Gratipay: CSP Policy Bypass and javascript execution

ID H1:241192
Type hackerone
Reporter athuljayaram
Modified 2017-06-18T17:40:27


Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website — covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

Content-Security-Policy-Report-Only: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self';img-src *;font-src 'self' data:;block-all-mixed-content;report-uri;

In that policy there is also a report-uri directive, which makes the browser send a report as a POST request in case of a CSP violation to:

I have captured the CSP report request that is sent in case of a violation:

PUT /r/default/csp/reportOnly HTTP/1.1
Host:
Connection: close
Content-Length: 738
Origin:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.24 Safari/537.36
Content-Type: application/csp-report
Accept: /
DNT: 1
Referer:
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6

{
  "csp-report": {
    "document-uri": "",
    "referrer": "",
    "violated-directive": "connect-src",
    "effective-directive": "connect-src",
    "original-policy": "default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self';img-src *;font-src 'self' data:;block-all-mixed-content;report-uri;",
    "disposition": "report",
    "blocked-uri": "",
    "line-number": 8,
    "column-number": 26577,
    "source-file": "",
    "status-code": 0,
    "script-sample": ""
  }
}

I like to use $.get(''); as the input to demonstrate the CSP policy bypass.

By using $.get(''); I was able to bypass the allowed CSP policy: although the target is not an approved origin of content, I was still able to fetch it, and it did not issue a POST request (the report-uri attribute of CSP), which sends a report in case of any CSP violation.

So, using the $.get request, it did not send a CSP report; it read the remote content and executed the JavaScript.

SOLUTION Update your JavaScript libraries, mainly the jQuery components, to the latest version.