reddit hackernews mail facebook facebook linkedin


A ready to use JSONP endpoints/payloads to help bypass Content Security Policy.

The main idea behind this tool is to find the JSONP endpoint(s) that would help you bypass content security policy for your target website in an automated way. JSONBee takes an input of a url name, parses the CSP (Content-Security-Policy), and automatically suggest the XSS payload that would bypass the CSP. It mainly focuses on JSONP endpoints gathered during my bug bounty hunting activities, and could be used to bypass the CSP.

JSONBee relies on 3 methods to gather the JSONP endpoints:
- The repository within this project;
- Google dorks;
- Internet archive (