First, I think many people know that an HTML file uploaded to Dropbox is rendered as-is, without any escaping.
That means that if we put JavaScript code in the HTML file, we can easily execute that JavaScript on the HTML page without any problem.

But the script is executed on a sandbox domain,
and the important session cookie is HttpOnly, so we can't easily steal the user's session.

In this situation, I can set any cookie on the domain. (not
That means it may be possible to influence
If the main Dropbox page does something using the cookie on, then maybe I can do something on 

I found a nice thing: flash.
When the cookies "flash" and "bang" are given, the Dropbox page draws a pop-up box containing the text in "flash".
But "bang" was a problem. It seems to be an HMAC of "flash".
So I need to find the "bang" value for my custom "flash".

I found a function which unlinks a device in the security settings page.
If I unlink a device, it shows me a flash message containing the device name.
So I set the device name (iPhone name) to an XSS payload, and I unlinked it.

Now I can set the "flash" and "bang" values to any text.

Then, set the malicious cookies from an HTML file. After that, make the victim navigate to (which triggers the flash message).

document.cookie="bang=QUFEZGthYS1CaTNfWUpYcDUwdjNxemVHSHlhSHJkU3BEdnhKRUxOZVZ3b2ZoUQ%3D%3D;; Path=/;";
2VkIHN1Y2Nlc3NmdWxseS4%3D;; Path=/";

There is a CSP.
But on IE or Safari, the script is executed.

+) Currently, common XSS on is out of scope for the bounty.
+) Now, I think a flash depends on only one session.

2015/05/02 Fixed. A bounty of $1,331.

posted by tunz