this post was submitted on 02 Jul 2023
4 points (100.0% liked)

appsec

A community for all things related to application security.

You might have found HTML injection, but unfortunately identified that the site is protected with CSP. All is not lost: it might be possible to bypass CSP using DOM clobbering, which you can now detect using DOM Invader! In this post we’ll show you how.

We’ve based the test case on a bug bounty site, so you’re likely to encounter similar code in the wild. If you’re unfamiliar with DOM clobbering then head over to our Academy to learn about this attack class and solve the labs.

N7x 1 points 2 years ago

Always nice to see some content from PortSwigger