This tool allows to automatically test for Content Security Policy bypass payloads.

Related tags

Security related resourcespythoncontentsecuritywebpolicycontent-security-policypentest
Overview

CSPass

This tool allows to automatically test for Content Security Policy bypass payloads.

Usage

[cspass]$ ./cspass.py -h
usage: cspass.py [-h] [--no-colors] [-d] [-a] -t TARGET

Bypass CSP to perform a XSS

optional arguments:
  -h, --help            show this help message and exit
  --no-colors           Disable color mode
  -d, --dynamic         Use dynamic mode
  -a, --all-pages       Looking for vulnerability in all pages could be found

Required argument:
  -t TARGET, --target TARGET
                        Specify the target url

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

You might also like...
Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i

EntropyQueen 17 Dec 20, 2021
Deobfuscate Log4Shell payloads with ease
Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

Oxeye 137 Jan 2, 2023
HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

EntySec 5 May 10, 2022
RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.
RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

RedDrop Exfil Server Check out the accompanying MaverisLabs Blog Post Here! RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers,

null 53 Nov 1, 2022
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

Nano 108 Dec 4, 2021
A python script to bypass 403-forbidden.
A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

null 11 Aug 27, 2022
Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. (Released due to exposure)

HCaptcha-Bypass Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. Not working? If it is not seeming to work for you

Dropout 17 Aug 23, 2021
ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)

ProxyShell Install git clone https://github.com/ktecv2000/ProxyShell cd ProxyShell virtualenv -p $(which python3) venv source venv/bin/activate pip3 i

Poming huang 312 Dec 9, 2022
Bypass 4xx HTTP response status codes.
Bypass 4xx HTTP response status codes.

Forbidden Bypass 4xx HTTP response status codes. To see all the test cases, check the source code - follow the NOTE comments. Script uses multithreadi

Ivan Šincek 165 Dec 28, 2022
Comments
  • Issue when formatting CSP

    Issue when formatting CSP

    Hi, after your presentation for TheBlackSide, I just wanted to try your tool briefly ^^.

    There seems to be an issue when formatting CSP. When running your tool, I have this issue: Traceback (most recent call last): File "cspass.py", line 364, in csps = page.format_csp() File "cspass.py", line 192, in format_csp csp[policyname] = " ".join(self.csp[policyname]) TypeError: 'str' object does not support item assignment

    I did not read the code thoroughly and do not have a lot of time today, but I think you probably just have an indentation issue in format_csp function (seems to work on my tests when fixing it and it did not seem to break something else (I only saw one call to format_csp)) : "csp = json.dumps(csp,indent=4 )" should not be in the for loop because then it is a string and no more a dictionary, so if you have more than one policy "policyname", it crashes. Just change its indentation (same as your "return csp" line just after).

    Thanks for your tool :)

    bug 
    opened by T0t0-0r0 1
Releases(v1.2)

  • v1.2(Jan 28, 2022)

    Features added: - Set cookies in requests - Policies fallback are used - Some patches are detected to reduce false positives

    Docker added with 3 vulnerable pages to try CSPass!

    Source code(tar.gz)
    Source code(zip)

  • 1.1(Nov 1, 2021)

    CSPass

    This tool allows to automatically test for Content Security Policy bypass payloads.

    Usage

    [cspass]$ ./cspass.py -h
usage: cspass.py [-h] [--no-colors] [-d] [-a] -t TARGET

Bypass CSP to perform a XSS

optional arguments:
  -h, --help            show this help message and exit
  --no-colors           Disable color mode
  -d, --dynamic         Use dynamic mode
  -a, --all-pages       Looking for vulnerability in all pages could be found

Required argument:
  -t TARGET, --target TARGET
                        Specify the target url
    Source code(tar.gz)
    Source code(zip)
Owner
Ruulian
Ruulian
GitHub Repository https://0xhorizon.eu/
A DOM-based G-Suite password sprayer and user enumerator

A DOM-based G-Suite password sprayer and user enumerator

Mayk 1 Apr 07, 2022
Security offerings for AWS Control Tower

Caylent Security Catalyst Reference Architecture Examples This repository contains solutions for Caylent's Security Catalyst. The Security Catalyst is

Steven Connolly 1 Oct 22, 2021
GitGuardian Shield: protect your secrets with GitGuardian

Detect secret in source code, scan your repo for leaks. Find secrets with GitGuardian and prevent leaked credentials. GitGuardian is an automated secrets detection & remediation service.

