Linux local electron application script-src: self bypass

While searching for an XSS to RCE exploit chain on the draw.io desktop Electron application, I faced a situation where I was able to get an HTML injection that wasn't sanitized but was blocked by a `script-src: self` CSP. The specificity of this application is that everything is loaded locally using `loadFile` (it could also be `loadUrl` with `file://`). At the time of my vulnerability research, as far as I know, there was no universal way to bypass this CSP in this specific context (except `file://smb-host/share/xss.js`, which no longer works if the user has not connected to the share at least once before). After some time, I came up with an interesting idea that unfortunately wasn't working on draw.io desktop… Therefore, since the approach was really interesting, I decided to write this article to share the tricks with you.