From a201142cb5f4c420b46f958aeb4cd8f90fbf6e8e Mon Sep 17 00:00:00 2001 From: EdOverflow Date: Sat, 28 Oct 2017 19:16:27 +0200 Subject: [PATCH] Add CSP bypass via JSONP endpoints section. --- cheatsheets/xss.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/cheatsheets/xss.md b/cheatsheets/xss.md index 5301942..10979af 100644 --- a/cheatsheets/xss.md +++ b/cheatsheets/xss.md @@ -311,3 +311,21 @@ __ javascript:alert(document.domain) ```js {{constructor.constructor('alert(1)')()}} ``` + +**Content Security Policy (CSP) bypass via JSONP endpoints** + +Grab the target's CSP: + +``` +curl -I http://example.com | grep 'Content-Security-Policy' +``` + +Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will notify you if one of the whitelisted domains has JSONP endpoints. + +![image](https://user-images.githubusercontent.com/18099289/32136707-a1c12510-bc12-11e7-8a80-8a22b3e94232.png) + +Now we can use a Google dork to find some JSONP endpoints on the domains listed above. + +``` +site:example.com inurl:callback +```
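Review bot: the `curl -I http://example.com | grep 'Content-Security-Policy'` step can miss or misreport the policy. `grep` is case-sensitive and header names are not (use `grep -i`), the same pattern also matches `Content-Security-Policy-Report-Only`, which is not enforced and should be called out as such, and a policy delivered via a `<meta http-equiv="Content-Security-Policy">` tag in the body will never appear in a HEAD response, so the text should mention checking the page source too. Minor style point: the two new fences are untagged while the file already uses a language tag (```js just above), so ```sh would be consistent.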