00: This should be safe.

10: In here, we are dealing with the following CSP header:
header("Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval'; ");
Learn: https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass#third-party-endpoints-+-unsafe-eval

11: Variation of 10:
Content-Security-Policy: script-src https://facebook.com https://google.com 'unsafe-inline' https://*; child-src 'none'; report-uri /Report-parsing-url;
The unsafe-inline allows for things like

13: We can load in scripts from cloudflare ... angular is hosted on cloudflare ... Load in angular and you are free to do as you wish:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}}
Learn: https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass#third-party-endpoints-+-unsafe-eval
Learn: https://medium.com/@bhaveshthakur2015/content-security-policy-csp-bypass-techniques-e3fa475bfe5d

14: Since we can load in data, we should masquerade our scripts as data :)

15: Since addthis offers a JSONP endpoint which we can conveniently import thanks to our CSP rules, we can make that endpoint execute arbitrary JS. Juicy ;) This lab is based on https://github.com/zigoo0/JSONBee and https://brutelogic.com.br/blog/csp-bypass-guidelines/

16: data:text/javascript;base64,alert('This is a CSP bypass attack!')
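As an added example (not part of the original labs or the linked write-ups), a small Python audit that parses a CSP value and flags the script-src weaknesses the levels above rely on: 'unsafe-eval' (level 10), 'unsafe-inline' and https://* (level 11), data: sources (levels 14/16), and allow-listed CDN hosts that serve AngularJS or JSONP endpoints (levels 13/15). The host list is an assumption that contains only the CDN the page names; extend it for your own environment.

```python
"""Audit the effective script-src of a CSP value for known-weak sources."""
import re

# Keyword sources that defeat the host allow-list outright.
RISKY_KEYWORDS = {
    "'unsafe-inline'": "inline scripts and event handlers execute (level 11)",
    "'unsafe-eval'": "eval/Function/Angular $eval string execution allowed (level 10)",
}
# Scheme or wildcard sources that effectively allow-list the whole web.
RISKY_SOURCES = {
    "data:": "data: URIs let script masquerade as data (levels 14/16)",
    "*": "wildcard allow-lists every origin",
}
# Hosts known to serve AngularJS or JSONP endpoints. Assumed list: only the
# CDN the page names is included; add the hosts your policy actually permits.
LIBRARY_OR_JSONP_HOSTS = {"cdnjs.cloudflare.com"}


def parse_csp(policy: str) -> dict:
    """Split a CSP value into {directive-name: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_script_src(policy: str) -> list:
    """Return one finding string per weak source in the effective script-src."""
    directives = parse_csp(policy)
    # script-src falls back to default-src; with neither, any script loads.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts from any origin allowed"]
    findings = []
    for src in sources:
        key = src.lower()
        if key in RISKY_KEYWORDS:
            findings.append(f"{src}: {RISKY_KEYWORDS[key]}")
        elif key in RISKY_SOURCES or re.fullmatch(r"[a-z]+://\*", key):
            reason = RISKY_SOURCES.get(key, "scheme-wide wildcard allow-lists every host")
            findings.append(f"{src}: {reason}")
        else:
            host = re.sub(r"^[a-z]+://", "", key).split("/")[0]
            if host in LIBRARY_OR_JSONP_HOSTS:
                findings.append(f"{src}: serves AngularJS/JSONP, so any script hosted there is loadable (levels 13/15)")
    return findings


if __name__ == "__main__":
    for policy in ("script-src https://cdnjs.cloudflare.com 'unsafe-eval'; ",
                   "script-src https://facebook.com https://google.com 'unsafe-inline' https://*; child-src 'none';"):
        print(policy.strip(), "->", audit_script_src(policy))
```

A policy built on 'self' plus per-response nonces produces no findings, which is the shape to aim for instead of host allow-lists that include general-purpose CDNs.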