About
- Parking some slick CSP bypasses and techniques to work around CSP. No analysis here for now
- Some links may not even be related to bypassing CSP, but it may touch some part of XSS exploitation that might be good to know.
Researches
lcamtuf
Post-XSS- Bypass browser’s mitigation against dangling markup injection
form-action
trick and other methods: Leaking sensitive data through<form>
and misconfigured CSP policy. Mentions defenses of browsers against dangling markup injection and how to effectively bypass them. Also, it includes a collection of CSS techniques to leak data on websites with strict CSPs.
Tools
- CSP Bypass Search
- Google CSP Evaluator, though JSONP endpoints here are outdated