Not usual CSP bypass case

Karol Mazurek
5 min read · Dec 12, 2022

CSP default-src ‘self’ — bypass using the error page.

INTRODUCTION

During one of my penetration tests, I managed to chain three application issues that together made a Stored XSS exploitable.

The vulnerability combines three flaws in the application:

  1. Unrestricted file upload.
  2. Misconfigured Content Security Policy.
  3. Application error response body controlled by the user.

1. UNRESTRICTED FILE UPLOAD

The application allows users to upload images, and there is a whitelist of extensions that can be uploaded (.png | .jpg). All uploaded files are stored in the web-root folder of the server. For instance:

  • https://example.com/74d673a21b5f5d54cbc22fc3b24bcb5e.iix

The first issue is that the server accepts whatever Content-Type the client specifies for the uploaded file and keeps it, even when the extension in the request is .png or .jpg.

The trick is to append a fragment of a real JPG file at the bottom of the uploaded content:

ÿØÿàJFIFÿáVExifMM*>F(ÿâ°ICC_PROFILE lcms0mntrRGB XYZ

One thing to keep in mind is that an SVG file normally starts with:

<?xml version="1.0" standalone="no"?>…
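The upload check described above fails because it trusts the client's Content-Type and looks for an image signature anywhere in the body, so a file that starts with XML markup and ends with a JPG fragment is stored and later served as whatever type the client claimed. The following is an added example, not code from the original post or the tested application: a naive validator modelled on that behaviour (hypothetical) next to a hardened one that derives the type from the bytes at offset 0, requires it to match the extension, ignores the client header and serves the file with `nosniff`. The three sample files are constructed inline.

```python
"""Naive vs. hardened image-upload validation (added example, constructed samples)."""
import os

# Signatures a genuine image must carry at offset 0.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
ALLOWED_EXT = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def naive_accept(filename: str, client_content_type: str, data: bytes):
    """Hypothetical weak validator: extension whitelist plus an image signature
    found *anywhere* in the body; the client-supplied Content-Type is stored
    verbatim and echoed back when the file is served. Returns the type that
    will be served, or None if the upload is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if not any(sig in data for sig in MAGIC.values()):   # substring search, not offset 0
        return None
    return client_content_type                            # trusts the request header


def hardened_accept(filename: str, client_content_type: str, data: bytes):
    """Hardened validator: the signature must sit at offset 0 and agree with the
    extension; client_content_type is deliberately ignored. Returns the response
    headers to use when serving the file, or None to reject the upload."""
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED_EXT.get(ext)
    if expected is None or not data.startswith(MAGIC[expected]):
        return None
    return {
        "Content-Type": expected,               # derived from the bytes, not the request
        "X-Content-Type-Options": "nosniff",    # stop the browser from re-sniffing the type
    }


# Constructed samples (not real uploads).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64 + b"\xff\xd9"
REAL_PNG = MAGIC["image/png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
# Markup first, JPG fragment appended at the bottom, as the post describes.
POLYGLOT = (
    b'<?xml version="1.0" standalone="no"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"></svg>\n'
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
)


def run_samples():
    """Run both validators over the samples; value is (naive result, hardened type or None)."""
    cases = {
        "real_jpeg": ("photo.jpg", "image/jpeg", REAL_JPEG),
        "real_png": ("logo.png", "image/png", REAL_PNG),
        "polyglot": ("cat.jpg", "image/svg+xml", POLYGLOT),   # client lies about the type
        "wrong_ext": ("cat.png", "image/png", REAL_JPEG),      # extension and bytes disagree
    }
    results = {}
    for name, case in cases.items():
        headers = hardened_accept(*case)
        results[name] = (naive_accept(*case), headers["Content-Type"] if headers else None)
    return results


if __name__ == "__main__":
    for name, (naive, hardened) in run_samples().items():
        print(f"{name:10s} naive serves as {naive!r:18} hardened serves as {hardened!r}")
```

The naive path stores the polyglot and will later serve it as `image/svg+xml`; the hardened path rejects it because the first bytes are not a JPEG signature, and every accepted file is served with a server-chosen type and `X-Content-Type-Options: nosniff`, so the stored Content-Type can no longer be steered by the uploader.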
