{"detect":{"cwe":"CWE-79","exploit_examples":["/csp-bypass/?q=%3Cscript%20src=%22/csp-bypass/jsonp?cb=alert(1)//%22%3E%3C/script%3E"],"notes":"Detecting *just the CSP* as misconfigured is also valid \u2014 the presence of a reflective JSONP endpoint on the same origin neutralizes script-src 'self'.","owasp":"A03:2021 \u2014 Injection (XSS)","scanner_should_fire":true,"sinks":["jinja Markup(user_input) + <script src=/jsonp?cb=...>"],"subtype":"csp-bypass-via-same-origin-jsonp","success_markers":["alert(1)"],"tags":["csp","script-src-self","jsonp-callback","bypass"]},"lab_url":"/csp-bypass/","sink":"Markup() / |safe","slug":"csp-bypass","source_url":"/source/csp-bypass","summary":"CSP looks restrictive (script-src 'self') but same-origin /jsonp is a callback bypass.","title":"Reflected XSS behind a CSP that has a JSONP endpoint on-origin","vulnerable":true}