CSP Bypass
This is a Burp plugin that is designed to passively scan for CSP headers that contain known bypasses as well as other potential weaknesses.
Installation
Jython Setup
- Download the latest standalone Jython 2.7.x .jar file
- In Burp select
Extender
and then theOptions
tab, under the Python Environment heading clickSelect File ...
and browse to the Jython .jar file
CSP Bypass Plugin Setup
- Execute the
build-plugin.sh
script, you should see acsp-bypass-plugin.py
file appear - In Burp select
Extender
and then theExtensions
tab - Click
Add
in the window that appears, selectPython
from theExtension Type
dropdown menu - Click
Select File ...
next toExtension File
and select the generatedcsp-bypass-plugin.py
file - Click
Next
and you're done!
Report Bypasses in Common Domains
To add bypasses simply edit csp_known_bypasses.py with a domain, and an example payload or description of the bypass. Be sure to use the full domain, the plugin will match wildcards (e.g. if a policy allows *.googleapis.com
it will match against ajax.googleapis.com
). Submit a pull request to get your bypass in the main repository!