You know that feeling when you discovered an XSS only to find out there’s an active CSP that blocks execution of any scripts?
If you want it to work on all browsers, not just IE (which doesn’t support CSP), there’s still a chance to bypass it!

Use Google’s CSP Evaluator to find ways to bypass CSP on websites using Angular libraries or JSONP endpoints.

csp-evaluator.withgoogle.com

It’s a really powerful and simple to use tool that helps you evaluate how effective these restrictions are,
useful for both website owners to improve security of their website and for bug hunters to find these flaws.

Also available as a Chrome Extension.

You can either paste the target URL or the CSP itself (which is in the content-security-policy header) into the textbox,
and it will evaluate potential problems in the CSP.

If we enter https://codejam.withgoogle.com/2018/ as our example URL, multiple errors appear:

We can see it found two high severity finding.

The first one is that *.google-analytics.com hosts JSONP endpoints, that would allow us to bypass the CSP.

The second one is about *.gstatic.com allowing us to load angular.js.
That means we would be able to load and use Angular and simply bypass the CSP.
This is how it could be done:

<script src="https://www.gstatic.com/fsn/angular_js-bundle1.js"></script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>

 

You can check out this list of known JSONP, Flash and Angular bypasses on Google’s GitHub page, and add new bypasses to the list:
https://github.com/google/csp-evaluator/tree/master/whitelist_bypasses/json

CSP Evaluator is an open source project by Google, the source code can be found on GitHub:
https://github.com/google/csp-evaluator

UselessCSP.com is listing CSP flaws in many popular websites.

Read more about how CSP works in this Google Developers article: Content Security Policy

 

ThomasOrlita.cz
Follow me on Twitter: @ThomasOrlita

 

More articles:
Reflected XSS in Google Code Jam
Stored XSS in WebComponents.org
Stored Angular XSS in Mall.cz
Angular XSS vulnerability in McDonalds.com
List of web vulnerabilities I found