Skip to content

rachejazz/csp-xss-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
payloads
payloads
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
index.html
index.html
 
 
package.json
package.json
 
 
server.js
server.js
 
 

Repository files navigation

CSP Bypass Demo using XSS Polyglot attack

I have written a detailed blog about this demo: Here

Install:

npm install

or

yarn install

Start server:

npm start

or

yarn start

Instruction:

Upload file from payloads directory or make a polyglot file of your own

Check for the file in /uploads directory

Refresh server

Type rs on the server running pty session

Enter uploader name

Go to /list directory and give the basic attack sequence: <script src="../uploads/eviljs"></script> XSS triggered.

Change the CSP:

You can try changing the preset CSP from the server.js file[under the /lists section]. This is all about demo.

Credits:

This is all possible through the wonderful talk Funky File Formats by Ange Albertini

About

Test your CSP directives with file upload demo.

Resources

Readme
Activity

Stars

3 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages