Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone
Summary
This article introduces two new tools, JSONPeek and CSP B Gone, designed to bypass Content Security Policy (CSP) using JSONP. CSP is a web security mechanism intended to prevent attacks like XSS by restricting resource sources.
IFF Assessment
FOE
The article describes a method and tools for bypassing a security mechanism, which represents an advancement for attackers.
Defender Context
Web application defenders need to be aware of how CSP can be bypassed, especially through legacy techniques like JSONP. Developers should ensure their CSP configurations are robust and consider alternative protection mechanisms if JSONP is a necessary but risky feature.
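One concrete way for a defender to act on this is to review the script-src directive of a deployed policy for the weakness that JSONP-based bypasses rely on: a host allowlist. If an allowlisted origin (including the application's own) serves a JSONP endpoint whose callback parameter is reflected into the response, that endpoint can return script the policy permits, which is why CSP3 guidance favours a nonce or hash with 'strict-dynamic' over host allowlists. The checker below is an added example, not code from the article or from the JSONPeek or CSP B Gone tools; the two sample policies and the hostnames in them are constructed for illustration.

```python
"""Static review of a Content-Security-Policy header for host-allowlist exposure.

Added example; the policies and hostnames below are constructed, not taken from
the article or from any real deployment.
"""

# Constructed sample policies (assumed, for illustration only).
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://api.example.com https://*.cdn.example.net"
)
HARDENED_POLICY = (
    "default-src 'self'; "
    "script-src 'nonce-r4nd0m' 'strict-dynamic' https:; "
    "object-src 'none'; base-uri 'none'"
)

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Split a CSP string into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *values = tokens
        directives[name.lower()] = values
    return directives


def script_sources(directives):
    """script-src governs scripts; when absent, default-src applies instead."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def is_broad_source(src):
    """Wildcard hosts and scheme-only entries admit an open-ended set of origins."""
    s = src.lower()
    return s == "*" or s.startswith("*.") or "://*." in s or s.endswith(":")


def assess_script_src(policy):
    """Return a list of findings describing why script-src may be bypassable."""
    srcs = script_sources(parse_csp(policy))
    lowered = [s.lower() for s in srcs]
    nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    strict_dynamic = "'strict-dynamic'" in lowered
    findings = []

    if not srcs:
        findings.append("no script-src or default-src: scripts load from any origin")
        return findings

    if "'unsafe-inline'" in lowered and not nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: inline script is not blocked")

    # With a nonce/hash plus 'strict-dynamic', CSP3 browsers ignore host and
    # scheme entries, so a JSONP endpoint on an allowlisted host no longer helps.
    if strict_dynamic and nonce_or_hash:
        return findings

    for src in srcs:
        if src.startswith("'"):
            continue  # keyword sources such as 'self' are handled below
        if is_broad_source(src):
            findings.append(
                f"broad allowlist entry {src}: any JSONP endpoint under it can return "
                "script the policy permits"
            )
        else:
            findings.append(
                f"host allowlist entry {src}: a JSONP endpoint on this host can return "
                "script the policy permits"
            )

    if "'self'" in lowered:
        findings.append(
            "'self' allowlisted: a JSONP endpoint on the application's own origin "
            "is also permitted"
        )
    if not nonce_or_hash:
        findings.append(
            "no nonce or hash: pair 'nonce-...' with 'strict-dynamic' so the host "
            "allowlist stops mattering"
        )
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}] {policy}")
        for finding in assess_script_src(policy) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately a heuristic: it cannot tell whether an allowlisted host actually exposes a JSONP endpoint, so every host entry is reported as a review item. Nonce-based policies with 'strict-dynamic' produce no findings because host entries are then inert in CSP3-capable browsers; older browsers still fall back to the allowlist, which is worth keeping in mind when reading a clean result.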