CSP and Bypasses

This blog post aims to demonstrate what CSP is and why CSP is implemented. And how attackers can bypass CSP. In this article, I will include how you can bypass some directives to achieve XSS on the target application.

CSP Bypass - Inline code root-me (web-client)

Hunting nonce-based CSP bypasses with dynamic analysis

Bypassing CSP via ajax.googleapis.com

XSS bypassing CSP and using DOM clobbering

Bypassing CSP with JSONP Endpoints - Hurricane Labs

Bypass CSP by Abusing XSS Filter in Edge, by Xiaoyin Liu

DVWA - CSP Bypass - Braincoke

How Browser Extensions Routinely Bypass a CSP

GitHub - buffermet/CSP-bypass: Bypass Content-Security-Policy to phish data.

Content Security Policy (CSP) and Its Bypasses