GitGuardian 1.2k Dec 27, 2022
Create a secure tunnel from a custom domain to localhost using Fly and WireGuard.

Fly Dev Tunnel Developers commonly use apps like ngrok, localtunnel, or cloudflared to expose a local web service at a publicly-accessible URL. This i

170 Dec 11, 2022
对naabu的端口扫描结果,调用nmap进行指纹识别

naabu2nmap 对naabu的端口扫描结果,调用nmap进行指纹识别

Se7en 12 Nov 22, 2022
A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer.

Wlan Fetcher Windows10 Description A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer. Usage This Script onl

2 Nov 20, 2021
CVE-2021-43798Exp多线程批量验证脚本

Grafana V8.*任意文件读取Exp--多线程批量验证脚本 漏洞描述 Grafana是一个开源的度量分析与可视化套件。经常被用作基础设施的时间序列数据和应用程序分析的可视化,它在其他领域也被广泛的使用包括工业传感器、家庭自动化、天气和过程控制等。其 8.*版本任意文件读取漏洞,该漏洞目前为0d

2 Dec 16, 2021
Windows Virus who destroy some impotants files on C:\windows\system32\

psychic-robot Windows Virus who destroy some importants files on C:\windows\system32\ Signatures of psychic-robot.PY (python file) : Bkav Pro : ASP.We

H-Tech-Dev36 1 Jan 06, 2022
MTBLLS Ethical Hacking Tool Announcement of v2.0

MTBLLS Ethical Hacking Tool Announcement of v2.0 MTBLLS is a Free and Open-Source Ethical Hacking Tool developed by GhostTD (SkyWtkh) The tool can onl

Ghost 2 Mar 19, 2022
This python script will automate the testing for the Log4J vulnerability for HTTP and HTTPS connections.

Log4J-Huntress-Automate-Script This python script will automate the testing for the Log4J vulnerability for HTTP and HTTPS connections. Pre-Requisits

1 Dec 16, 2021
Python exploit code for CVE-2021-4034 (pwnkit)

Python3 code to exploit CVE-2021-4034 (PWNKIT). This was an exercise in "can I make this work in Python?", and not meant as a robust exploit. It Works

Joe Ammond 92 Dec 29, 2022
PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests.

PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests. In 1st request, gets token of captcha and in 2nd request,

253 Jan 05, 2023
MayorSec DNS Enumeration Tool

MayorSecDNSScan MSDNSScan is used to identify DNS records for target domains and check for zone transfers. There really isn't much special about it, a

Joe Helle 68 Dec 12, 2022
Anti-Nuke capabilities, powerful moderation features, auto punishments, captcha-verification and more.

Server-Security-Discord-Bot Anti-Nuke capabilities, powerful moderation features, auto punishments, captcha-verification and more. Installation Instal

20 Apr 07, 2022
Python DNS Lookup: The Domain Name System (DNS) is basically the phonebook of the Internet

-Python-DNS-Lookup- ✨ 🌟 Python DNS Lookup ✨ 🌟 The Domain Name System (DNS) is

Ronnie Atuhaire 2 Feb 14, 2022
C++ fully undetected shellcode launcher

charlotte c++ fully undetected shellcode launcher ;) releasing this to celebrate the birth of my newborn description 13/05/2021: c++ shellcode launche

894 Dec 25, 2022
Denial Attacks by Various Methods

Denial Service Attack Denial Attacks by Various Methods IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::

Baris Dincer 9 Nov 26, 2022
CVE-2021-22205& GitLab CE/EE RCE

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Al1ex 213 Dec 30, 2022
This is a simple tool to create ZIP payloads using a provided wordlist for the symlink attack (present in some file upload vulnerabilities)

zip-symlink-payload-creator This is a simple tool to create ZIP payloads using a provided wordlist for the symlink attack (present in some file upload

stark0de 6 Aug 18, 2022
A brute Force tool for Facebook

EliBruter A brute Force tool for Facebook Installing this tool -- $ pkg upgrade && update $ pkg install python $ pkg install python3 $ pkg install gi

Eli Hacks 3 Mar 29, 2022