# Week 24 - CSP Bypasses

## Content Security Policy - Bypasses

For week 24, I wanted to share an in-depth post on Content Security Policies and how to bypass them.

What is a Content Security Policy?

A CSP tells a browser which paths/sources are safe to load resources from. It is used to prevent Cross-Site Scripting, clickjacking, and similar vulnerabilities involving images, frames or JavaScript. The CSP is specified in a server response header or a meta tag, and the browser blocks any resource load that violates the policy.

To bypass a CSP, first look for the ‘script-src’ section and determine if any of the following are specified:

‘unsafe-inline’ -> Allows normal XSS payloads, such as an inline script calling alert(1)

‘unsafe-eval’ -> Allows Base64 encoded payloads

https: -> Allows external scripts from any HTTPS host

data: -> Allows Base64 encoded payloads via data: URIs

‘self’ AND .js File Upload -> If you can upload a JavaScript file, you can execute it as a script

Other more exotic bypasses:

Static ‘nonce’ -> If the server's nonce does not change with every request, specify the nonce in the payload to execute

Lack of object-src and default-src -> Object payloads will render

Missing base-uri -> Payload loads all relative src paths from your specified attacker server

I find the last base-uri bypass super interesting. It’s useful not just for working around a CSP, but also any application firewall. Frequently we see Cross-Site Scripting payloads involving script tags or HTML event handlers blocked immediately, but it’s much rarer to find a WAF that blocks a base tag. Just make sure you find a relative script source path used by the application, and upload your JavaScript file to that same path on your server. Then BAM, easy Cross-Site Scripting!!!
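The checklist above is easy to turn into a defensive linter: parse a `Content-Security-Policy` header and report each weak `script-src` source, the missing `object-src`/`default-src` fallback, the missing `base-uri`, and a nonce that repeats across responses. This is an added example, not code from the original post; the function names and the sample header are my own.

```python
from __future__ import annotations
import re

# Weak script-src source expressions from the checklist above and the risk each carries.
WEAK_SCRIPT_SOURCES = {
    "'unsafe-inline'": "inline script payloads execute",
    "'unsafe-eval'": "eval()/Function() runs attacker-controlled strings",
    "https:": "scripts load from any HTTPS host, including an attacker's",
    "data:": "data: URIs carry inline (e.g. base64) script",
}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Fetch directives fall back to default-src when absent; base-uri never does."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive != "base-uri" else None

def lint_csp(header: str) -> list[str]:
    """One finding per weakness from the checklist; an empty list means none were found."""
    policy, findings = parse_csp(header), []
    script = effective(policy, "script-src")
    if script is None:
        findings.append("script-src: neither script-src nor default-src set, scripts unrestricted")
    findings += [f"script-src allows {s}: {why}" for s, why in WEAK_SCRIPT_SOURCES.items() if s in (script or [])]
    if effective(policy, "object-src") is None:
        findings.append("object-src: neither object-src nor default-src set, object payloads render")
    if "base-uri" not in policy:
        findings.append("base-uri: missing, a <base> tag can redirect relative script paths")
    return findings

def nonce_is_static(headers: list[str]) -> bool:
    """True when the same script-src nonce repeats across responses instead of changing per request."""
    nonces = set()
    for h in headers:
        nonces.update(re.findall(r"'nonce-([^']+)'", " ".join(effective(parse_csp(h), "script-src") or [])))
    return len(headers) > 1 and len(nonces) == 1

# Constructed sample header (not from the post) so the linter runs stand-alone.
if __name__ == "__main__":
    for finding in lint_csp("default-src 'self'; script-src 'self' 'unsafe-inline' https:"):
        print(finding)
```

Note that CSP Level 3 browsers ignore `'unsafe-inline'` once a nonce or hash is present in `script-src`, so that finding is a worst-case (older-browser) reading rather than a guaranteed bypass.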

![](/files/4vdJ8xYWRrwH7tS9Xmfx)

![SRC: https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d](/files/0zwV3feX3CrwzycZeSKv)

