Message-ID: <CA+wDdVYATv9ceGwe-=WjFPrCgNEeJomR1RinN=7UrrfuUw2y6w@mail.gmail.com>
Date: Mon, 13 Oct 2014 22:24:50 -0400
From: E Boogie <evanjjohns@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] CSP Bypass on Android prior to 4.4

Hello again Full Disclosure,

One final email. A couple of things to note about this. I've been testing A LOT on A LOT of different browsers and Android devices. The more I test, the more it becomes clear that my \u0000 vulnerability is not legit and that there are different, much larger CSP issues at play here. (I did a lot of testing before reporting, but there is a lot going on here that caused me to mess up.)

First - The issue is not that CSP can be bypassed using a \u0000 string. The issue is that mobile browsers are not enforcing a "Content-Security-Policy" header. Many are instead supporting "X-Webkit-CSP", even on extremely new devices/versions. This causes a ton of confusion, and 0 sites I surveyed returned anything but a "Content-Security-Policy" header (so no User-Agent tricks for getting the right one). There are also a ton of legacy browsers that don't support any CSP header...

Browsers are also occasionally not enforcing paths, which are mentioned in the current spec as soon to be part of the CSP standard. This is less of an issue but still quite important. Many sites are including this

Sorry about a bit of an inaccurate report. However, with this, it looks even worse for CSP than my weird \u0000 bug. If you are on an "Android Browser" or any browser that isn't one of the big three (Chrome, Safari, Firefox [forget IE]), on any Android version you may be at risk.

Evan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
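The server-side mitigation the post implies, as an added example that is not part of the original message: a WSGI middleware that copies a site's Content-Security-Policy value into the legacy X-Webkit-CSP header name, so browsers that only honour the prefixed name still receive the same policy. The demo application, sample policy and header alias list are constructed here for illustration.

```python
"""Mirror Content-Security-Policy into the legacy X-Webkit-CSP header.

Added example (not from the original post). Assumes a WSGI application;
the sample policy and demo app below are constructed for illustration.
"""

# Prefixed header name the post reports legacy WebKit-based browsers honouring.
LEGACY_CSP_HEADERS = ("X-Webkit-CSP",)


def mirror_csp_headers(headers):
    """Return headers with the CSP value copied to each legacy alias not already set.

    `headers` is a list of (name, value) tuples as WSGI uses. The standard
    header is left in place so modern browsers keep enforcing it.
    """
    present = {name.lower() for name, _ in headers}
    policy = next((value for name, value in headers
                   if name.lower() == "content-security-policy"), None)
    if policy is None:
        return list(headers)
    extra = [(alias, policy) for alias in LEGACY_CSP_HEADERS
             if alias.lower() not in present]
    return list(headers) + extra


class LegacyCSPMiddleware:
    """WSGI middleware applying mirror_csp_headers to every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, mirror_csp_headers(headers), exc_info)
        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    # Constructed sample app that emits only the standard header name.
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ])
    return [b"<p>hello</p>"]


def run_demo():
    """Call the wrapped app with a minimal environ and return the headers sent."""
    sent = {}

    def capture(status, headers, exc_info=None):
        sent["headers"] = headers
    LegacyCSPMiddleware(demo_app)({"REQUEST_METHOD": "GET"}, capture)
    return sent["headers"]
```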