Bug Bounty Stories #3: Docstring Injection to XSS

So the weekend came and I was pretty excited to drive this issue forward to a potential XSS so I can in turn convert this to RCE if possible!

And hastily I crafted a simple looking XSS payload and put it in the docstring and bam… nothing happened :/

And since it was not the browser, I couldn’t even see the console logs :(

Now? Code dive? No that’s too tedious. Then?

I turned onto my friend — Google — and looked up on how I can see the console messages and indeed I found the answers I was looking for!

So now I had ability to view console log messages. I tried my XSS payload again and found that it was being blocked due to a CSP (Content Security Policy)!!!

That was quite reassuring though. Atleast I am 1 step ahead and managed to confirm XSS can happen (if I bypass CSP ofcourse!)

So now my goal was to bypass the CSP policy and then I have XSS on the code editor! I looked at the CSP carefully and having a lot of experience in breaking CSP policies, I was sure I can definitely find a way to break this one too…

I looked and looked and looked but found nothing sadly…

The CSP looked pretty secure — no unsafe inline, use of nonces that update and are pretty random, looked quite big and non-bruteforcable!

Now I felt like I can only do HTML/CSS injection but nothing else, no JS, no FUN :(

But then suddenly I found a way to bypass that CSP policy!

How? You can read more on that part here:

Ofcourse that counts as the first issue — CSP bypass.

Next one is the Content Injection, which this post addresses ;)

So once the CSP was bypassed due to the having current timestamp as the prefix leading to bruteforce attacks on them, the road to XSS was straight forward! And now I had full content injection — HTML, CSS and JS injection!

The application was quite protected in terms of restricting access to the nodejs integrations and thus RCE was not possible, sad but what can I do haha…