CSPBypass
CSPBypass.com, a tool designed to help ethical hackers bypass restrictive Content Security Policies (CSP) and exploit XSS (Cross-Site Scripting) vulnerabilities on sites where injections are blocked by CSPs that only allow certain whitelisted domains.
Install / Use
/learn @renniepak/CSPBypassREADME
CSP Bypass
Welcome to CSPBypass.com, a tool designed to help ethical hackers bypass restrictive Content Security Policies (CSP) and exploit XSS (Cross-Site Scripting) vulnerabilities on sites where injections are blocked by CSPs that only allow certain whitelisted domains.
Website
Visit CSPBypass.com to search for existing CSP bypass gadgets that allow you to gain XSS, or contribute your own findings.
Offline Usage
Build the Docker image and run it locally to serve the static UI with the bundled dataset:
docker build -t cspbypass .
docker run --rm -p 8080:80 cspbypass
Browse to http://localhost:8080/ and you can query the dataset without any external calls.
What is a "CSP Bypass gadget"?
Modern websites often use Content Security Policies (CSP) to protect against XSS attacks by restricting the sources of executable scripts and other content. In those cases, even when an attacker can inject HTML/javascript into a site, the CSP blocks the payload, allowing only certain whitelisted domains or resources to load.
A CSP bypass gadget is a technique that allows the attacker to execute JavaScript despite the restrictive policy, exploiting loopholes in the policy configuration. These are often JSONP endpoints or Javascript libraries hosted on any of the whitelisted domains.
Purpose
This project is purely for ethical purposes. The tool and techniques shared here are intended to help security researchers, ethical hackers, and penetration testers identify potential CSP misconfigurations, responsibly disclose vulnerabilities, and improve web security overall.
Note: Always ensure that you have permission to test any website or system and follow all applicable laws and responsible disclosure practices.
Responsible Disclosure
This tool is intended to help protect web applications by identifying weaknesses in their CSP configuration. If you discover a new vulnerability, always follow responsible disclosure practices to report the issue to the site owner or developer before making it public.
How to Contribute
We welcome contributions from the community! If you've discovered a new CSP bypass gadget, we would love for you to share it.
Here’s how you can contribute:
- Check that the domain used in your bypass is listed here: https://cspbypass.com/csp-domains.html. This list is curated to domains commonly found in real-world CSP headers, if your domain isn't on it, we won't be able to merge the contribution.
- Fork this repository.
- Add your CSP bypass gadget in the appropriate format:
The minimum viable PoC is an alert box without the ability to pass any arguments, or an alert box showing arbitrary data (caused by a JSONP response). However, if you have the possibility to pass arguments (likewww.example.com[TAB]<script src=https://www.example.com?cb=alert(1)></script>alert(1)), please submit a PoC that reflects that. Please try to keep data.tsv in alphabetical order. This helps to spot duplicates. Add your handle in credits.txt if you like to be credited on cspbypass.com - Submit a pull request with your findings.
Your contributions will help make the web safer for everyone by improving understanding of CSPs and how they can be strengthened against bypass techniques.
csp_domains.json
This file contains every domain extracted from Content-Security-Policy headers across a full Common Crawl dataset. Specifically, all script-src directives were collected, falling back to default-src where no script-src was present.
The website at csp-domains.html only displays domains appearing in 10 or more CSPs for readability. The full unfiltered list is published here for anyone who finds it useful.
Contact
For any inquiries, reach out to @renniepak.nl on Bluesky.
