  • Stars: 161
  • Rank: 233,470 (Top 5 %)
  • Language: Python
  • License: GNU General Publi...
  • Created: almost 9 years ago
  • Updated: over 1 year ago


Repository Details

A Burp Plugin for Detecting Weaknesses in Content Security Policies

CSP Bypass

This is a Burp plugin that is designed to passively scan for CSP headers that contain known bypasses as well as other potential weaknesses.

Installation

Jython Setup

  1. Download the latest standalone Jython 2.7.x .jar file
  2. In Burp select Extender and then the Options tab; under the Python Environment heading click Select File ... and browse to the Jython .jar file

CSP Bypass Plugin Setup

  1. Execute the build-plugin.sh script; a csp-bypass-plugin.py file should appear
  2. In Burp select Extender and then the Extensions tab
  3. Click Add in the window that appears, select Python from the Extension Type dropdown menu
  4. Click Select File ... next to Extension File and select the generated csp-bypass-plugin.py file
  5. Click Next and you're done!

Report Bypasses in Common Domains

To add bypasses, simply edit csp_known_bypasses.py with a domain and an example payload or description of the bypass. Be sure to use the full domain: the plugin matches wildcards itself (e.g. if a policy allows *.googleapis.com it will match against ajax.googleapis.com). Submit a pull request to get your bypass in the main repository!
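The matching described above, as an added Python 3 example that is not the plugin's own code: it parses a Content-Security-Policy header, takes the directive that governs script execution (script-src, falling back to default-src), and reports every host-source that admits a host from a known-bypass table, applying the `*.example.com` wildcard rule the README mentions. It also flags `'unsafe-inline'` (only when no nonce or hash is present, since those neutralise it in CSP2) and `'unsafe-eval'` as the kind of "other potential weaknesses" the plugin looks for. The `KNOWN_BYPASSES` table is constructed for the example: ajax.googleapis.com is the host the README names; the `.invalid` entry is a placeholder, not a real bypass host.

```python
"""Added example (not csp-bypass's own code): passive check of a CSP header
against a table of known-bypass hosts with wildcard-aware matching."""
from collections import OrderedDict

# Constructed table in the spirit of csp_known_bypasses.py: host -> note.
# ajax.googleapis.com is the host named in the README; the .invalid entry is a
# placeholder so the example has more than one row to match against.
KNOWN_BYPASSES = {
    "ajax.googleapis.com": "hosts library/JSONP endpoints that can run script",
    "cdn.example-bypass.invalid": "placeholder entry, not a real bypass host",
}

# Source-list keywords that make a script directive strict (CSP2 ignores
# 'unsafe-inline' once any of these is present).
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = OrderedDict()
    for raw in header_value.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def host_of(source):
    """Reduce a host-source expression to its host: drop scheme, port, path."""
    s = source.lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]
    if ":" in s:
        s = s.rsplit(":", 1)[0]
    return s


def source_allows(source, host):
    """True if a CSP host-source permits `host`.

    Exact hosts match themselves; the leading-wildcard form *.example.com
    matches any subdomain but, per the CSP grammar, not the bare domain.
    """
    pattern = host_of(source)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def find_weaknesses(header_value):
    """Return (directive, source, bypass_host_or_None, note) tuples for the
    directive that governs scripts: script-src, else default-src."""
    policy = parse_csp(header_value)
    directive = "script-src" if "script-src" in policy else "default-src"
    sources = policy.get(directive, [])
    strict = any(s.lower().startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    findings = []
    for source in sources:
        low = source.lower()
        if low == "'unsafe-inline'" and not strict:
            findings.append((directive, source, None, "inline script allowed"))
        elif low == "'unsafe-eval'":
            findings.append((directive, source, None, "eval-style APIs allowed"))
        # Keywords ('self', nonces, hashes) and scheme-only sources such as
        # "https:" are not host-sources, so the bypass table does not apply.
        if low.startswith("'") or (low.endswith(":") and "." not in low):
            continue
        for bypass_host, note in KNOWN_BYPASSES.items():
            if source_allows(source, bypass_host):
                findings.append((directive, source, bypass_host, note))
    return findings


if __name__ == "__main__":
    # Constructed header: the wildcard form from the README plus 'unsafe-eval'.
    header = "default-src 'self'; script-src 'self' https://*.googleapis.com 'unsafe-eval'"
    for finding in find_weaknesses(header):
        print(finding)
```

The table is keyed by full host on purpose: the policy side may carry a wildcard, but the entry side should not, which is exactly why the README asks contributors to use the full domain.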

More Repositories

  1. RootTheBox (Python, 933 stars): A Game of Hackers (CTF Scoreboard & Game Manager)
  2. leakdb (Go, 182 stars): Web-Scale NoSQL Idempotent Cloud-Native Big-Data Serverless Plaintext Credential Search
  3. denim (Go, 131 stars): Automated compiler obfuscation for nim
  4. burp-multiplayer (Java, 100 stars): Burp with Friends
  5. Yoshimi-Botnet (Python, 75 stars): PoC Android smart phone botnet
  6. reasonably-secure-electron (TypeScript, 71 stars): A pattern for reasonably secure Electron applications
  7. electric-scan (TypeScript, 63 stars): Electron based screenshot scanner
  8. ios-hooker (Python, 63 stars): Python script to parse Objective-C header files from iOS applications and generate function hooks.
  9. sliver-py (Python, 62 stars): A Python gRPC Client Library for Sliver
  10. cve-2016-1764 (JavaScript, 52 stars): Extraction of iMessage Data via XSS
  11. The-Planetary-Assault-System (Python, 35 stars): Fire and forget password cracking and complexity analysis.
  12. wire-transfer (Python, 30 stars): Encode binary as English text over HTTP(s)
  13. Exploit-Demos (C++, 29 stars): How to write basic memory corruption exploits on Windows
  14. hashlookup (Python, 26 stars): A Python implementation of CrackStation's Hash Lookup
  15. godns (Go, 24 stars): The God Name Server
  16. codename (Python, 23 stars): Generate CIA/NSA style project codenames
  17. MitmFuzzer (HTML, 22 stars): A fuzzing script for MitmProxy
  18. Hotel-kilo (Python, 21 stars): Network aware keylogger: broadcasting on your local area network.
  19. PyTEA (Python, 20 stars): A Python implementation of the Tiny Encryption Algorithm (TEA)
  20. daVinci (Python, 20 stars): A PoC botnet that uses image files distributed via Twitter for a command and control channel.
  21. sliver-script (JavaScript, 19 stars): TypeScript/JavaScript client libraries for Sliver
  22. rosie (Go, 18 stars): Rosie the Pivoter
  23. memmod (Go, 16 stars): Fork of Wireguard's Memmod
  24. Replicant (Python, 15 stars): A password cracking IRC bot
  25. big-rainbow (Python, 13 stars): BigQuery based rainbow tables
  26. CrackPy (C++, 13 stars): Simple multi-threaded brute force password cracking for Python, written in C++
  27. RCrackPy (C++, 13 stars): Python bindings for RCrackI (http://freerainbowtables.com/)
  28. IDA-Python (Python, 12 stars): A collection of IDA Python scripts, useful for reverse engineering
  29. Bitonic-Sort (C++, 12 stars): An example implementation of a parallel bitonic sort algorithm using an OpenMPI CPU cluster.
  30. Fortify-XML-Converter (Python, 11 stars): Convert Fortify XML documents to Excel spreadsheets.
  31. Code-Injection (Python, 10 stars): Examples of DLL injection on Windows
  32. Netnade (Java, 9 stars): Perform DHCP exhaustion attacks using an Arduino device.
  33. swsh (Go, 7 stars)
  34. BARTpy (Python, 7 stars): Python bindings for the BART API
  35. gshell (Go, 5 stars): An experiment in cross-platform shells
  36. BTSyncBot (Python, 4 stars): Share BTSync keys via IRC
  37. sliver-ci (TypeScript, 4 stars): Continuous Integration Testing for Sliver
  38. PDP8-Simulator (Assembly, 4 stars): PDP8 simulator written in x86 assembly (MASM32)
  39. iPhoneDataprotection (C, 4 stars): Mirror of the iPhone Data Protection repo
  40. Tangela (HTML, 4 stars): Browser Security & Crash Tests
  41. cli-Blackjack (C++, 4 stars): Command line Blackjack game with ASCII art
  42. vboxpy (Python, 3 stars): A more palatable Virtual Box CLI
  43. TornadoAppTemplate (Python, 3 stars): A basic Tornado application template
  44. BoostPython-HelloWorld (C++, 3 stars): An example hello world using Boost Python on Linux and built with Make.
  45. Linux-Configs (Lua, 3 stars): My configs for AwesomeWM, zsh, and conky
  46. PACKlib (Python, 3 stars): Password Analysis and Cracking Kit
  47. spray-n-prey (Python, 3 stars)
  48. collatz (Go, 3 stars): Collatz Conjecture implemented in Go using arbitrary-precision arithmetic
  49. Objc-Analyzer (Python, 3 stars): Static code analysis tool for iOS/Objective-C applications
  50. BorgBrowser (Python, 3 stars): An adaptive, scriptable Python web browser.
  51. BARTHue (Python, 2 stars): Control Hue Lights Based on the BART Schedule
  52. HelloWorld-AndroidSubstrate (Java, 2 stars): Example Android Substrate function hook
  53. KeyRand (AutoHotkey, 2 stars): Small Windows application which randomizes keystrokes
  54. hue-weather (Python, 1 star): Hue lights controlled by the weather!
  55. foundations-of-cryptography (Jupyter Notebook, 1 star)
  56. libage (Python, 1 star): Age compiled as a shared library and wrapped in Python
  57. cryptopals-ocaml (OCaml, 1 star): Cryptopals Challenges in OCaml