalewski's work), but the specific form-action bypass approach described here is highlighted as often overlooked.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing: Attack relies on tricking a user into interacting with a crafted element (an invisible form/button).
- T1056 - Input Capture
- T1056.001 - Input Capture: GUI: Attacks leverage user interaction (clicks) to capture data submitted via a forged form.
- T1560 - Archive Collected Data
- T1560.001 - Archive via Collection: Data is collected into a `<textarea>` before exfiltration.
- T1041 - Exfiltration Over C2 Channel (Applicable if the form submits to an external endpoint)
- T1583 - Acquire Infrastructure (Implied: Attacker needs a listening endpoint for the form submission)
## Functionality
### Core Capabilities
- **Data Exfiltration via Unclosed Forms:** Injecting an unclosed `<form>` tag that consumes subsequent sensitive page data into its body (e.g., via an injected `<textarea>`).
- **Forced Single-Click Submission:** Using inline CSS (`<style>` or inline attributes) to make the form's submit mechanism (e.g., an injected submit button) large and invisible, covering the entire viewport. Clicking anywhere on the page triggers the form submission.
- **Abusing the `default-src` Gap:** `form-action` does not fall back to `default-src`. If `form-action` is not explicitly defined, form submissions are unrestricted even under an otherwise strict `default-src`, allowing unauthorized form submissions whenever the application has an HTML injection vulnerability.
### Advanced Features
- **Autofill/Password Manager Abuse:** Crafting the injected form elements to mimic credentials fields (e.g., password fields). If the user has a password manager, the manager might automatically fill sensitive credentials into the hidden form fields, which are then submitted upon user click or page interaction.
- **Dangling Markup Attack Resuscitation:** Bypassing modern browser defenses against classic dangling markup injections using advanced encoding tricks (like UTF-16 encoding bypasses or target bypasses) to achieve content injection regardless of the CSP.
- **Bypassing `form-action: 'self'`:** Even with `form-action` set to `'self'`, the article suggests that data leakage via form submission is still possible in certain scenarios like Cross-Site Request Forgery (CSRF) against form-based authentication mechanisms or via dangling markup attacks.
## Indicators of Compromise
- File Hashes: N/A (Injection technique, not persistent malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Outbound HTTP/HTTPS POST requests originating from the vulnerable web origin to an external, attacker-controlled domain (via the forged form's `action` attribute).
- Behavioral Indicators: Unexpected form submissions occurring upon general page interaction (e.g., on initial page load or any click) where no visible form submission mechanisms are present or expected. Detection of large, invisible, or transparent elements overlaying main page content.
## Associated Threat Actors
The article does not name specific threat actor groups; it focuses on demonstrating general security research findings and attack methodologies applicable to any attacker targeting web application misconfigurations.
## Detection Methods
- **Signature-based detection:** Difficult, as the attack relies on valid HTML/CSS/JS structures used maliciously.
- **Behavioral detection:** Monitoring for unintended outbound requests from the client-side application where a form's `action` URL points to an external domain, especially following simple user input events such as a single click on an ostensibly benign page element.
- **YARA rules:** N/A (Client-side injection)
## Mitigation Strategies
- **Strict CSP Configuration:** Always explicitly setting the `form-action` directive in the CSP header (e.g., `form-action 'self' https://trusted.domain.com;` or `form-action 'none';` if forms are not required).
- **Enforce Referrer Policy:** Enforcing a strict `Referrer-Policy` HTTP header or meta tag across the entire site to prevent leaking the submission URL, which can aid attackers in bypassing certain CSP settings if the referrer policy is too permissive.
- **Input Validation:** Preventing HTML/CSS/JavaScript injection vulnerabilities in the first place, which is the root cause enabling the injection of these malicious forms.
- **Dangling Markup Defenses:** Ensuring browser security mitigations for dangling markup attacks are active and not circumvented by potential encoding tricks.
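As a defender's check for the `default-src` gap described under Core Capabilities and the explicit `form-action` setting recommended above, here is an added Python audit (not code from the article) that parses a CSP header, applies the CSP fallback rules, and reports when form submission targets are unrestricted or wildcarded.

```python
"""Audit a Content-Security-Policy header for the form-action gap.

Added example, not code from the original article: CSP fetch directives
(script-src, img-src, ...) fall back to default-src when absent, but
form-action, base-uri and frame-ancestors do not. A policy that sets only
default-src therefore leaves form submissions unrestricted.
"""
from typing import Dict, List, Optional

# Fetch directives whose fallback is default-src (CSP Level 3).
FALLS_BACK_TO_DEFAULT = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
    "worker-src",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}; first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None  # form-action, base-uri, frame-ancestors: no fallback


def audit_form_action(header: str) -> List[str]:
    """Findings a reviewer would raise about where forms may be submitted."""
    sources = effective_sources(parse_csp(header), "form-action")
    if sources is None:
        return ["form-action missing: forms may submit to any origin "
                "(default-src does not apply to form-action)"]
    findings = []
    for src in sources:
        token = src.lower()
        if token in ("*", "http:", "https:") or "://*" in token:
            findings.append(f"form-action source {src!r} permits wildcard hosts")
    return findings


if __name__ == "__main__":
    for hdr in ("default-src 'self'", "default-src 'self'; form-action 'self'"):
        print(hdr, "->", audit_form_action(hdr) or ["ok"])
```

Note that a policy passing this audit with `form-action 'self'` still permits same-origin submissions, so the CSRF concern raised above for form-based authentication is not addressed by CSP alone.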
## Related Tools/Techniques
- General XSS Exploitation Techniques
- CSRF Attacks (specifically mentioned in the context of authenticated forms with `form-action: 'self'`)
- HTML Injection Vulnerabilities