XSS (Static Nonce in CSP)

Scenario: The application is using a Content-Security-Policy (CSP) that blocks inline scripts from executing. There is a possibility of a Stored XSS as the application is not performing input validation or output encoding.

The following is the portion of CSP header:

Content-Security-Policy: ... script-src 'self' 'unsafe-eval' 'nonce-G3cdmbi5XK1gg-JadtzFMw' 'https://<trusted-url>' ...

From the above policy, we can note the following:

1. 'self': Can only load JavaScript from the same origin of app and scripts from external URL's will be blocked.

2. No 'unsafe-inline': we cannot execute inline scripts such as:

<script>
	doSomething();
</script>

OR

<button onClick="doSomething();">Do It</button>

Note: alert('XSS'); is also an example of a function call such as doSomething(); Both would be blocked.

3. 'nonce ...': Scripts with the specified nonce value can be executed.

Observation: After browsing the application for a while and observing the value of CSP header, we can conclude that the application does not rotate the nonce value with each HTTP request. This would increase the execution rate of our payload.

XSS Payload: The following payload successfully executed:

<script nonce="nonce-G3cdmbi5XK1gg-JadtzFMw">alert(document.domain);</script>

References:

unsafe-inline ⟶ CSP Guide

CSP Nonce ⟶ Examples and Guide