🛠️ CSP (Content Security Policy)
<meta> HTML tag. It is mainly used to protect against Cross-Site Scripting (XSS), clickjacking and code injection attacks.
The Content-Security-Policy is made up of directives, separated with a semicolon (;). Here is an example:
If the CSP is weak, there are a few techniques to bypass it.
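One way to check a policy for the weaknesses these techniques rely on, as an added example (not code from the original page): a small JavaScript auditor that splits the header into its directives and flags risky script sources and missing directives. The function names, finding labels and sample policies are assumptions constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for common weaknesses.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src and object-src fall back to default-src when absent.
  const scripts = policy.get('script-src') || policy.get('default-src');
  if (!scripts) {
    findings.push('script-src-missing');
  } else {
    const low = scripts.map(s => s.toLowerCase());
    const hasNonceOrHash = low.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    const strictDynamic = low.includes("'strict-dynamic'");
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if (low.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push('unsafe-inline');
    if (low.includes("'unsafe-eval'")) findings.push('unsafe-eval');
    // With 'strict-dynamic', host and scheme sources are ignored, so skip them.
    for (const s of strictDynamic ? [] : low) {
      if (s.startsWith("'")) continue; // keyword, nonce or hash
      if (s === '*' || /^(https?|data):$/.test(s)) findings.push('broad-source:' + s);
      else findings.push('review-allowlisted-host:' + s); // e.g. hosts serving JSONP
    }
  }
  if (!policy.has('object-src') && !policy.has('default-src')) findings.push('object-src-missing');
  // These directives do NOT fall back to default-src.
  for (const d of ['base-uri', 'form-action', 'frame-ancestors'])
    if (!policy.has(d)) findings.push(d + '-missing');
  return findings;
}

// Constructed sample policies (not taken from any real site).
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https: cdn.example.com";
const STRICT = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; " +
  "base-uri 'none'; form-action 'self'; frame-ancestors 'none'";

console.log(auditCsp(WEAK));
console.log(auditCsp(STRICT));
```

The second policy produces no findings because the nonce and 'strict-dynamic' make the browser ignore the 'unsafe-inline' and https: fallbacks. frame-ancestors is ignored when the policy is delivered through a <meta> tag, so clickjacking protection needs the HTTP header.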
Dangling markup injection is a technique that can be used to capture data cross-domain in situations where a full Cross Site Scripting (XSS) exploit is not possible, due to input filters or other defenses. It can often be exploited to capture sensitive information that is visible to other users, including CSRF tokens that can be used to perform unauthorized actions on behalf of the user.
A lot of useful payloads can be found here:
Here is a list of various JSONP endpoints that can be used to perform code injections: