Exploiting CSP Wildcards for Google Domains

attack ships on fire

Feb 29

TL;DR The Google developer documentation includes CSP examples which use domain wildcards (which have been widely cut & pasted), and additionally there are numerous endpoints within the Google eTLDs which are vulnerable to Javascript XSS. These can be combined into an effective attack against any domain with an HTML injection vector that would be otherwise unexploitable.

3 Comments

attack ships on fire

Mar 1Author

Oh dear. ;)

<script src=https://www.google.com/complete/search?client=firefox&q=why&jsonp=%28alert%281%29%29></script>

Expand full comment

"they have updated the CSP documentation so that it no longer has the wildcards": which documentation? For maps, they still show the wilcards

Expand full comment

#nojs-banner { position: fixed; bottom: 0; left: 0; padding: 16px 16px 16px 32px; width: 100%; box-sizing: border-box; background: red; color: white; font-family: -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 13px; line-height: 13px; } #nojs-banner a { color: inherit; text-decoration: underline; } This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts