Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

README.md

CSP Bypass

This is a Burp plugin that is designed to passively scan for CSP headers that contain known bypasses as well as other potential weaknesses.

CSP Bypass

Installation

Jython Setup

  1. Download the latest standalone Jython 2.7.x .jar file
  2. In Burp select Extender and then the Options tab, under the Python Environment heading click Select File ... and browse to the Jython .jar file

CSP Bypass Plugin Setup

  1. Execute the build-plugin.sh script, you should see a csp-bypass-plugin.py file appear
  2. In Burp select Extender and then the Extensions tab
  3. Click Add in the window that appears, select Python from the Extension Type dropdown menu
  4. Click Select File ... next to Extension File and select the generated csp-bypass-plugin.py file
  5. Click Next and you're done!

Report Bypasses in Common Domains

To add bypasses simply edit csp_known_bypasses.py with a domain, and an example payload or description of the bypass. Be sure to use the full domain, the plugin will match wildcards (e.g. if a policy allows *.googleapis.com it will match against ajax.googleapis.com). Submit a pull request to get your bypass in the main repository!

About

A Burp Plugin for Detecting Weaknesses in Content Security Policies

Topics

Resources

Releases

No releases published

Languages

You can’t perform that action at this time.