How to use Google’s CSP Evaluator to bypass CSP

Have you ever found an XSS only to find out there’s an active CSP that blocks execution of any scripts?
If you want it to work on all browsers, not just IE (which doesn’t support CSP), there’s still a chance to bypass it!

Use Google’s CSP Evaluator to find ways to bypass CSP on websites using Angular libraries or JSONP endpoints.

CSP Evaluator is a powerful and simple to use tool that helps you evaluate how effective these restrictions are. It’s useful for both website owners to improve the security of their website and for bug hunters to find these flaws.

It’s also available as a Chrome Extension.

How to use it

You can either paste the target URL or the CSP itself (which is in the content-security-policy header) into the textbox,
and it will evaluate potential problems in the CSP.

If we enter https://codejam.withgoogle.com/2018/ as our example URL, multiple errors appear:


We can see it found two high severity finding.

The first one is that *.google-analytics.com hosts JSONP endpoints that would allow us to bypass the CSP.

The second one is about *.gstatic.com allowing us to load angular.js.

Bypassing CSP

Since angular.js is hosted on gstatic.com, we are able to load and use Angular and easily bypass the CSP.
This is how it could be done:

<script src="https://www.gstatic.com/fsn/angular_js-bundle1.js"></script>
<div ng-app ng-csp id=p ng-click=$event.view.alert(1)>

More resources

Check out this list of known JSONP, Flash and Angular bypasses on Google’s GitHub page, and add new bypasses to the list:
https://github.com/google/csp-evaluator/tree/master/whitelist_bypasses/json

CSP Evaluator is an open source project by Google, the source code can be found on GitHub:
https://github.com/google/csp-evaluator

UselessCSP.com is listing CSP flaws in many popular websites.

Read more about how CSP works in this Google Developers article: Content Security Policy

ThomasOrlita.com
Follow me on Twitter: @ThomasOrlita

Leave a Reply