SOP Bypass using object tag and a javascript: URI in the data attribute
Categories
(Core :: DOM: Navigation, defect)
People
(Reporter: kirtiar15502, Unassigned)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Firefox for Android
Steps to reproduce:
Step 1: Open the HTML attached as a PoC named SOP MF Bypass.
Step 2: After opening, it will load bing.com and after a second it will show a pop-up of the location.
Actual results:
PoC code:
<script>
window.onload = function()
{
    // Create an <object> whose data attribute points at a cross-origin page.
    const object = document.createElement("object");
    object.setAttribute("data", "http://www.bing.com");
    document.body.appendChild(object);
    object.onload = function() {
        // Once the cross-origin page has loaded, swap the data URL for a javascript: URI.
        object.setAttribute("data", "javascript:alert(document.location)");
        // Changing the element's content is what triggers the object to navigate again.
        object.innerHTML = "foobar";
    }
}
</script>
The above code creates an object with a data attribute, which loads a URL from another origin, in this case "http://www.bing.com"; however, once it's loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting thing here is that the last line, object.innerHTML = "foobar";, is essential for the PoC to work, so that the navigation request is performed.
Vulnerable code:
bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
{
    ASSERT(document());
    ASSERT(document()->frame());
    if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
        return false;
    KURL completeURL = document()->completeURL(url);
The above function is responsible for loading the frame URL. If you take a close look at the code, you will find that there is no validation of the javascript scheme, which allows us to execute JavaScript in the context of the frame that was loaded.
Expected results:
It should have been blocked from going further and replacing the URL with the JavaScript to be executed.
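As an added illustration (this is not code from the bug report, from WebKit or from Firefox), the scheme check that the reporter says the quoted allowedToLoadFrameURL() lacks: the candidate URL is resolved the way completeURL() would, and the navigation is refused unless the resulting scheme is http(s). MAX_FRAMES, the function names and the sample inputs are assumptions made for the example.

```javascript
// Added example, not code from this bug report, WebKit or Firefox. It shows the
// scheme check the quoted allowedToLoadFrameURL() is missing: a frame or
// <object data> navigation is resolved like completeURL() and then refused
// unless the resulting scheme is http(s). MAX_FRAMES and the function names
// are assumptions chosen for the example.

const MAX_FRAMES = 1000;                       // stand-in for Page::maxNumberOfFrames
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only when `raw`, resolved against `baseUrl`, is a navigable
// http(s) URL and the page is under its frame budget. The WHATWG URL parser
// (Node's global URL) strips leading/trailing C0 controls and spaces, removes
// embedded tab/CR/LF and lowercases the scheme, so disguised forms such as
// "\tJavaScript:..." or "java\nscript:..." parse to protocol "javascript:" and
// are rejected by the allowlist instead of slipping past a naive prefix check.
function isAllowedFrameUrl(raw, baseUrl, frameCount) {
  if (frameCount >= MAX_FRAMES) return false;
  let url;
  try {
    url = new URL(String(raw), baseUrl);       // resolves relative URLs too
  } catch (e) {
    return false;                              // unparsable input is refused
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Defensive wrapper for the pattern in the PoC: the data attribute is only set
// when the URL passes the check; otherwise the element is left untouched.
function setObjectDataChecked(el, raw, baseUrl, frameCount) {
  if (!isAllowedFrameUrl(raw, baseUrl, frameCount)) return false;
  el.setAttribute("data", new URL(String(raw), baseUrl).href);
  return true;
}

// Constructed sample inputs mirroring the PoC; no browser is needed for the check.
const BASE = "https://example.test/poc.html";
const samples = [
  ["http://www.bing.com", 1],                      // first load in the PoC
  ["javascript:alert(document.location)", 1],     // second load in the PoC
  ["\tJavaScript:alert(1)", 1],                   // disguised scheme
  ["/relative/page.html", 1],                     // resolved against BASE
  ["http://www.bing.com", MAX_FRAMES],            // over the frame budget
];
for (const [raw, count] of samples) {
  console.log(JSON.stringify(raw), isAllowedFrameUrl(raw, BASE, count));
}
```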
Comment 2•5 years ago
Haven't tried to reproduce but this looks pretty bad. Nika, can you or someone else on the DOM team take a look?
Reporter: I suppose the same thing doesn't work with an iframe instead of object tag?
Comment 3•5 years ago
Thanks Nika for looking further than I did.
So... in no particular order:
- Please use more descriptive bug summaries in future.
- This is a webkit exploit from 2011 (cf. https://nvd.nist.gov/vuln/detail/2011-3881 ). The accompanying text is copied word for word from https://www.rafaybaloch.com/2017/06/a-tale-of-another-sop-bypass-in-android.html . The source example in comment #0 is not Firefox code. You did not give credit or link to the original, or explain any differences, and you seem to have just copy-pasted stuff relating to webkit without realizing Firefox is different. Please change that for your future reports. Adapting other people's work to find new issues is great, but be ready to explain how what you're doing is different, what it's based on, and what the precise problem is. This helps the entire community learn, including the people in whose products you report issues. If you don't link to the old issues, projects you report to will find them anyway and will just be annoyed you wasted their time.
- The exploit in comment #0 doesn't work in Firefox. The alert from the quoted code shows the location of the parent document (i.e. the one with the exploit code), so the javascript isn't running in the context of the frame that has bing.com loaded in it, but in the context of the attacker's page. There is no same-origin-principle violation. Although Chrome shows no alert here, it's not really clear why they don't, and purely showing an alert or running JS in the parent frame is not a security issue.
- The exploit you added as an attachment also doesn't work in Firefox, and shows no alert at all.
As a result, I'm closing this report as invalid.