JSONBee – A Ready To Use JSONP Endpoints/Payloads To Help Bypass Content Security Policy Of Different Websites

Ready-to-use JSONP endpoints to help bypass the content security policy of different websites.
The tool was presented during HackIT 2020 in Kiev. The presentation can be found here (not sure why the format of the slides is screwed :D): https://www.slideshare.net/Hacken_Ecosystem/ebrahem-hegazy-bug-hunters-manual-for-bypassing-contentsecuritypolicy
website in an automated way. JSONBee takes a URL name as input, parses the CSP (Content-Security-Policy), and automatically suggests the XSS payload that would bypass the CSP. It mainly focuses on JSONP endpoints gathered during my bug bounty hunting activities that could be used to bypass the CSP.
JSONBee relies on 3 methods to gather the JSONP endpoints:

  • The repository within this project;
  • Google dorks;
  • Internet archive (

The tool isn't yet fully completed as I'm still adding some validations and features too. However, the repository will be hosted here so that anyone can use it till the tool is ready.
The repo contains ready-to-use payloads that can bypass CSP for, and more.
Bypassing Content-Security policy: allows * in its CSP policy (script-src directive), thus, the payload below would work like a charm to execute JavaScript on ">
If you come across a website that trusts any of the domains in the jsonp.txt file in its script-src directive, then pick up a payload that matches the domain and have fun 🙂
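The same check run from the defender's side, as an added example that is not part of JSONBee: it parses a policy and lists the script-src entries that match a host known to serve JSONP, so those allowlist entries can be tightened or replaced with nonces. The host list and the sample policy are constructed placeholders; it assumes hostnames have been extracted from a list such as jsonp.txt.

```python
# Constructed sample list (assumption): hosts known to expose a JSONP endpoint.
# In practice, fill this with the hostnames taken from a list such as jsonp.txt.
JSONP_HOSTS = {"api.jsonp-host.example", "widgets.cdn.example"}

# Constructed sample policy for the demonstration.
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' 'nonce-abc123' *.cdn.example https://static.site.example; "
              "object-src 'none'")


def script_sources(csp):
    """Return the source list governing scripts: script-src, else default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("script-src", directives.get("default-src", []))


def host_matches(source, host):
    """Match one CSP source expression against a hostname (paths and ports ignored)."""
    src = source.lower()
    if src.startswith("'"):                 # 'self', nonces, hashes, other keywords
        return False
    if src in ("*", "https:", "http:"):     # wildcard or bare scheme: any host passes
        return True
    pattern = src.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if pattern == "*":
        return True
    if pattern.startswith("*."):            # *.example matches subdomains only
        return host.endswith(pattern[1:])
    return host == pattern


def risky_sources(csp, jsonp_hosts=JSONP_HOSTS):
    """Map each script source to the known JSONP hosts it would allow."""
    findings = {}
    for source in script_sources(csp):
        hits = sorted(h for h in jsonp_hosts if host_matches(source, h))
        if hits:
            findings[source] = hits
    return findings


if __name__ == "__main__":
    for source, hosts in risky_sources(SAMPLE_CSP).items():
        print(f"script-src entry {source!r} allows JSONP host(s): {', '.join(hosts)}")
```

An empty result only means none of the listed hosts is allowed; it says nothing about JSONP endpoints missing from the list.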

How can you help?
You are all welcome to contribute by adding links to sites that use JSONP endpoints/callbacks to make the repo bigger and more useful for bug hunters, pentesters, and security researchers.
