First, I think many people know that a html file uploaded on dropbox shows with rendering, and without any escaping.
But, the script is executed on a sandbox domain, dl-web.dropbox.com.
The important session is a httponly cookie, so we can't easily steal the user session.
In this situation, I can set any cookie on dropbox.com domain. (not www.dropbox.com)
It means that it may be able to influence on www.dropbox.com.
If main dropbox page do something using the cookie on dropbox.com, then maybe I can do something on www.dropbox.com
I found a some nice thing, flash.
After cookies, "flash" and "bang", are given, dropbox page draws a pop-up box which is containing a text in "flash".
But, "bang" was a problem. It seems like a hmac of "flash".
So, I need to find "bang" value of my custom "flash"
I found a function which unlinks device in security setting page.
If I unlink a some device, then it shows me a flash message, which is containing device name.
So, I set the device name (iphone name) to a XSS text, and I unlinked it.
Now, I can set "flash" and "bang" value to any text.
Then, set the malicious cookie in a html. After that, make victim to move page to www.dropbox.com (trigger flash message).
<script> document.cookie="bang=QUFEZGthYS1CaTNfWUpYcDUwdjNxemVHSHlhSHJkU3BEdnhKRUxOZVZ3b2ZoUQ%3D%3D; Domain=dropbox.com; Path=/;"; document.cookie="flash=b2s6PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmRvbWFpbik%2BIHVubGlua 2VkIHN1Y2Nlc3NmdWxseS4%3D; Domain=dropbox.com; Path=/"; location.href="https://dropbox.com/forgot"; </script>
There is a CSP.
But, on IE or safari, the script is executed.
+) Currently, common XSS on dl-web.dropbox.com is out of scope for bounty.
+) Now, I think a flash depends on only one session.
2015/05/02 Fixed, A bounty of $1,331