This tool allows to automatically test for Content Security Policy bypass payloads.

Last update: Nov 22, 2022

Overview

CSPass

This tool allows to automatically test for Content Security Policy bypass payloads.

Usage

[cspass]$ ./cspass.py -h
usage: cspass.py [-h] [--no-colors] [-d] [-a] -t TARGET

Bypass CSP to perform a XSS

optional arguments:
  -h, --help            show this help message and exit
  --no-colors           Disable color mode
  -d, --dynamic         Use dynamic mode
  -a, --all-pages       Looking for vulnerability in all pages could be found

Required argument:
  -t TARGET, --target TARGET
                        Specify the target url

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i

17 Dec 20, 2021

Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

137 Jan 2, 2023

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

5 May 10, 2022

RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

RedDrop Exfil Server Check out the accompanying MaverisLabs Blog Post Here! RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers,

53 Nov 1, 2022

Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

108 Dec 4, 2021

A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022

Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. (Released due to exposure)

HCaptcha-Bypass Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. Not working? If it is not seeming to work for you

17 Aug 23, 2021

ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)

ProxyShell Install git clone https://github.com/ktecv2000/ProxyShell cd ProxyShell virtualenv -p $(which python3) venv source venv/bin/activate pip3 i

312 Dec 9, 2022

Bypass 4xx HTTP response status codes.

Forbidden Bypass 4xx HTTP response status codes. To see all the test cases, check the source code - follow the NOTE comments. Script uses multithreadi

165 Dec 28, 2022

Comments

Issue when formatting CSP

Hi, after your presentation for TheBlackSide, I just wanted to try your tool briefly ^^.

There seems to be an issue when formatting CSP. When running your tool, I have this issue: Traceback (most recent call last): File "cspass.py", line 364, in csps = page.format_csp() File "cspass.py", line 192, in format_csp csp[policyname] = " ".join(self.csp[policyname]) TypeError: 'str' object does not support item assignment

I did not read the code thoroughly and do not have a lot of time today, but I think you probably just have an indentation issue in format_csp function (seems to work on my tests when fixing it and it did not seem to break something else (I only saw one call to format_csp)) : "csp = json.dumps(csp,indent=4 )" should not be in the for loop because then it is a string and no more a dictionary, so if you have more than one policy "policyname", it crashes. Just change its indentation (same as your "return csp" line just after).

Thanks for your tool :)
bug

opened by T0t0-0r0 1

Releases(v1.2)

v1.2(Jan 28, 2022)

Features added: - Set cookies in requests - Policies fallback are used - Some patches are detected to reduce false positives

Docker added with 3 vulnerable pages to try CSPass!
Source code(tar.gz)
Source code(zip)

1.1(Nov 1, 2021)

CSPass

This tool allows to automatically test for Content Security Policy bypass payloads.

Usage

[cspass]$ ./cspass.py -h
usage: cspass.py [-h] [--no-colors] [-d] [-a] -t TARGET

Bypass CSP to perform a XSS

optional arguments:
  -h, --help            show this help message and exit
  --no-colors           Disable color mode
  -d, --dynamic         Use dynamic mode
  -a, --all-pages       Looking for vulnerability in all pages could be found

Required argument:
  -t TARGET, --target TARGET
                        Specify the target url

Source code(tar.gz)
Source code(zip)

Owner

Ruulian

GitHub Repository https://0xhorizon.eu/

Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Automated tool to exploit basic buffer overflow (remotely or locally) & (x32 or x64)

5 Oct 09, 2022

A Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

3 Mar 24, 2022

ONT Analysis Toolkit (OAT)

A toolkit for monitoring ONT MinION sequencing, followed by data analysis, for viral genomes amplified with tiled amplicon sequencing.

6 Jun 14, 2022

Keystroke logging, often referred to as keylogging or keyboard capturing

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware

2 Jan 11, 2022

A semi-automatic osint/recon framework.

