What is a CSP Bypass?
When implementing a Content-Security-Policy, precision is key: rules that are too strict block legitimate parts of your website from working properly, while rules that are too loose are easily bypassed and offer no real protection.
Google research on CSP (Weichselbaum et al., "CSP Is Dead, Long Live CSP!", CCS 2016) found that 94.72% of deployed policies are automatically bypassable, without the attacker having to apply any sophisticated logic to find the bypass.
A CSP bypass is a technique that exploits a misconfiguration in a site's Content-Security-Policy so that the policy no longer blocks a client-side attack (typically XSS) that the attacker has already found an injection point for.
Common Content Security Policy Bypasses
This excellent article covers the common CSP bypasses:
1. Wildcard CSP bypasses
Wildcard sources such as * or https: in script-src allow scripts from any origin on the network, so no bypass is needed: any host the attacker controls is already allowlisted. (Note that * does not cover inline scripts or data:/blob: URLs; those need 'unsafe-inline' or an explicit scheme source.)
2. CSP bypass of 'unsafe-inline'
Writing a policy for an existing web application without 'unsafe-inline' or 'unsafe-eval' is very challenging and may require major refactoring of the codebase, since every inline script and event handler has to be moved out or given a nonce or hash. Hence in many cases (large marketing sites, for example) these keywords stay in script-src, and the policy is trivially bypassed: any injected inline <script> or event handler executes. ('unsafe-inline' is only harmless when it sits next to a nonce or hash source, because browsers that understand nonces ignore it.)
3. Bypass CSP via objects / plugins
If object-src is not 'none' (and default-src does not cover it), plugin content loaded through <object> or <embed> is another way to obtain JavaScript runtime access.
4. Uploadable destinations
When a website allows uploading files that will get hosted on the 'self'
or a when a public CdN is allowed in the policy.
5. JSONP CSP bypasses
If the policy allowlists a host that exposes a JSONP endpoint, the attacker controls the callback parameter and can make that host return a script containing a payload of their choice, which then runs under the allowlisted origin.
6. Legacy Angular libraries CSP bypass
Legacy AngularJS 1.x builds can be made to evaluate attacker-injected markup in the DOM as JavaScript (template injection, typically via an injected ng-app element).
Since these files are hosted on CDNs all over the web, many allowlists that include such a CDN are susceptible to this bypass.
7. Iframe CSP bypasses
These techniques use the iframe srcdoc attribute, or iframes in general, to achieve XSS.
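The checks behind the seven bypass classes above can be automated. The following linter is an added example written for this article, not code from the original page or from any product it mentions: it parses a Content-Security-Policy header and reports the weak settings from the list (wildcard and scheme sources, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', allowlisted hosts known to serve JSONP or Angular 1.x, a non-'none' object-src, and a missing base-uri). The host names cdn.example and api.example, the two sample policies and the risky-host table are constructed for the demo; the second policy is the nonce plus 'strict-dynamic' shape that avoids these bypasses.

```javascript
'use strict';

// Constructed stand-ins for real allowlisted hosts: a public CDN that serves
// arbitrary libraries (including legacy Angular 1.x builds) and an API host
// that exposes a JSONP endpoint. Replace with hosts from your own inventory.
const RISKY_HOSTS = new Map([
  ['cdn.example', 'a public CDN (can serve Angular 1.x or attacker-uploaded files)'],
  ['api.example', 'a JSONP endpoint (callback parameter runs attacker-chosen JS)'],
]);

// Parse a CSP header into Map<directive, [sources]>. Browsers ignore a
// repeated directive name, so the first occurrence wins here too.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives such as script-src and object-src fall back to default-src;
// base-uri does not. null means "no restriction at all".
function effectiveSources(policy, name) {
  if (policy.has(name)) return policy.get(name);
  if (name !== 'base-uri' && policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Host part of a host-source expression ("cdn.example", "https://cdn.example:443/libs/",
// "*.example"); null for keyword ('self') and scheme (https:) sources.
function hostOf(source) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([a-z0-9*.-]+)(?::(?:\d+|\*))?(?:\/.*)?$/i.exec(source);
  return m ? m[1].toLowerCase() : null;
}

function riskyMatch(host) {
  for (const [risky, why] of RISKY_HOSTS) {
    if (host === risky || (host.startsWith('*.') && risky.endsWith(host.slice(1)))) {
      return `${risky}, ${why}`;
    }
  }
  return null;
}

// Return one finding per bypass class the policy is exposed to.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const script = effectiveSources(policy, 'script-src');
  if (script === null) {
    findings.push('script-src: absent and no default-src, scripts are unrestricted');
  } else {
    const src = script.map((s) => s.toLowerCase());
    const nonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // With a nonce/hash plus 'strict-dynamic', CSP3 browsers ignore host and
    // scheme sources and 'unsafe-inline'; they are only fallbacks for old browsers.
    const strict = nonceOrHash && src.includes("'strict-dynamic'");
    for (const s of src) {
      if (s === "'unsafe-eval'") {
        findings.push("script-src: 'unsafe-eval' lets injected strings reach eval()/Function()");
      } else if (s === "'unsafe-inline'") {
        if (!nonceOrHash) findings.push("script-src: 'unsafe-inline' without nonce/hash allows any injected <script>");
      } else if (strict) {
        continue; // remaining host/scheme sources are ignored under strict-dynamic
      } else if (s === '*' || /^(https?|data|blob):$/.test(s)) {
        findings.push(`script-src: wildcard/scheme source ${s} allows scripts from any matching origin`);
      } else {
        const host = hostOf(s);
        const risky = host && riskyMatch(host);
        if (risky) findings.push(`script-src: allowlisted ${s} is ${risky}`);
      }
    }
  }

  const object = effectiveSources(policy, 'object-src');
  if (object === null || !object.map((s) => s.toLowerCase()).includes("'none'")) {
    findings.push("object-src: not 'none', plugin content (<object>/<embed>) can execute script");
  }
  if (effectiveSources(policy, 'base-uri') === null) {
    findings.push('base-uri: absent (no default-src fallback), an injected <base> rebinds relative script URLs');
  }
  return findings;
}

// Constructed sample policies: a typical "large marketing site" allowlist
// policy, and a nonce-based policy that the linter accepts.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https: cdn.example api.example; img-src *";
const STRICT_CSP =
  "script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'none'";

for (const [label, csp] of [['weak', WEAK_CSP], ['strict', STRICT_CSP]]) {
  const findings = lintCsp(csp);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log('  - ' + f);
}
```

Run it with `node csp-lint.js`: the weak policy produces six findings (the scheme source, 'unsafe-inline', both risky hosts, object-src inherited from default-src 'self', and the missing base-uri), the strict policy none. The nonce in STRICT_CSP must of course be generated per response in a real deployment.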
Considering the above bypasses, developers seeking to manually implement an effective Content-Security-Policy have a complex roadmap.
It gets even more complex...
Advanced Content Security Policy (CSP) Bypasses
The exotic techniques below, from some of the top security researchers in the world, can sometimes bypass even strong CSPs.
1. Loading scripts via images to bypass CSP:
Techniques such as Hiding JS in a png image or Bypassing CSP using polyglot JPEGs
2. Bypass nonce CSP with base injection
If base-uri is not set, an injected <base href> rebinds every relative <script src> on the page, including the legitimately nonced ones, to the attacker's origin. See the bypasses section in "We Broke All CSPs You Won't Guess What Happened Next" by Michele Spagnuolo (Google).
3. Using Dangling markup to bypass CSP
Excellent writeup by PortSwigger's Gareth Heyes
4. Advanced iframe CSP bypasses
A superb rundown of multiple iframe techniques to bypass CSP's protection against XSS and data exfiltration.
5. Open redirects CSP bypass
Leveraging open redirects on allowlisted hosts to bypass path-restricted allowlists: after a redirect, the browser only checks the redirect target's scheme, host and port against the policy, and the path part of the allowlisted expression is ignored (see scenario 9).
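The base-injection bypass (item 2) and the open-redirect bypass (item 5) both come down to how the browser turns a <script src> into a URL and then matches that URL against the source list. The following is an added example written for this article, not code from the original page or from the research it cites: it implements CSP3-style matching of a URL against a host-source expression, where the path part is only compared on the initial request (the spec's "redirect count" rule), and a resolver that shows where a relative script URL ends up once a <base> element is injected. The hosts app.example, cdn.example, sso.example and attacker.example and the redirect chain are constructed; expressions without a scheme are assumed to protect an https page.

```javascript
'use strict';

// Match `url` against one host-source expression such as "https://cdn.example/libs/".
// `redirected` plays the role of CSP3's redirect count: once a request has been
// redirected, the expression's path is no longer compared, only scheme, host and port.
function matchesSourceExpression(expr, url, redirected = false) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\s/:]+)(?::(\d+|\*))?(\/[^\s]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1).toLowerCase();
  // An expression without a scheme takes the page's scheme; https assumed here.
  const exprScheme = (scheme || 'https').toLowerCase();
  if (exprScheme !== urlScheme && !(exprScheme === 'http' && urlScheme === 'https')) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    if (!u.hostname.endsWith(h.slice(1))) return false;
  } else if (h !== u.hostname) {
    return false;
  }
  const defaultPort = urlScheme === 'https' ? '443' : '80';
  const urlPort = u.port || defaultPort;
  if (port !== '*') {
    if (port ? port !== urlPort : urlPort !== defaultPort) return false;
  }
  if (path && !redirected) {
    if (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// The browser's decision for a <script src> whose fetch goes through the URLs
// in `chain` (initial request first, then each redirect target): every hop must
// be allowed, but only the first hop is checked against the expressions' paths.
function scriptLoadAllowed(sourceList, chain) {
  return chain.every((url, i) => sourceList.some((expr) => matchesSourceExpression(expr, url, i > 0)));
}

// Where a relative <script src> resolves to when an attacker injects <base href>.
// `baseUri` is the policy's base-uri source list, or null if the directive is absent.
function resolveScriptUrl(src, documentUrl, injectedBase, baseUri) {
  let base = documentUrl;
  if (injectedBase) {
    const baseAllowed = (expr) => {
      const e = expr.toLowerCase();
      if (e === "'none'") return false;
      if (e === "'self'") return new URL(injectedBase).origin === new URL(documentUrl).origin;
      return matchesSourceExpression(expr, injectedBase);
    };
    if (baseUri === null || baseUri.some(baseAllowed)) base = injectedBase;
  }
  return new URL(src, base).href;
}

// Constructed scenario: the policy allows one directory on the CDN plus an SSO
// host that happens to have an open redirect.
const SCRIPT_SRC = ['https://cdn.example/trusted/', 'https://sso.example/'];
const TARGET = 'https://cdn.example/libs/angular.min.js'; // legacy Angular on the same CDN

console.log('direct load blocked by path:', !scriptLoadAllowed(SCRIPT_SRC, [TARGET]));
console.log('via open redirect allowed:',
  scriptLoadAllowed(SCRIPT_SRC, ['https://sso.example/redirect?to=' + TARGET, TARGET]));

// Nonced <script nonce="..." src="/static/app.js"> on https://app.example/page
// after <base href="https://attacker.example/"> is injected:
console.log('no base-uri:', resolveScriptUrl('/static/app.js', 'https://app.example/page', 'https://attacker.example/', null));
console.log("base-uri 'none':", resolveScriptUrl('/static/app.js', 'https://app.example/page', 'https://attacker.example/', ["'none'"]));
```

The first pair of lines shows why a path-restricted allowlist does not hold once any allowlisted host redirects; the second pair shows that the nonce on the script element is irrelevant when the attacker controls where relative URLs resolve, and that base-uri 'none' (or 'self') is the fix.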
How to avoid CSP bypasses
Use a proper CSP generator that combines multiple techniques to avoid the bypasses above (nonces or hashes with 'strict-dynamic' instead of host allowlists, object-src 'none', an explicit base-uri) AND run proper monitoring through CSP violation reports, so you find out when an attack does slip through.
Looking for an enterprise-grade CSP solution? Book a RapidSec demo today.
If you think I can improve this article, please let me know @Shai_Alon.