Add CSP bypass via JSONP endpoints section.

EdOverflow 2017-10-28 19:16:27 +02:00 committed by GitHub
parent 8ca83f2dee
commit a201142cb5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -311,3 +311,21 @@ __ javascript:alert(document.domain)
```js
{{constructor.constructor('alert(1)')()}}
```
**Content Security Policy (CSP) bypass via JSONP endpoints**
Grab the target's CSP:
```
curl -I http://example.com | grep 'Content-Security-Policy'
```
Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will notify you if one of the whitelisted domains has JSONP endpoints.
![image](https://user-images.githubusercontent.com/18099289/32136707-a1c12510-bc12-11e7-8a80-8a22b3e94232.png)
Now we can use a Google dork to find some JSONP endpoints on the domains listed above.
```
site:example.com inurl:callback
```
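Review bot: the `grep 'Content-Security-Policy'` on the curl line is case-sensitive, but header names are case-insensitive and curl prints them in lowercase over HTTP/2, so the command can print nothing for a site that does send a policy. Suggest `curl -sI https://example.com | grep -i '^content-security-policy'`, plus a sentence noting that a match on `Content-Security-Policy-Report-Only` is a policy that is reported but not enforced, and that a policy delivered through a `<meta http-equiv>` tag never shows up in a HEAD response. Separately, "the domains listed above" in the Google dork step points only at the screenshot, whose alt text is just "image"; stating in the text what the evaluator output lists would keep the step readable when the image does not load. The two new untagged fences could also carry a language tag, as the `js` block above them does.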