Copy Drag — Paste Drop

This is going to be a small write-up about XSS’ing some contexts that need user interaction by using drag and drop on modern apps, and I think I'm COVID-19 positive :)

On modern apps almost every website sets X-Frame-Options (XFO) to deny, so it’s impossible to frame the page and trick the user into dragging and dropping something onto the framed page. We have to find a new way to use some lesser-known XSS cases.

Recently there was some nice research about copy-paste XSS: https://research.securitum.com/the-curious-case-of-copy-paste/

The problem is that most of the bug bounty companies wouldn’t accept copy-paste XSS, so instead we can use drag and drop.

Recently I made a silly XSS challenge to demonstrate this case.

It’s a simple website with some content, and at the bottom we have a WYSIWYG editor. Michał already did some nice research on these editors, and when I looked at bug bounty programs I saw that many of these editors are still using vulnerable versions, mostly in forums.

In browsers we can override the dragged content and change it to anything we want, so in my challenge we can trick the user into dragging an image/text and then redirect the user to the vulnerable page. The problem is that the editor is at the bottom of the page.

For this we can use the new Chrome feature Scroll to Text Fragment to scroll the page down to where the editor is. After 2 seconds, when the user drops the content, it will be dropped inside the editor. Solution:

https://renwax23.github.io/X/xschals4j.html

Thanks to terjanq, who showed another technique to scroll the page: open a new window, then change its location.hash to an element ID, so that the page is focused and scrolled down to that element, which is created by the editor.
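
On the editor side, the dragged-content override described above means that whatever arrives in a drop was chosen by the page where the drag started. The following is an added example, not part of the original write-up or the challenge: a drop guard in JavaScript, assuming a contenteditable editor element and an optional caller-supplied sanitizer (`resolveDrop`, `installDropGuard` and `sanitizeHtml` are hypothetical names).

```javascript
// Added example (not from the original write-up): a drop guard for a
// contenteditable editor. Everything in event.dataTransfer is set by the
// page where the drag started, so it is handled as untrusted input.

// Decide what may be inserted. `sanitizeHtml` is an assumed, caller-supplied
// HTML sanitizer (for example DOMPurify.sanitize). Without one, only the
// text/plain flavour is used, and it is inserted as text, never as markup.
function resolveDrop(dataTransfer, sanitizeHtml) {
  const types = Array.from(dataTransfer.types || []);
  if (sanitizeHtml && types.includes('text/html')) {
    const clean = sanitizeHtml(dataTransfer.getData('text/html'));
    if (clean) return { kind: 'html', value: clean };
  }
  if (types.includes('text/plain')) {
    return { kind: 'text', value: dataTransfer.getData('text/plain') };
  }
  return { kind: 'none', value: '' };
}

// Attach to the editor element. preventDefault() stops the browser's built-in
// insertion of the dragged text/html into the editable region.
function installDropGuard(editor, sanitizeHtml) {
  editor.addEventListener('drop', (event) => {
    event.preventDefault();
    const doc = editor.ownerDocument;
    const result = resolveDrop(event.dataTransfer, sanitizeHtml);
    if (result.kind === 'text') {
      // A text node cannot carry elements or event-handler attributes.
      editor.appendChild(doc.createTextNode(result.value));
    } else if (result.kind === 'html') {
      const tpl = doc.createElement('template');
      tpl.innerHTML = result.value; // already passed through sanitizeHtml
      editor.appendChild(tpl.content);
    }
    // kind === 'none': nothing usable was dropped, so nothing is inserted.
  });
}
```

The same `resolveDrop` decision can back a `paste` handler by passing `event.clipboardData` instead of `event.dataTransfer`.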