Red Teaming: Flaring CSP Report-URIs

TL;DR: This is a flaring script for report-uri. It will distract the blue team by sending random false positives.

No question: CSP and report-uri is a strong team and it helps the blue team detecting you. So in the latest Red Team Assessment we had an externally available employee portal. It was kind of self-written, although I assumed it was built around a template engine. We also had a few other external sites. Perfect material for XSS. But wait – there is more: Multiple deployed CSP. Even if it wasn’t that sophisticated, it might make your life as a red team member harder.

In my mind’s eye I could see the blue team checking their reports while the assessments was going on.

But what if this could help us in some way? While you may trigger a WAF to report some false positives, with the report-uri this is even easier: You literally can send your own “alerts”. And you can determine when and what to be reported. Read More