Full Disclosure mailing list archives
Re: CSP Bypass on Android prior to 4.4
From: E Boogie <evanjjohns () gmail com>
Date: Mon, 13 Oct 2014 22:24:50 -0400
Hello again Full Disclosure,

One final email. A couple of things to note about this. I've been testing A LOT on A LOT of different browsers and Android devices. The more I test, the more it becomes clear that my \u0000 vulnerability is not legit and there are different, much larger CSP issues at play here. (I did a lot of testing before reporting, but there is a lot going on here that caused me to mess up.)

First - The issue is not that CSP can be bypassed using a \u0000 string. The issue is that mobile browsers are not enforcing a "Content-Security-Policy" header. Many are instead supporting "X-Webkit-CSP", even on extremely new devices/versions. This causes a ton of confusion, and 0 sites I surveyed returned anything but a "Content-Security-Policy" header (so no User-Agent tricks for getting the right one). There are also a ton of legacy browsers that don't support any CSP header...

Browsers are also occasionally not enforcing paths, which are mentioned in the current spec as soon to be part of the CSP standard. This is less of an issue but still quite important. Many sites are including this

Sorry about a bit of an inaccurate report. However, with this, it looks even worse for CSP than my weird \u0000 bug. If you are on an "Android Browser" or any browser that isn't one of the big three (Chrome, Safari, Firefox [forget IE]), on any Android version you may be at risk.

Evan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
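The two findings in the post (browsers honouring only the legacy "X-Webkit-CSP" name while sites send only "Content-Security-Policy", and browsers ignoring the path part of a source expression) can both be checked from the server side. The following is an added example written for this archive page, not code from the poster or from any browser project: it audits a response header map for the three historical CSP header names, reports whether the policies under them agree, emits the same policy under every name, and flags source expressions whose restriction depends on a path. The sample headers, policy and host names are constructed for the example.

```python
"""Audit CSP header coverage and path-dependent sources (added example).

The post reports that some mobile/Android browsers only enforce the legacy
"X-Webkit-CSP" header name while surveyed sites send only the standard
"Content-Security-Policy" header, and that some browsers ignore the path
part of a source expression. These helpers check a response's headers for
those two conditions and build a header set that covers the legacy names.
"""
from typing import Dict, List, Optional, Tuple

# Header names a policy has shipped under, standard name first.
# X-Webkit-CSP is the name the post says Android/WebKit browsers still honour;
# X-Content-Security-Policy was the early Firefox/IE prefixed name.
CSP_HEADER_NAMES = (
    "Content-Security-Policy",
    "X-Webkit-CSP",
    "X-Content-Security-Policy",
)


def csp_coverage(headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each CSP header name to its value, or None if absent.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: lowered.get(name.lower()) for name in CSP_HEADER_NAMES}


def missing_csp_names(headers: Dict[str, str]) -> List[str]:
    """List the CSP header names the response does not send."""
    return [name for name, value in csp_coverage(headers).items() if value is None]


def policies_agree(headers: Dict[str, str]) -> bool:
    """True when every CSP header present carries the same policy.

    Whitespace is normalised so that only the directives are compared;
    a browser honouring a different header name must get the same rules.
    """
    present = [v for v in csp_coverage(headers).values() if v is not None]
    distinct = {" ".join(v.split()) for v in present}
    return len(distinct) <= 1


def with_legacy_csp_headers(policy: str,
                            headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return a copy of headers carrying the policy under every CSP name."""
    out = dict(headers or {})
    for name in CSP_HEADER_NAMES:
        out[name] = policy
    return out


def sources_relying_on_paths(policy: str) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs whose source expression has a path.

    A browser that ignores paths treats such a source as the whole origin,
    so the restriction the author intended is not enforced there.
    """
    flagged = []
    for directive in policy.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0], parts[1:]
        for src in sources:
            if src.startswith("'"):
                continue  # keywords, nonces and hashes carry no path
            after_scheme = src.split("://", 1)[1] if "://" in src else src
            if "/" in after_scheme:
                flagged.append((name, src))
    return flagged


# Constructed sample: a response of the kind the post describes, sending
# only the standard header name, with one path-restricted script source.
SAMPLE_POLICY = ("default-src 'self'; "
                 "script-src 'self' https://cdn.example.test/js/ https://other.example.test")
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": SAMPLE_POLICY,
}

if __name__ == "__main__":
    print("missing:", missing_csp_names(SAMPLE_RESPONSE_HEADERS))
    print("path-dependent:", sources_relying_on_paths(SAMPLE_POLICY))
    fixed = with_legacy_csp_headers(SAMPLE_POLICY, SAMPLE_RESPONSE_HEADERS)
    print("missing after fix:", missing_csp_names(fixed), "agree:", policies_agree(fixed))
```

Sending the same policy under all three names costs a few hundred bytes per response and removes the dependency on which name a given browser build happens to honour; the path check is a reminder that a source such as `https://cdn.example.test/js/` is only as narrow as the browser's path support, so a host that also serves untrusted content under another path should not be relied on for that distinction.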
Current thread:
- CSP Bypass on Android prior to 4.4 E Boogie (Oct 11)
- Re: CSP Bypass on Android prior to 4.4 E Boogie (Oct 13)
- Re: CSP Bypass on Android prior to 4.4 E Boogie (Oct 13)
- Message not available
- Fwd: Re: CSP Bypass on Android prior to 4.4 Vitor Ventura (Oct 14)
- Re: CSP Bypass on Android prior to 4.4 E Boogie (Oct 13)