CSP Bypass Demo using XSS Polyglot attack

I have written a detailed blog about this demo: Here

Install:

npm install

or

yarn install

Start server:

npm start

or

yarn start

Instruction:

Upload file from `payloads` directory or make a polyglot file of your own

Check for the file in /uploads directory

Refresh server

Type rs on the server running pty session

Enter uploader name

Go to /list directory and give the basic attack sequence: <script src="../uploads/eviljs"></script> XSS triggered.

Change the CSP:

You can try changing the preset CSP from the server.js file[under the /lists section]. This is all about demo.

Credits:

This is all possible through the wonderful talk Funky File Formats by Ange Albertini

Name		Name	Last commit message	Last commit date
Latest commit History 14 Commits
payloads		payloads
.gitignore		.gitignore
README.md		README.md
index.html		index.html
package.json		package.json
server.js		server.js

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

payloads

payloads

.gitignore

.gitignore

README.md

README.md

index.html

index.html

package.json

package.json

server.js

server.js

Repository files navigation

CSP Bypass Demo using XSS Polyglot attack

Install:

Start server:

Instruction:

Upload file from `payloads` directory or make a polyglot file of your own

Check for the file in /uploads directory

Refresh server

Enter uploader name

Change the CSP:

Credits:

About

Releases

Packages

Languages

rachejazz/csp-xss-demo

Folders and files

Latest commit

History

Repository files navigation

CSP Bypass Demo using XSS Polyglot attack

Install:

Start server:

Instruction:

Upload file from payloads directory or make a polyglot file of your own

Check for the file in /uploads directory

Refresh server

Enter uploader name

Change the CSP:

Credits:

About

Resources

Stars

Watchers

Forks

Languages

Upload file from `payloads` directory or make a polyglot file of your own