Bypassing Content Security Policy via ajax.googleapis.com

by Dawid Czagan

Content Security Policy (CSP) is one of the most important browser-side defenses against cross-site scripting in modern web applications. Many developers add ajax.googleapis.com to their script-src definitions, because they load libraries such as jQuery from this very popular CDN. The problem is that allowlisting the whole host also trusts every other file served from it: an attacker who can inject HTML into the page can load a script gadget hosted there (AngularJS is the classic one) and use it to execute arbitrary JavaScript, so the CSP is completely bypassed, and obviously you don't want that to happen.
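To make the configuration mistake concrete, here is an added example (not code from the original post or from Dawid Czagan): a small linter for the script-src part of a Content-Security-Policy header. It flags a whole-host allowlist entry for ajax.googleapis.com and a few similar CDNs, and stays quiet for two safer forms of the same policy, one that pins the exact library path and one that uses a nonce with 'strict-dynamic'. The CDN list and the three sample policies are constructed for the example, not taken from the post.

```javascript
// Added example, not part of the original post.
// Hosts known to serve script gadgets (AngularJS, JSONP endpoints) that let an
// attacker run script once the whole host is trusted. Constructed sample list,
// not an exhaustive catalogue.
const BYPASSABLE_HOSTS = new Set([
  'ajax.googleapis.com',
  'cdnjs.cloudflare.com',
  'cdn.jsdelivr.net',
  'unpkg.com',
]);

// Split "directive src src; directive ..." into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Browsers ignore a repeated directive; keep the first occurrence.
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src governs script loading; default-src is the fallback when it is absent.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Split a host-source expression into host and path. Returns null for keyword
// sources ('self', 'nonce-...'), scheme sources (https:, data:) and '*'.
function splitHostSource(src) {
  if (src === '*' || src.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/i.test(src)) return null;
  const withoutScheme = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const slash = withoutScheme.indexOf('/');
  const hostPort = slash === -1 ? withoutScheme : withoutScheme.slice(0, slash);
  const path = slash === -1 ? '' : withoutScheme.slice(slash);
  return { host: hostPort.split(':')[0].toLowerCase(), path };
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function lintScriptSrc(header) {
  const findings = [];
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    findings.push('no script-src or default-src: script loading is unrestricted');
    return findings;
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");

  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' without a nonce or hash: inline script injection is not blocked");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval': eval and Function are allowed, widening what a loaded gadget can do");
  }
  // With 'strict-dynamic' plus a nonce or hash, CSP3 browsers ignore host
  // allowlists entirely, so the host entries below are inert.
  if (strictDynamic && hasNonceOrHash) return findings;

  for (const src of lower) {
    const parsed = splitHostSource(src);
    if (parsed === null) {
      if (src === '*' || src === 'https:' || src === 'http:' || src === 'data:') {
        findings.push(`${src}: scripts may be loaded from any origin matching this source`);
      }
      continue;
    }
    const wholeHost = parsed.path === '' || parsed.path === '/';
    if (parsed.host.startsWith('*.')) {
      findings.push(`${src}: wildcard subdomain allowlist; any script on any subdomain is trusted`);
    } else if (wholeHost && BYPASSABLE_HOSTS.has(parsed.host)) {
      findings.push(`${src}: whole host trusted; an attacker can load AngularJS or a JSONP endpoint from it to run script`);
    }
  }
  return findings;
}

// Constructed sample policies: the weak one from the post, and two safer variants.
const WEAK_CSP = "default-src 'self'; script-src 'self' https://ajax.googleapis.com";
const PINNED_CSP = "default-src 'self'; script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js";
const STRICT_CSP = "default-src 'self'; script-src 'nonce-r4nd0mValue' 'strict-dynamic' https://ajax.googleapis.com";

console.log(lintScriptSrc(WEAK_CSP));   // one finding for ajax.googleapis.com
console.log(lintScriptSrc(PINNED_CSP)); // []
console.log(lintScriptSrc(STRICT_CSP)); // []
```

Pinning the full path works because a CSP host source with a non-slash-terminated path must match the request path exactly, so angular.js under the same host is not allowed; the nonce plus 'strict-dynamic' form is the more robust fix, since it does not depend on host allowlists at all. One caveat a practitioner should keep in mind: CSP drops path matching after a redirect, so a pinned path still has to be served without redirects.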

In a free video Dawid Czagan (Nullcon instructor) will show you step by step how your CSP can be bypassed by hackers.

Watch this free video and get a taste of Dawid Czagan's training Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation (Nullcon 2023, 11-12 March; detailed description is here).


Author

Dawid Czagan

Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, and other companies. Due to the severity of many bugs, he received numerous awards for his findings.