This article discusses a successful Content Security Policy (CSP) bypass exploit, demonstrating how to execute a script through an iframe's srcdoc attribute despite restrictions on script execution in a web application.
Key points:
- Author: Syed Mushfik Hasan Tahsin, a 20-year-old cyber security enthusiast from Bangladesh.
- Focus on Bug Bounty activities and exploring web vulnerabilities.
- A CSP bypass was discovered that initially seemed trivial but revealed complexities during testing.
- The target had an input for template names that was sanitized, but a delete button led to an unsanitized confirmation modal.
- Experimenting with an injected XSS payload resulted in a successful reflection but no visible alert due to CSP restrictions.
- The Content-Security-Policy did not allow for inline scripts, preventing normal XSS techniques.
- The article discusses the use of the script tag sourced from whitelisted URLs like Google Maps.
- Despite being injected without errors, script tags did not execute because the injected markup was handled by the .innerHTML property.
- A workaround was found using the iframe tag with the srcdoc attribute to execute scripts.
- Successful payload: [payload markup not preserved in this summary].
- Exploit execution displayed the cookies successfully in a popup.
- The article serves as a detailed reference for understanding web vulnerabilities and testing methodologies.
- Author shares links to social media and a YouTube channel for further engagement.
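The root cause summarized above is the unsanitized confirmation modal: the template name was escaped in one place but interpolated raw into another. The following is an added example (not code from the article or its author) showing the two renderings side by side and a check that a unit test can run; the modal markup, the function names and the payload shape are constructed assumptions, and the script host is a placeholder rather than any real allowlisted origin.

```javascript
// Added example: escape a user-controlled template name before it is
// interpolated into a delete-confirmation modal. Function names, markup
// and the sample payload are assumptions, not the article's own code.

function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Vulnerable rendering: raw interpolation, the pattern the article describes
// for the delete-confirmation modal.
function renderDeleteModalUnsafe(templateName) {
  return `<div class="modal">Delete template "${templateName}"?</div>`;
}

// Fixed rendering: the same modal with every interpolation escaped.
function renderDeleteModalSafe(templateName) {
  return `<div class="modal">Delete template "${escapeHtml(templateName)}"?</div>`;
}

// Constructed sample input in the shape the article describes: an iframe whose
// srcdoc carries a script tag pointing at an allow-listed host. The host is a
// placeholder; this is not the article's payload.
const CONSTRUCTED_TEMPLATE_NAME =
  '"><iframe srcdoc="<script src=https://allowlisted.example/x.js></script>"></iframe>';

// Test helper: does rendered markup still contain an active element such as
// iframe or script? Useful as a regression check for every template that
// interpolates user input.
function containsActiveElement(html) {
  return /<\s*(iframe|script)\b/i.test(html);
}

// Standalone demonstration.
console.log('unsafe:', containsActiveElement(renderDeleteModalUnsafe(CONSTRUCTED_TEMPLATE_NAME)));
console.log('safe:  ', containsActiveElement(renderDeleteModalSafe(CONSTRUCTED_TEMPLATE_NAME)));
```

When the modal is built in the browser rather than as a string, the equivalent fix is to set the template name with `textContent` on a text node instead of assigning markup through `innerHTML`; the escaping above is what a server-side or string-templating path needs, and the `containsActiveElement` check is cheap enough to run over every rendered view in a test suite.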
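The second lesson in the summary is that a CSP built on a host allowlist still lets any script served from an allowlisted origin run, and a parser-inserted script tag (here, inside an iframe srcdoc) is not stopped by the innerHTML behaviour that blocked the first attempt. The following added example (not from the article) is a small CSP header auditor that flags the policy properties behind that bypass; the two policy strings are constructed illustrations and the Google Maps-style host is a placeholder, not the target's real header.

```javascript
// Added example: audit a Content-Security-Policy header for the weaknesses
// relevant to an allow-list bypass. Policy strings below are constructed;
// the allow-listed host is a placeholder.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const scriptSrc = d.get('script-src') || d.get('default-src') || [];

  const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  const hasStrictDynamic = scriptSrc.includes("'strict-dynamic'");
  // Keyword sources are quoted ('self', 'none', ...); everything else is a host or scheme.
  const hostAllowlist = scriptSrc.filter((v) => !v.startsWith("'"));

  // 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present.
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push({ code: 'UNSAFE_INLINE', message: 'script-src permits inline scripts' });
  }
  if (hostAllowlist.length > 0 && !hasStrictDynamic) {
    findings.push({
      code: 'HOST_ALLOWLIST',
      message: 'script-src trusts whole origins (' + hostAllowlist.join(', ') +
        '); any script those origins serve will run, including one loaded from an iframe srcdoc. ' +
        "Prefer a per-response nonce with 'strict-dynamic'.",
    });
  }
  if (!d.has('frame-src') && !d.has('child-src') && !d.has('default-src')) {
    findings.push({ code: 'NO_FRAME_SRC', message: 'nested browsing contexts are unrestricted' });
  }
  if (!d.has('object-src') && !d.has('default-src')) {
    findings.push({ code: 'NO_OBJECT_SRC', message: 'plugin content is unrestricted' });
  }
  if (!d.has('base-uri')) {
    findings.push({ code: 'NO_BASE_URI', message: 'a <base> tag could redirect relative script URLs' });
  }
  return findings;
}

// Constructed policies. The weak one mirrors the shape the article implies:
// no inline scripts, but a trusted third-party origin.
const WEAK_POLICY = "script-src 'self' https://maps.allowlisted.example; object-src 'none'";
// Hardened shape: nonce plus 'strict-dynamic', so host allow-lists are ignored
// and only scripts the server tagged (and scripts they load) execute.
const HARDENED_POLICY =
  "script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; object-src 'none'; base-uri 'none'; frame-src 'none'";

// Standalone demonstration.
for (const f of auditCsp(WEAK_POLICY)) console.log(f.code + ': ' + f.message);
console.log('hardened findings:', auditCsp(HARDENED_POLICY).length);
```

The auditor is deliberately small: it does not resolve whether a given allowlisted origin actually hosts a script that can be abused, it only reports that the policy's safety now depends on every file every allowlisted origin serves. A nonce-based policy removes that dependency, and the `NO_BASE_URI` and `NO_FRAME_SRC` findings are the directives most often forgotten when a policy is written only with inline scripts in mind.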