
CSP bypasses, and how to build a strict Content-Security-Policy


What is a CSP Bypass?

When implementing a Content-Security-Policy, precision is key: rules that are too strict will block legitimate parts of your website from working properly, while rules that are too loose are easily bypassable and offer no real protection.

Google research on CSP found that 94.72% of CSPs are automatically bypassable, and finding the bypass does not even require the attacker to apply sophisticated logic.

A CSP bypass is a technique that exploits a misconfiguration in a site's Content-Security-Policy so that the policy fails to block a client-side web attack.

Common Content Security Policy Bypasses

This excellent article covers the common CSP bypasses:

1. Wildcard CSP Bypasses

Wildcards such as * or https: in script-src essentially allow all scripts to run (so no bypass is needed).

2. CSP bypass of unsafe-inline

Creating policies for web applications without adding unsafe-inline or unsafe-eval is very challenging, and may require major refactoring of the codebase. Hence, in many cases (like large marketing sites), some directives of the Content Security Policy can be bypassed.

3. Bypass CSP via Objects / Plugins

Allowed objects and plugins are another route to JavaScript runtime access in the page.

4. Uploadable destinations

When a website allows uploading files that are then hosted on its own origin ('self'), or when a public CDN is allowed in the policy, the uploaded or CDN-hosted file becomes an allowed script source.

5. JSONP CSP bypasses

If your CSP allows a site with a JSONP endpoint — the attacker could manipulate it into running a custom payload of their choice.

6. Legacy Angular Libraries CSP Bypass

Legacy Angular 1.x libraries are easily manipulated to run injected content from the DOM as JavaScript.

Since these files exist all over the web, many allowlists are susceptible to this bypass.

7. Iframe CSP Bypasses

These techniques use iframes, including the special srcdoc attribute, to achieve XSS.

Considering the above bypasses, developers seeking to manually implement an effective Content-Security-Policy have a complex roadmap.

It gets even more complex...

Advanced Content Security Policy (CSP) Bypasses

The exotic techniques below, by some of the top security researchers in the world, can sometimes bypass even strong CSPs.

1. Loading scripts via images to bypass CSP:

Techniques such as "Hiding JS in a PNG image" or "Bypassing CSP using polyglot JPEGs".

2. Bypass nonce CSP with base injection

See the bypasses section in "We Broke All CSPs You Won't Guess What Happened Next" by Michele Spagnuolo (Google)

3. Using Dangling markup to bypass CSP

An excellent writeup by PortSwigger's Gareth Heyes.

4. Advanced iframe CSP bypasses

A superb rundown of multiple iframe techniques to bypass CSP's protection against XSS and data exfiltration.

5. Open Redirects CSP bypass

Leveraging open-redirect implementation edge cases to bypass allowlists (see scenario 9).


How to avoid CSP bypasses

Make sure you use a proper CSP generator that combines multiple techniques to avoid bypasses AND runs proper monitoring in case an attack does slip through.
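As an added example (not RapidSec's code), here is a small Python audit that parses a CSP header and flags the bypass classes listed above: wildcards, 'unsafe-inline', a non-'none' object-src, a host allowlist without 'strict-dynamic' (the JSONP, Angular 1.x and upload cases), and a missing base-uri (the base-injection case). The host names, the nonce value and both sample policies are constructed for the example.

```python
import re
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expression, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_csp(header: str) -> List[str]:
    """Flag the bypass classes discussed on this page. Honours two spec rules:
    a nonce/hash makes 'unsafe-inline' a no-op (CSP2), and 'strict-dynamic'
    makes host and scheme sources a no-op (CSP3), so a strict policy that
    keeps them only as fallbacks for old browsers is not flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    script = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(re.match(r"'(nonce|sha256|sha384|sha512)-", s) for s in script)
    strict_dynamic = "'strict-dynamic'" in script
    hosts = [s for s in script if not (s.startswith("'") or s.endswith(":") or s == "*")]
    if not strict_dynamic:
        # 1. Wildcards: any script from any host is allowed
        for s in script:
            if s in ("*", "https:", "http:", "data:") or s.endswith("*"):
                findings.append(f"script-src wildcard source {s}")
        # 4-6. A host allowlist is only as safe as every JSONP endpoint,
        # Angular 1.x copy and user upload reachable on those hosts
        if hosts:
            findings.append(f"script-src host allowlist without 'strict-dynamic': {hosts}")
    # 2. unsafe-inline lets any injected <script> run
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    # 3. Objects / plugins: object-src must be 'none' (falls back to default-src)
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none'")
    # Base injection against nonce policies: lock down <base>
    if policy.get("base-uri") not in (["'none'"], ["'self'"]):
        findings.append("base-uri missing or too broad")
    return findings

# Constructed sample policies (not taken from any real site)
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https: https://cdn.example.com"
STRICT_CSP = ("script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'; "
              "object-src 'none'; base-uri 'none'")  # real nonce: fresh random per response

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, audit_csp(csp) or ["no findings"])
```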

Looking for an enterprise-grade CSP solution? Book a RapidSec demo today.

If you think I can improve this article, please let me know @Shai_Alon.