Vaulting over a .innerHTML sink in a Locked-Down CSP

This article discusses a successful Content Security Policy (CSP) bypass exploit, demonstrating how to execute a script through an iframe’s srcdoc attribute despite restrictions on script execution in a web application.

Key points:

  • Author: Syed Mushfik Hasan Tahsin, a 20-year-old cyber security enthusiast from Bangladesh.
  • Focus on Bug Bounty activities and exploring web vulnerabilities.
  • A CSP bypass was discovered that initially seemed trivial but revealed complexities during testing.
  • The target had an input for template names that was sanitized, but a delete button led to an unsanitized confirmation modal.
  • Experimenting with an injected XSS payload resulted in a successful reflection but no visible alert due to CSP restrictions.
  • The Content-Security-Policy did not allow for inline scripts, preventing normal XSS techniques.
  • The article discusses the use of the script tag sourced from whitelisted URLs like Google Maps.
  • Despite being injected without errors, the script tags did not execute, because markup assigned through the .innerHTML property does not run script elements.
  • A workaround was found using the iframe tag with the srcdoc attribute to execute scripts.
  • Successful payload: .
  • Exploit execution displayed the cookies successfully in a popup.
  • The article serves as a detailed reference for understanding web vulnerabilities and testing methodologies.
  • Author shares links to social media and a YouTube channel for further engagement.
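
The policy weaknesses the write-up turns on (a host allowlist for script-src, and no directive governing injected frames) can be checked mechanically. The following audit script is an added example written for this summary, not code from the original article or its author; the policy strings and the host maps.googleapis.com are constructed for illustration, since the target's real header is not reproduced here.

```javascript
// Added example (not from the original article): audit a Content-Security-Policy
// header value for the gaps a reflected-XSS-into-innerHTML sink can exploit.
// Policy strings below are constructed for illustration only.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Resolve a directive through its CSP fallback chain (e.g. script-src -> default-src).
// Returns null when nothing in the chain is set, i.e. the resource type is unrestricted.
function effectiveSources(policy, directive, fallbacks) {
  for (const name of [directive, ...fallbacks]) {
    if (policy[name]) return policy[name];
  }
  return null;
}

// Keyword sources are quoted ('self', 'none', 'nonce-...'); scheme sources end in ':'.
// Everything else is a host (or wildcard) source.
function isHostSource(src) {
  return !src.startsWith("'") && !src.endsWith(':');
}

// Return a list of human-readable findings; an empty list means no gap detected.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const scripts = effectiveSources(policy, 'script-src', ['default-src']);
  if (scripts === null) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
    return findings;
  }

  // A nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2+).
  const hasNonceOrHash = scripts.some(s =>
    s.startsWith("'nonce-") || s.startsWith("'sha256-") ||
    s.startsWith("'sha384-") || s.startsWith("'sha512-"));
  if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': a reflected payload executes directly");
  }

  // Host allowlists are only as safe as every script those hosts serve;
  // 'strict-dynamic' makes browsers ignore host sources, so it neutralises this.
  const hosts = scripts.filter(isHostSource);
  if (hosts.length > 0 && !scripts.includes("'strict-dynamic'")) {
    findings.push(`script-src allowlists host(s) ${hosts.join(', ')}: any script they serve is executable`);
  }

  // frame-src falls back to child-src, then default-src.
  const frames = effectiveSources(policy, 'frame-src', ['child-src', 'default-src']);
  if (frames === null) {
    findings.push('no frame-src/child-src/default-src: injected iframes are not restricted ' +
      '(a srcdoc frame still inherits the parent policy, so script-src remains the real control)');
  }
  return findings;
}

// Constructed policies: one shaped like the locked-down-but-allowlisting case in the
// write-up, and one nonce-based policy that closes the gaps.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' https://maps.googleapis.com; style-src 'self' 'unsafe-inline'";
const HARDENED_CSP =
  "default-src 'none'; script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic'; " +
  "frame-src 'none'; object-src 'none'; base-uri 'none'";

for (const [label, csp] of [['weak', WEAK_CSP], ['hardened', HARDENED_CSP]]) {
  console.log(`${label}:`, auditCsp(csp));
}
```

The audit does not try to prove a policy exploitable; it only reports the conditions under which an injected script or iframe element has something to work with. The nonce plus 'strict-dynamic' form is the one to reach for when a host allowlist cannot be kept free of script-serving endpoints.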

Full Story: https://infosecwriteups.com/vaulting-over-a-innerhtml-sink-in-a-locked-down-csp-a628be8ba9dc?source=rss—-7b722bfd1b8d—4