CSP-Bypass

by moloch--


A Burp Plugin for Detecting Weaknesses in Content Security Policies



CSP Bypass

This is a Burp plugin that is designed to passively scan for CSP headers that contain known bypasses as well as other potential weaknesses.


Installation

Jython Setup

  1. Download the latest standalone Jython 2.7.x .jar file
  2. In Burp select Extender and then the Options tab; under the Python Environment heading click Select File ... and browse to the Jython .jar file

CSP Bypass Plugin Setup

  1. Execute the build-plugin.sh script; you should see a csp-bypass-plugin.py file appear
  2. In Burp select Extender and then the Extensions tab
  3. Click Add; in the window that appears, select Python from the Extension Type dropdown menu
  4. Click Select File ... next to Extension File and select the generated csp-bypass-plugin.py file
  5. Click Next and you're done!

Report Bypasses in Common Domains

To add bypasses, simply edit cspknownbypasses.py with a domain and an example payload or description of the bypass. Be sure to use the full domain; the plugin will match wildcards itself (e.g. if a policy allows *.googleapis.com it will match against ajax.googleapis.com). Submit a pull request to get your bypass in the main repository!
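As an added illustration of the matching described above (example code written for this page, not the plugin's own cspknownbypasses.py or scanner logic), the following Python parses a Content-Security-Policy header, takes the sources that govern scripts (script-src, falling back to default-src), and checks each host-source against a table of full hostnames. A wildcard source such as *.googleapis.com matches ajax.googleapis.com but not the bare googleapis.com, which is how CSP host matching works. The KNOWN_BYPASS_DOMAINS table is a constructed stand-in: ajax.googleapis.com is taken from the README's own example, and cdn.example.net is a placeholder. The 'unsafe-inline' and bare-* checks are my additions, standing in for the "other potential weaknesses" the README mentions without listing.

```python
import re

# Constructed table for this example (NOT the plugin's cspknownbypasses.py).
# Keys are full hostnames; values are a short description of the issue.
KNOWN_BYPASS_DOMAINS = {
    "ajax.googleapis.com": "hostname used as the matching example in the README",
    "cdn.example.net": "constructed placeholder entry",
}

# Keyword sources that are not hostnames and need no host matching.
KEYWORD_SOURCES = {"self", "none", "unsafe-eval", "strict-dynamic", "report-sample"}
SCHEME_ONLY = re.compile(r"[a-z][a-z0-9+.-]*:")  # e.g. "https:" or "data:"


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_of(source):
    """Reduce a host-source (scheme://host:port/path) to its hostname pattern."""
    src = source.lower()
    if "://" in src:
        src = src.split("://", 1)[1]
    src = src.split("/", 1)[0]   # drop any path
    src = src.split(":", 1)[0]   # drop any port
    return src


def host_matches(pattern, hostname):
    """CSP host matching: '*.example.com' covers subdomains, not the bare domain."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return pattern == hostname


def find_weaknesses(header):
    """Return (source, reason) pairs for weak or bypassable script sources."""
    policy = parse_csp(header)
    # script-src governs scripts; default-src applies when it is absent.
    sources = policy.get("script-src", policy.get("default-src", []))
    findings = []
    for src in sources:
        s = src.strip("'").lower()
        if s == "unsafe-inline":
            findings.append((src, "allows inline scripts"))
            continue
        if s == "*":
            findings.append((src, "allows scripts from any origin"))
            continue
        if s in KEYWORD_SOURCES or s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
            continue
        if SCHEME_ONLY.fullmatch(s):
            continue
        host = host_of(src)
        for bypass_host, desc in KNOWN_BYPASS_DOMAINS.items():
            if host_matches(host, bypass_host):
                findings.append((src, "permits %s: %s" % (bypass_host, desc)))
    return findings


if __name__ == "__main__":
    # Constructed sample header, not captured from any real site.
    sample = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
              "https://*.googleapis.com; object-src 'none'")
    for source, reason in find_weaknesses(sample):
        print("%-28s %s" % (source, reason))
```

The scanner reports the policy's own source token (e.g. https://*.googleapis.com) rather than the table entry, so a reader of the finding can see exactly which directive value to tighten.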
