├── .github ├── FUNDING.yml └── ISSUE_TEMPLATE │ ├── feature_request.md │ └── bug_report.md ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md └── csp.go /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | liberapay: EdOverflow 2 | custom: https://www.buymeacoffee.com/edoverflow 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ### Go ### 2 | # Binaries for programs and plugins 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | 9 | # Test binary, built with `go test -c` 10 | *.test 11 | 12 | # Output of the go coverage tool, specifically when used with LiteIDE 13 | *.out 14 | 15 | # Dependency directories (remove the comment below to include it) 16 | # vendor/ 17 | 18 | ### Go Patch ### 19 | /vendor/ 20 | /Godeps/ 21 | 22 | script/ 23 | *.tgz 24 | *.zip 25 | csp 26 | 27 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | I welcome contributions from the public. 4 | 5 | ### Using the issue tracker 💡 6 | 7 | The issue tracker is the preferred channel for bug reports and features requests. 8 | 9 | ### Issues and labels 🏷 10 | 11 | The bug tracker utilizes several labels to help organize and identify issues. 12 | 13 | ### Guidelines for bug reports 🐛 14 | 15 | Use the GitHub issue search — check if the issue has already been reported. 16 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Version [e.g. 22] 29 | 30 | **Additional context** 31 | Add any other context about the problem here. 32 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 EdOverflow 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # csp 2 | 3 | Given a list of hosts, this small utility fetches all whitelisted domains from the hosts' CSPs. I use this for reconnaissance 4 | purposes while bug bounty hunting. 5 | 6 | Buy Me A Coffee 7 | 8 | # Usage 9 | 10 | ``` 11 | $ cat hosts.txt 12 | http://example.com/ 13 | $ cat hosts.txt | csp 14 | example.com 15 | subdomain.example.com 16 | ... 17 | ``` 18 | 19 | Set concurrency level using the `-c` flag. 20 | 21 | ``` 22 | $ csp -h 23 | Usage of csp: 24 | -c int 25 | set the concurrency level (default 20) 26 | $ cat hosts.txt | csp -c 2 27 | ... 28 | ``` 29 | 30 | # Installation 31 | 32 | ``` 33 | $ go get -u github.com/edoverflow/csp 34 | ``` 35 | 36 | You can also [download a binary](https://github.com/EdOverflow/csp/releases) and put it in your `$PATH` (e.g. in `/usr/bin/`). 37 | 38 | # Contributing 39 | 40 | I welcome contributions from the public. 41 | 42 | ### Using the issue tracker 💡 43 | 44 | The issue tracker is the preferred channel for bug reports and features requests. 45 | 46 | ### Issues and labels 🏷 47 | 48 | The bug tracker utilizes several labels to help organize and identify issues. 49 | 50 | ### Guidelines for bug reports 🐛 51 | 52 | Use the GitHub issue search — check if the issue has already been reported. 53 | 54 | # Credit 55 | 56 | Thank you to [@TomNomNom](https://github.com/tomnomnom), [@jimen0](https://github.com/jimen0), and [@003random](https://github.com/003random) for their help. 57 | -------------------------------------------------------------------------------- /csp.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | "crypto/tls" 6 | "errors" 7 | "flag" 8 | "fmt" 9 | "io" 10 | "io/ioutil" 11 | "net/http" 12 | "os" 13 | "regexp" 14 | "strings" 15 | "sync" 16 | "time" 17 | ) 18 | 19 | /* 20 | Given a list of hosts, this small utility fetches all whitelisted 21 | domains from the hosts' CSPs. I use this for reconnaissance 22 | purposes while bug bounty hunting. 23 | 24 | $ cat hosts.txt 25 | http://example.com/ 26 | $ cat hosts.txt | csp 27 | example.com 28 | subdomain.example.com 29 | ... 30 | */ 31 | 32 | // Forgive me, Father, for I have sinned. 33 | var r = regexp.MustCompile("(([a-zA-Z](-?[a-zA-Z0-9])*)\\.)+[a-zA-Z]{2,}") 34 | 35 | // Consider using https://github.com/tike/csp in future. 36 | 37 | // requestCSP requests and extracts CSP for a given URL. 38 | func requestCSP(client *http.Client, url string) ([]string, error) { 39 | req, err := http.NewRequest(http.MethodGet, url, nil) 40 | if err != nil { 41 | return nil, fmt.Errorf("could not create request: %v", err) 42 | } 43 | 44 | resp, err := client.Do(req) 45 | if err != nil { 46 | return nil, fmt.Errorf("could not send request: %v", err) 47 | } 48 | if resp == nil { 49 | return nil, errors.New("received nil response, cannot analyze") 50 | } 51 | defer resp.Body.Close() 52 | 53 | _, err = io.Copy(ioutil.Discard, resp.Body) 54 | if err != nil { 55 | return nil, fmt.Errorf("could not discard response body: %v", err) 56 | } 57 | 58 | csp := resp.Header.Get("Content-Security-Policy") 59 | results := r.FindAllString(csp, -1) 60 | 61 | return results, nil 62 | } 63 | 64 | func main() { 65 | concurrency := flag.Int("c", 20, "set the concurrency level") 66 | flag.Parse() 67 | 68 | urlsChannel := make(chan string) 69 | 70 | var wg sync.WaitGroup 71 | wg.Add(*concurrency) 72 | for i := 0; i < *concurrency; i++ { 73 | go func() { 74 | defer wg.Done() 75 | 76 | // Stolen from my mentor, TomNomNom! 🐑 77 | var tr = &http.Transport{ 78 | MaxIdleConns: 30, 79 | IdleConnTimeout: time.Second, 80 | DisableKeepAlives: true, 81 | TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, 82 | } 83 | 84 | client := &http.Client{ 85 | Transport: tr, 86 | Timeout: 2 * time.Second, 87 | } 88 | 89 | for url := range urlsChannel { 90 | res, err := requestCSP(client, url) 91 | if err != nil { 92 | fmt.Fprintf(os.Stderr, "could not get CSP: %v\n", err) 93 | continue 94 | } 95 | 96 | // Ensure we do not print out an empty string. 97 | if len(res) > 0 { 98 | fmt.Println(strings.Join(res, "\n")) 99 | } 100 | } 101 | }() 102 | } 103 | 104 | /* 105 | Read input from stdin. 106 | $ cat hosts.txt | csp 107 | */ 108 | sc := bufio.NewScanner(os.Stdin) 109 | for sc.Scan() { 110 | host := strings.ToLower(sc.Text()) 111 | urlsChannel <- host 112 | } 113 | 114 | if err := sc.Err(); err != nil { 115 | fmt.Fprintf(os.Stderr, "Failed to read input: %v\n", err) 116 | } 117 | 118 | close(urlsChannel) 119 | wg.Wait() 120 | } 121 | --------------------------------------------------------------------------------