Another CSP nonce bypass, this time for reflected XSS: http://sebastian-lekies.de/csp/attacker2.php …. I will collect more bypasses here: https://goo.gl/t5VLIX
Replying to @slekies
At first glance I believe https://github.com/w3c/webappsec-csp/issues/98 … from
@arturjanc would cover this specific case. (cc @mikewest)
Replying to @randomdross @slekies and
Here markup is stolen, nonce is extracted, then injected. The mitigation wouldn't work here I think.
Replying to @molnar_g @randomdross and
Why? It seems like that proposal addresses Sebastian's concern for this PoC.
Replying to @sirdarckcat @molnar_g and
For the second PoC it would work, but I think Gabor is referring to the first one.
Replying to @slekies @sirdarckcat and
There are others where it would not work.
Right, I couldn't get the XXE idea to work yet. XXE isn't as cool as it used to be :-)
Replying to @sirdarckcat @molnar_g
I wonder if there are framework-based ways. E.g. with custom tags in Polymer or expressions in Angular.
Yes, but CSP is useless in those cases already.
Maybe you should add those to the list, actually.
You might also want to look at https://csp.withgoogle.com/docs/faq.html#caveats … which covers similar attacks, though at a higher level.