lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 13 Oct 2014 14:30:30 -0400
From: E Boogie <evanjjohns@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] CSP Bypass on Android prior to 4.4

I've done a little more testing and what I've found is pretty startling.

I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass worked.

I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and
the CSP bypass also worked.

If you are so kind, please use ejj.io/test.php to test this for me. If it
worked, please press the "IT WORKED" button.

This way I can compile a large finger print of browsers/phones/versions the
CSP bypass worked on (based on user-agent)

Evan J.

On Sat, Oct 11, 2014 at 4:09 PM, E Boogie <evanjjohns@...il.com> wrote:

> I've found a Content Security Policy bypass similar and related to the same origin policy bypass in CVE-2014-6041. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041
>
> I've tested this on an Android 4.3 tablet running a bunch of different browsers, including Inbrowser, Firefox, and the default Android browser on an emulator for Android 4.3.1.
>
> HTML PoC:
>
> <input type=button value="test" onclick="
>   a=document.createElement('script');
>   a.id='AA';
>   a.src='\u0000https://js.stripe.com/v2/';
>   document.body.appendChild(a);
>   setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{ alert(2);}}, 400);
>   return false;">
>
>
> The content security policy rule that should block this is
> script-src 'self' https://js.stripe.com/v3/ ;
>
> The PoC worked if you see a popup containing stripes e(){} object. I set the Timeout kind of short, so you may have to press the button twice before you see the popup.
>
> I have a PoC test page at ejj.io/test.php
>
> Cheers,
> Evan J
>
> --
> Evan J Johnson
>
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