Level 5: CSP Bypass - unsafe-inline blocked
CSP is
script-src 'self' (no unsafe-inline, no unsafe-eval). There is a JSONP-like endpoint at /index.php?jsonp_callback=XYZ. Use it to bypass CSP!Content Security Policy
CSP: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'Available endpoint:
/index.php?jsonp_callback=FUNCTION_NAME
Show Hint
Load the JSONP endpoint as a script source:
<script src="/index.php?jsonp_callback=alert(1)//"></script>. The JSONP endpoint is on the same origin (self) so CSP allows it.