What is CSP Bypass?
CSP (Content Security Policy) is a browser security feature that tries to stop attacks like XSS (Cross-Site Scripting) by controlling what scripts a webpage is allowed to run.
A CSP bypass means:
An attacker finds a way to run malicious JavaScript even though CSP is enabled.
So the website tried to block scripts, but the attacker still executed code.
1️⃣ First understand CSP (simple)
A website sends this header:
Content-Security-Policy: script-src 'self'
Meaning:
- Only scripts from the same origin as the page (same scheme, host and port) are allowed
- External scripts from other origins are blocked
- Inline scripts (and inline event handlers) are blocked
So normally this attack should fail:
<script>alert(1)</script>
Browser blocks it.
2️⃣ Then what is CSP bypass?
A CSP bypass is a trick to execute script despite CSP.
This happens because:
- The CSP is misconfigured
- The policy is too permissive
- It allows unsafe sources
3️⃣ Real-world simple example
Weak CSP
script-src 'self' https://cdn.example.com
If an attacker can upload malicious JS to that CDN (the whole host is trusted, so any file served from it counts, including user-uploaded content):
https://cdn.example.com/evil.js
Browser allows it → attack works.
That is CSP bypass.
4️⃣ Common CSP Bypass Techniques
A. Using allowed domains
If CSP allows:
script-src https://trusted.com
The attacker uploads a script there.
Then inject:
<script src="https://trusted.com/evil.js"></script>
Runs successfully.
B. Using inline event handlers
If CSP allows:
'unsafe-inline'
The attacker can run:
<img src=x onerror=alert(1)>
5️⃣ CSP Bypass in DVWA (Classroom Demo)
DVWA has a CSP Bypass lab.
Go to:
DVWA → CSP Bypass
Security level: low
Try this payload:
<script>alert(1)</script>
Blocked.
Then try:
<img src=x onerror=alert(1)>
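The policies from sections 1 to 4 can be checked mechanically rather than by eye. The following is an added example, not code from the original page or from DVWA: a small auditor for the Content-Security-Policy header, written for Node.js with no dependencies. It parses the header value, answers whether the policy would let inline scripts and on* event handlers run, whether a given external script URL would be allowed, and lists the directive values that weaken the policy (a whole host allowlisted as in section 3, 'unsafe-inline' as in section 4B, wildcards, and so on). All policies, hosts and URLs in it are constructed for the demo; the page origin https://app.example.org and the path-restricted "hardened" policy are assumptions, not something DVWA ships.

```javascript
// Added example (not from the original page): a Content-Security-Policy auditor.
// Parses a header value, evaluates the script-src directive the way a browser
// does (simplified), and reports the values a defender should fix.

function parseCsp(header) {
  // "script-src 'self' https://cdn.example.com; img-src *" -> { 'script-src': [...], 'img-src': ['*'] }
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

function scriptSources(policy) {
  // script-src governs scripts; when absent the browser falls back to default-src.
  // With neither present the policy places no restriction on scripts at all.
  return policy['script-src'] || policy['default-src'] || null;
}

function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  // Inline <script> blocks and on* handlers run only with 'unsafe-inline', and
  // browsers ignore 'unsafe-inline' once a nonce or hash source is also listed.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

function hostSourceMatches(source, url, pageProtocol) {
  // host-source grammar (simplified): [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const srcProtocol = (scheme ? `${scheme}:` : pageProtocol).toLowerCase();
  // An http: source also matches https: (secure upgrade); otherwise schemes must match.
  if (srcProtocol !== url.protocol && !(srcProtocol === 'http:' && url.protocol === 'https:')) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith(`.${host.toLowerCase()}`) : h !== host.toLowerCase()) return false;
  const urlPort = url.port || { 'https:': '443', 'http:': '80' }[url.protocol] || '';
  if (port && port !== urlPort) return false;
  // A path ending in "/" is a prefix; any other path must match exactly.
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

function allowsExternalScript(policy, scriptUrl, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return url.origin === page.origin;
    if (s === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
    if (s.startsWith("'")) return false; // keywords, nonces and hashes never match a URL
    return hostSourceMatches(src, url, page.protocol);
  });
}

function auditScriptSrc(policy) {
  // Human-readable findings; an empty array means nothing obviously weak was found.
  const sources = scriptSources(policy);
  if (sources === null) return ['no script-src or default-src: any script, inline or external, can run'];
  const findings = [];
  if (!policy['script-src']) findings.push('script-src missing; falling back to default-src');
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") findings.push(`${src}: inline <script> and on* event handlers run`);
    else if (s === "'unsafe-eval'") findings.push(`${src}: eval()/new Function() on untrusted strings run`);
    else if (s.startsWith("'")) continue; // 'self', 'none', nonces, hashes, 'strict-dynamic'
    else if (s === '*' || s === 'https:' || s === 'http:') findings.push(`${src}: scripts from any host run`);
    else if (s === 'data:' || s === 'blob:') findings.push(`${src}: scripts built from data/blob URLs run`);
    else if (s.startsWith('*.')) findings.push(`${src}: every subdomain is trusted`);
    else {
      const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?[^/]+(\/[^?#]*)?$/i.exec(src);
      if (m && (!m[1] || m[1] === '/')) findings.push(`${src}: whole host trusted; any script served there, including user uploads, runs`);
    }
  }
  return findings;
}

// Constructed demo: the page's two weak policies and a path-restricted variant (assumed).
const PAGE = 'https://app.example.org';
const POLICIES = {
  weakCdn: "script-src 'self' https://cdn.example.com",
  inline: "script-src 'self' 'unsafe-inline'",
  restricted: "script-src 'self' https://cdn.example.com/libs/; object-src 'none'",
};
for (const [name, header] of Object.entries(POLICIES)) {
  const policy = parseCsp(header);
  console.log(name, {
    inlineAllowed: allowsInlineScript(policy),
    cdnEvilAllowed: allowsExternalScript(policy, 'https://cdn.example.com/evil.js', PAGE),
    findings: auditScriptSrc(policy),
  });
}
```

Running it with `node csp-audit.js` prints, per policy, whether inline handlers like the `onerror` payload above would run, whether `https://cdn.example.com/evil.js` would load, and the findings. The host-source matcher deliberately follows the browser's rules that matter here: a bare host trusts every path on it, a path ending in "/" is a prefix, and "*." trusts every subdomain; a `'nonce-…'` or hash source, the usual replacement for 'unsafe-inline', is recognised and not flagged.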