This tool allows to automatically test for Content Security Policy bypass payloads.

Last update: Nov 22, 2022

Overview

CSPass

This tool allows to automatically test for Content Security Policy bypass payloads.

Usage

[cspass]$ ./cspass.py -h
usage: cspass.py [-h] [--no-colors] [-d] [-a] -t TARGET

Bypass CSP to perform a XSS

optional arguments:
  -h, --help            show this help message and exit
  --no-colors           Disable color mode
  -d, --dynamic         Use dynamic mode
  -a, --all-pages       Looking for vulnerability in all pages could be found

Required argument:
  -t TARGET, --target TARGET
                        Specify the target url

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i

17 Dec 20, 2021

Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

137 Jan 2, 2023

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

5 May 10, 2022

RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

RedDrop Exfil Server Check out the accompanying MaverisLabs Blog Post Here! RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers,

53 Nov 1, 2022

Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

108 Dec 4, 2021

A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022

Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. (Released due to exposure)

HCaptcha-Bypass Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. Not working? If it is not seeming to work for you

17 Aug 23, 2021

ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)

ProxyShell Install git clone https://github.com/ktecv2000/ProxyShell cd ProxyShell virtualenv -p $(which python3) venv source venv/bin/activate pip3 i

312 Dec 9, 2022

Bypass 4xx HTTP response status codes.

Forbidden Bypass 4xx HTTP response status codes. To see all the test cases, check the source code - follow the NOTE comments. Script uses multithreadi

165 Dec 28, 2022

Comments

Issue when formatting CSP

Hi, after your presentation for TheBlackSide, I just wanted to try your tool briefly ^^.

There seems to be an issue when formatting CSP. When running your tool, I have this issue: Traceback (most recent call last): File "cspass.py", line 364, in csps = page.format_csp() File "cspass.py", line 192, in format_csp csp[policyname] = " ".join(self.csp[policyname]) TypeError: 'str' object does not support item assignment

I did not read the code thoroughly and do not have a lot of time today, but I think you probably just have an indentation issue in format_csp function (seems to work on my tests when fixing it and it did not seem to break something else (I only saw one call to format_csp)) : "csp = json.dumps(csp,indent=4 )" should not be in the for loop because then it is a string and no more a dictionary, so if you have more than one policy "policyname", it crashes. Just change its indentation (same as your "return csp" line just after).

Thanks for your tool :)
bug

opened by T0t0-0r0 1

Releases(v1.2)

v1.2(Jan 28, 2022)

Features added: - Set cookies in requests - Policies fallback are used - Some patches are detected to reduce false positives

Docker added with 3 vulnerable pages to try CSPass!
Source code(tar.gz)
Source code(zip)

1.1(Nov 1, 2021)

CSPass

This tool allows to automatically test for Content Security Policy bypass payloads.

Usage

[cspass]$ ./cspass.py -h
usage: cspass.py [-h] [--no-colors] [-d] [-a] -t TARGET

Bypass CSP to perform a XSS

optional arguments:
  -h, --help            show this help message and exit
  --no-colors           Disable color mode
  -d, --dynamic         Use dynamic mode
  -a, --all-pages       Looking for vulnerability in all pages could be found

Required argument:
  -t TARGET, --target TARGET
                        Specify the target url

Source code(tar.gz)
Source code(zip)

Owner

Ruulian

GitHub Repository https://0xhorizon.eu/

The RDT protocol (RDT3.0,GBN,SR) implementation and performance evaluation code using socket

소켓을 이용한 RDT protocols (RDT3.0,GBN,SR) 구현 및 성능 평가 코드 입니다. 코드를 실행할때 리시버를 먼저 실행하세요. 성능 평가 코드는 패킷 전송 과정을 제외하고 시간당 전송률을 출력합니다. RDT3.0 GBN SR(버그 발견으로 구현중 입니

0 Dec 20, 2021

Multi Brute Force Facebook - Crack Facebook With Login - Free For Now

✭ SAKERA CRACK Made With ❤️ By Denventa, Araya, Dapunta Author: - Denventa - Araya Dev - Dapunta Khurayra X ⇨ Fitur Login [✯] Login Cookies ⇨ Ins

26 Jan 01, 2023

Lite version of my Gatekeeper backdoor for public use.

MayorSec Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning Gatekee

56 Mar 25, 2022

A small POC plugin for launching dumpulator emulation within IDA, passing it addresses from your IDA view using the context menu.

Dumpulator-IDA Currently proof-of-concept This project is a small POC plugin for launching dumpulator emulation within IDA, passing it addresses from

9 Sep 21, 2022

M.E.A.T. - Mobile Evidence Acquisition Toolkit

M.E.A.T. - Mobile Evidence Acquisition Toolkit Meet M.E.A.T! From Jack Farley - BlackStone Discovery This toolkit aims to help forensicators perform d

1 Nov 11, 2021

Lite - Lite cracker tool for python

Wellcome to tools Results Install Tools

23 Dec 17, 2022

Fast and easy way to rollout on multiple GitLab project file a particular content.

Volatile Fast and easy way to rollout on multiple GitLab project file a particular content. Why ? After looking for a tool to simply enforce a develop

4 Jan 17, 2022

Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

Take Note! With the exception of issues and PRs regarding changes to hosts/data/StevenBlack/hosts, all other issues regarding the content of the produ

22.1k Jan 02, 2023

This tool allows to automatically test for Content Security Policy bypass payloads.

Related tags

Overview

CSPass

Usage

Contributing

You might also like...

Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

Deobfuscate Log4Shell payloads with ease

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

A python script to bypass 403-forbidden.

Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. (Released due to exposure)

ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)

Bypass 4xx HTTP response status codes.

Comments

Issue when formatting CSP

Releases(v1.2)

v1.2(Jan 28, 2022)

1.1(Nov 1, 2021)

CSPass

Usage

Owner

Ruulian

The RDT protocol (RDT3.0,GBN,SR) implementation and performance evaluation code using socket

Multi Brute Force Facebook - Crack Facebook With Login - Free For Now

Lite version of my Gatekeeper backdoor for public use.

A small POC plugin for launching dumpulator emulation within IDA, passing it addresses from your IDA view using the context menu.

M.E.A.T. - Mobile Evidence Acquisition Toolkit

Lite - Lite cracker tool for python

Fast and easy way to rollout on multiple GitLab project file a particular content.

Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

Visibility and Mitigation for Log4J vulnerabilities

A compact version of EDI-Vetter, which uses the TLS output to quickly vet transit signals.

Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Simple tool to create passwords.

(D)arth (S)ide of the (L)og4j (F)orce, the ultimate log4j vulnerabilities assessor

If you are worried about being found perhaps try taking cover under a blanket. Pure Python PowerShell Obfuscator

A proxy for asyncio.AbstractEventLoop for testing purposes

Obfuscate your python code into a string of integers. De-obfuscate also supported.

Tool to decrypt iOS apps using r2frida

BF-Hash - A Python Tool to decrypt hashes by brute force

Source code for "A Two-Stream AMR-enhanced Model for Document-level Event Argument Extraction" @ NAACL 2022

This is a Cryptographied Password Manager, a tool for storing Passwords in a Secure way