H4R3L's "Cookie XSS" affecting almost every Zoom page and subdomain demonstrates the effectiveness of experimenting with escape characters in cookie values.
It all started when @H4R3L discovered a CSP Nonce cookie that was being used in every page with a CSP policy.
Because Zoom takes their security seriously, there was a CSP policy on almost every page!
By sending a test cookie it was clear no sanitization was being done, as the value was reflected in both the CSP header and the script nonces themselves.
When attempting to escape the nonce with a double quote, a random nonce was generated every time.
However when a double quote was used at the end of the cookie it didn’t trigger a random nonce!
But unfortunately it wasn’t reflected either.
With this new info it was clear that this was not usual sanitization or filtering behavior but probably cookie string parsing.
To confirm this, they sent a quoted value containing a backslash-escaped double quote mid-string, and the escaped quote was reflected in the output.
With this confirmed, they were then able to get their XSS payload to work which triggered about 40 alerts, because the nonce was reflected insecurely in about 40 scripts on the page!
Read the full write-up here on how they chained this relatively useless XSS with another relatively useless XSS to get a session takeover on Zoom: https://loom.ly/IzaViBQ
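As an added illustration (not code from the write-up, from Zoom, or from H4R3L), the pattern above in Python: a quoted-string cookie parser lets a backslash-escaped double quote survive into the value, a server that trusts that value as its CSP nonce reflects the quote into the header and script attributes, and a hardened version only accepts values shaped like a nonce it could have minted. The cookie name `csp_nonce` and the nonce charset are assumptions.

```python
import re
import secrets
from http.cookies import SimpleCookie

# Assumed cookie name; the real name is not in the write-up.
NONCE_COOKIE = "csp_nonce"
# A minted nonce is an opaque base64/base64url token; anything else is not ours.
NONCE_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie: header with a quoted-string-aware parser (http.cookies).

    A bare " mid-value makes the whole header unparseable (no cookie at all),
    but the legacy quoted form "abc\\"def" is unquoted to abc"def, so the
    quote reaches the application value even though it looks filtered.
    """
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def nonce_vulnerable(cookies: dict) -> str:
    """Pattern described in the write-up: trust the cookie value as the nonce,
    minting a fresh one only when the cookie is missing."""
    return cookies.get(NONCE_COOKIE) or secrets.token_urlsafe(16)


def nonce_hardened(cookies: dict) -> str:
    """Accept the cookie only if it is shaped like a nonce we could have minted;
    otherwise mint a new one so no raw cookie bytes reach header or markup."""
    value = cookies.get(NONCE_COOKIE, "")
    return value if NONCE_RE.fullmatch(value) else secrets.token_urlsafe(16)


def render(nonce: str) -> tuple:
    """CSP header and script tag a page would emit for this nonce."""
    return (f"script-src 'nonce-{nonce}'",
            f'<script nonce="{nonce}">app.init()</script>')


if __name__ == "__main__":
    # Constructed request header: quoted value with an escaped double quote.
    cookies = parse_cookie_header('csp_nonce="abc\\"def"')
    print(render(nonce_vulnerable(cookies)))  # quote lands inside the attribute
    print(render(nonce_hardened(cookies)))    # fresh nonce, cookie discarded
```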
#infosec #bugbounty #bugbounties #cybersecurity #criticalthinking #CTBBpodcast #bugbountytips #bugbountyhunters #hacking #hackers