About

Content Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will walk you through ways to bypass the policy based on common mistakes made by developers. None of the vulnerabilities are vulnerabilities in CSP itself; they are weaknesses in the way the policy has been written and deployed.

Objective

Bypass the Content Security Policy (CSP) and execute JavaScript in the page.

Low Level

Examine the policy to find all the sources that can be used to host external script files.

Spoiler: Scripts can be included from Pastebin. Try storing some JavaScript there and then loading it in.
Medium Level

The CSP policy tries to use a nonce to prevent inline scripts from being added by attackers.

Spoiler: Examine the nonce and see how it varies (or doesn't). A value that is identical on every response is not a nonce at all; an attacker can copy it onto their own script tag.
High Level

The page makes a JSONP call to source/jsonp.php, passing the name of the function to call back to. You need to change the callback function that the jsonp.php script is asked to return.

Spoiler: The JavaScript on the page will execute whatever jsonp.php returns; change the callback to your own code and that code will execute instead.
Impossible Level

This level is an update of the high level where the JSONP call has its callback function hardcoded and the CSP policy is locked down to only allow external scripts, so there is neither an inline script to smuggle in nor a callback parameter to abuse.