Smog Framework A semi-automatic osint/recon framework. Requirements git Python = 3.8 How to use it

22 Oct 17, 2022

A brute force tool for password-protected zip file

Bzip A brute force tool for password-protected zip file/folder(s). Note that this tool can only crack .zip files. Please DO not misuse. Installation g

3 Nov 13, 2021

Security tool to test different bypass of forbidden

notForbidden Security tool to test different bypass of forbidden Usage python3 notForbidden.py URL Features Bypass with different methods (POST, OPT

6 Sep 08, 2022

Python library to remotely extract credentials on a set of hosts.

1.5k Dec 31, 2022

Generate obfuscated meterpreter shells

Generator Evade AV with obfuscated payloads Installation must install dotnet prior to running the script with net45 Running ./generator.py -ip Your-I

219 Nov 28, 2022

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection Usage usage: cve-2021-26084_confluence_rce.py [-h] --url URL [--cmd CMD] [--shell] CVE-2021-2

92 Jul 20, 2022

python driver for fingerprint machine (ZKTeco biometrics)

fpmachine python driver for fingerprint machine (ZKTeco biometrics) support until now 2 model supported and tested ZMM100_TFT and ZMM220_TFT install p

4 Oct 06, 2022

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).

Flask-SeaSurf SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF). CSRF vulnerabilities have been found in large and popular

183 Dec 28, 2022

High level cheatsheet that was designed to make checks on the OSCP more manageable

High level cheatsheet that was designed to make checks on the OSCP more manageable. This repository however could also be used for your own studying or for evaluating test systems like on HackTheBox

89 Jan 01, 2023

Separate handling of protected media in Django, with X-Sendfile support

Django Protected Media Django Protected Media is a Django app that manages media that are considered sensitive in a protected fashion. Not only does t

46 Nov 12, 2022

This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device

f5-waf-enforce-sigs-CVE-2021-44228 This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device Overview This script enforce

5 Mar 31, 2022

A simple Outline Server Access Key Copy and Paste Web Interface

Outline Keychain A simple Outline Server Access Key Copy and Paste Web Interface Developed for key and password export and copy & paste for other Shad

1 Dec 28, 2021

This is a Crypto asset tracker that I built to aid my personal journey in cryptocurrencies.

Wallet Tracker This is a Crypto asset tracker that I built to aid my personal journey in cryptocurrencies. build docker build -t wallet-tracker . run

2 Mar 21, 2022

Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

329 Jan 01, 2023

Linus-png.github.io - Versionsverwaltung & Open Source Hausaufgabe

Let's Git - Versionsverwaltung & Open Source Hausaufgabe Herzlich Willkommen zu

1 Jan 24, 2022

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanni

12 Dec 02, 2022

This tool allows to automatically test for Content Security Policy bypass payloads.

Related tags

Overview

CSPass

Usage

Contributing

You might also like...

Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

Deobfuscate Log4Shell payloads with ease

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

A python script to bypass 403-forbidden.

Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. (Released due to exposure)

ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)

Bypass 4xx HTTP response status codes.

Comments

Issue when formatting CSP

Releases(v1.2)

v1.2(Jan 28, 2022)

1.1(Nov 1, 2021)

CSPass

Usage

Owner

Ruulian

Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

A Python & JavaScript Obfuscator made in Python 3.

ONT Analysis Toolkit (OAT)

Keystroke logging, often referred to as keylogging or keyboard capturing

A semi-automatic osint/recon framework.

A brute force tool for password-protected zip file

Security tool to test different bypass of forbidden

Python library to remotely extract credentials on a set of hosts.

Generate obfuscated meterpreter shells

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

python driver for fingerprint machine (ZKTeco biometrics)

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).

High level cheatsheet that was designed to make checks on the OSCP more manageable

Separate handling of protected media in Django, with X-Sendfile support

This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device

A simple Outline Server Access Key Copy and Paste Web Interface

This is a Crypto asset tracker that I built to aid my personal journey in cryptocurrencies.

Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

Linus-png.github.io - Versionsverwaltung & Open Source Hausaufgabe

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities