performing-content-security-policy-bypass

# Performing Content Security Policy Bypass ## When to Use - When XSS is found but execution is blocked by Content Security Policy - During web application security assessments to evaluate CSP effectiveness - When testing the robustness of CSP against known bypass techniques - During bug bounty hunting where CSP prevents direct XSS exploitation - When auditing CSP header configuration for security weaknesses ## Prerequisites - Burp Suite for intercepting responses and analyzing CSP headers - CSP Evaluator (Google) for automated policy analysis - Understanding of CSP directives (script-src, default-src, style-src, etc.) - Knowledge of CSP bypass techniques (JSONP, base-uri, object-src) - Browser developer tools for CSP violation monitoring - Collection of whitelisted domain JSONP endpoints ## Workflow ### Step 1 — Analyze the CSP Policy ```bash # Extract CSP from response headers curl -sI http://target.com | grep -i "content-security-policy" # Check for CSP in meta tags curl -s http://target.com | grep -i "content-security-policy" # Analyze CSP with Google CSP Evaluator # Visit: https://csp-evaluator.withgoogle.com/ # Paste the CSP policy for automated analysis # Check for report-only mode (not enforced) curl -sI http://target.com | grep -i "content-security-policy-report-only" # If only report-only exists, CSP is NOT enforced - XSS works directly # Parse directive values # Example CSP: # script-src 'self' 'unsafe-inline' https://cdn.example.com; # default-src 'self'; ...