Bypassing CSP by Abusing JSONP Endpoints

This blog post discusses a technique for bypassing CSP (Content Security Policy) when one of the domains the policy whitelists for scripts hosts a JSONP endpoint.

Background

What is CSP?

“Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.” — Mozilla Developer Network documentation

What is JSONP?

JSON with Padding (JSONP) is a technique, from before CORS existed, for retrieving data from another origin. The page includes a script tag whose src points at the endpoint and names a callback function in the query string; the server responds with a script that calls that function with the JSON data as its argument (the "padding"). Script includes are not restricted by the Same-Origin Policy (SOP), so the data reaches the including page even though a direct cross-origin read would be blocked.

The Attack

The concept works as follows. A CSP restricts where scripts may be loaded from, typically with a script-src directive that whitelists a set of domains. If one of those whitelisted domains hosts a JSONP endpoint, an attacker who has an HTML injection on the protected page can add a script tag whose src points at that endpoint and supply JavaScript of their choice as the callback parameter. The endpoint reflects the callback into its response, the response is served from a whitelisted origin, and the browser executes it: the policy is satisfied and the injected code runs anyway.

JavaScript Magic

JavaScript is a very dynamic language, and it allows us to do many things we should not do. The "callback name" is not really a name: whatever the endpoint places in front of the opening parenthesis is parsed and executed as JavaScript by the including page. A callback value such as alert(1);// turns the response into alert(1);//({...}), with the original padding commented out. Even an endpoint that only accepts a bare identifier still lets the attacker choose which global function is called with the JSON data as its argument.

What to Do?

Developers Responsible for JSONP Endpoints

Restrict the callback name to a fixed allowlist of expected names, or at least reject any callback that is not a plain identifier, so that no non-alphanumeric characters of the attacker's choosing end up in the response. Serve the response as application/javascript with X-Content-Type-Options: nosniff. Furthermore, you should protect against the Rosetta Flash exploit, in which a crafted SWF made entirely of alphanumeric characters is reflected as the callback and the response is then loaded as Flash from your origin: start every JSONP response with a prefix the attacker does not control, such as the empty comment /**/, so the body can never begin with attacker-supplied bytes.
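The attack described above and the developer advice in this section, side by side, as an added example that is not code from the original post: a naive JSONP handler that reflects the callback, a hardened one, and a simulation of a page whose CSP whitelists the endpoint's host, with the response executed through the Function constructor in place of a script tag. The host api.example.com, the /jsonp path, the callback parameter name, the allowlist contents and the payload are assumptions made for the example.

```javascript
// Added example (not code from the original post). The host api.example.com,
// the /jsonp path, the "callback" parameter and the payload are assumptions.
const DATA = { user: 'alice', role: 'viewer' }; // constructed sample payload

// Parse the query string of a request URL into a plain object.
function parseQuery(requestUrl) {
  return Object.fromEntries(new URL(requestUrl).searchParams);
}

// Naive JSONP handler: the callback parameter is echoed unmodified into a
// script. Everything the attacker puts before "(" becomes executable code.
function naiveJsonp(requestUrl) {
  const { callback = 'callback' } = parseQuery(requestUrl);
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${callback}(${JSON.stringify(DATA)})`,
  };
}

// Hardened handler. Either restrict the callback to a fixed allowlist of
// names, or at least require a plain (dotted) identifier. The body is
// prefixed with an empty comment so the response cannot start with attacker
// bytes (the Rosetta Flash mitigation), and nosniff stops the browser from
// treating the response as anything but a script.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const ALLOWED_CALLBACKS = new Set(['callback', 'jsonpCallback']); // assumed allowlist

function hardenedJsonp(requestUrl, { allowlist = false } = {}) {
  const { callback = 'callback' } = parseQuery(requestUrl);
  const ok = allowlist ? ALLOWED_CALLBACKS.has(callback) : SAFE_CALLBACK.test(callback);
  if (!ok) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callback}(${JSON.stringify(DATA)});`,
  };
}

// Stand-in for the victim page. Its CSP is
//   script-src 'self' https://api.example.com
// so an injected <script src="https://api.example.com/jsonp?callback=..."> is
// allowed, and the browser runs whatever the endpoint returns as a script.
// Here the body is executed with the Function constructor instead, with the
// page's globals (alert, callback) passed in so the calls can be recorded.
function simulateInclude(handler, requestUrl, options) {
  const calls = [];
  const res = handler(requestUrl, options);
  if (res.status !== 200) return { status: res.status, calls };
  const globals = {
    alert: (x) => calls.push('alert:' + String(x)),
    callback: (d) => calls.push('callback:' + JSON.stringify(d)),
  };
  new Function(...Object.keys(globals), res.body)(...Object.values(globals));
  return { status: res.status, calls };
}

// The cases: intended use, the CSP bypass against the naive endpoint, the
// hardened endpoint rejecting the payload, and the residual risk of an
// identifier-only check compared with a fixed allowlist.
function demo() {
  const benign = 'https://api.example.com/jsonp?callback=callback';
  const attack = 'https://api.example.com/jsonp?callback=alert(1337);//';
  const pickGlobal = 'https://api.example.com/jsonp?callback=alert';
  return {
    intended: simulateInclude(naiveJsonp, benign),
    bypass: simulateInclude(naiveJsonp, attack),
    blocked: simulateInclude(hardenedJsonp, attack),
    // With only the identifier check the attacker can still pick which global
    // function receives the JSON payload; the allowlist closes that too.
    identifierOnly: simulateInclude(hardenedJsonp, pickGlobal),
    allowlisted: simulateInclude(hardenedJsonp, pickGlobal, { allowlist: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the file shows the bypass case recording alert:1337 from the naive endpoint while the hardened endpoint answers 400 for the same request. The identifierOnly case is the caveat worth noting: a regex that admits any identifier still lets the attacker call an arbitrary global with the JSON payload as its argument, which is why the allowlist of expected callback names is the stronger of the two recommendations.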

Penetration Testers

Whenever you face a Content Security Policy on an application, review every source whitelisted in script-src, including wildcard entries such as *.example.com, which cover every subdomain, and search those domains for JSONP endpoints. Confirm that a candidate endpoint reflects the callback parameter without validation; an endpoint on the application's own origin is enough when 'self' is whitelisted.

Blue Teams

Review your whitelisted domains for any that host JSONP endpoints; a single one is enough to bypass your CSP. Where possible, move from a host-based whitelist to nonces or hashes with 'strict-dynamic', which makes the whitelisted hosts irrelevant to which scripts may load.

Thoughts of a hacker
