I'm trying an XSS challenge. I found an exploit that breaks CSP by using a JSONP callback. I can get an alert to pop up by putting something like:

<script src="https://whitelisted.jsonp?callback=alert#1"></script>

But I'm having trouble trying to get it to send an HTTP request. I've tried putting functions changing window.location, but it doesn't seem to execute any of my anon functions.

  • ahh, I got it by using a different jsonp endpoint that allows me to just put window.location.replace – Alex Sep 15 '19 at 02:31
  • I'm glad you were able to solve your problem. Please write an answer down below that roughly describes how you solved the problem, in case others run into the same or a similar situation. –  Sep 15 '19 at 10:27
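
From the defender's side, the weakness described in the question is a `script-src` that trusts a whole host, so every script that host serves (JSONP endpoints included) is allowed. The following is an added example, not part of the original question or its comments: a small policy audit that reports whether a host allowlist is actually in effect. The function names and sample policies are constructed, and the `'strict-dynamic'` handling assumes a browser that implements CSP Level 3.

```javascript
// Added example; function names and the sample policies are constructed.
function effectiveScriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !directives.has(key)) directives.set(key, values);
  }
  // script-src falls back to default-src when it is absent.
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function auditScriptSrc(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) {
    // No script-src and no default-src: scripts are not restricted at all.
    return { restricted: false, hostSources: [], allowlistInEffect: false };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const strictDynamic = lower.includes("'strict-dynamic'");
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // Unquoted tokens are host or scheme sources; 'self' also allows by origin.
  const hostSources = sources.filter(
    (s, i) => !/^'.*'$/.test(s) || lower[i] === "'self'"
  );
  // With 'strict-dynamic' (CSP Level 3) host and scheme sources are ignored,
  // so a parser-inserted <script src> needs a valid nonce (or hash) to load.
  const allowlistInEffect = hostSources.length > 0 && !strictDynamic;
  return { restricted: true, hostSources, hasNonceOrHash, strictDynamic, allowlistInEffect };
}

// Constructed sample policies; the host is the placeholder used in the question.
const samplePolicies = [
  "default-src 'self'; script-src 'self' https://whitelisted.jsonp",
  "script-src 'nonce-abc123' 'strict-dynamic' https://whitelisted.jsonp",
];
for (const p of samplePolicies) {
  console.log(p, '->', JSON.stringify(auditScriptSrc(p)));
}
```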
