Skip to content
← Cheat Sheets

CSP Bypass Cheat Sheet

CSP Bypass Cheat Sheet

Read the policy first

Look for: script-src, default-src, object-src, base-uri, require-trusted-types-for.

Common weak configurations

SignalOften allows
'unsafe-inline'Inline scripts, many event handlers
'unsafe-eval'eval, Function, some frameworks
Missing object-srcPlugin/object vectors
strict-dynamic + nonce leakScripts loaded by trusted scripts
JSONP / allowlisted CDNsScript gadgets on third-party hosts

Vectors to try (authorized targets only)

  • JSONP endpoints on allowlisted domains
  • Angular / Vue template injection when CSP allows inline templates
  • Base tag to change script origins (base-uri absent)
  • DOM clobbering to bypass script gadgets
  • CSS injection when style-src is loose (legacy IE / old browsers)

Use the in-app CSP analyzer to map categories before picking templates.