Full Disclosure mailing list archives

Re: CSP Bypass on Android prior to 4.4


From: E Boogie <evanjjohns () gmail com>
Date: Mon, 13 Oct 2014 22:24:50 -0400

Hello again Full disclosure,

One final email. A couple things to note about this.

I've been testing A LOT on A LOT of different browsers and Android
devices. The more I test, the more it becomes clear that my \u0000
vulnerability is not legit and there are different, much larger CSP issues
at play here. (I did a lot of testing before reporting but there is a lot
going on here that caused me to mess up.)

First, the issue is not that CSP can be bypassed using a \u0000 string.
The issue is that mobile browsers are not enforcing a
"Content-Security-Policy" header. Many are instead supporting
"X-Webkit-CSP", even on extremely new devices/versions. This causes a ton
of confusion, and 0 sites I surveyed returned anything but a
"Content-Security-Policy" header (so no User-Agent tricks for getting the
right one). There are also a ton of legacy browsers that don't support any
CSP header...

Browsers are also occasionally not enforcing paths, which are mentioned in
the current spec as soon to be part of the CSP standard. This is less of an
issue but still quite important. Many sites are including this

Sorry about a bit of an inaccurate report. However, with this, it looks
even worse for CSP than my weird \u0000 bug. If you are on an "Android
Browser" or any browser that isn't one of the big three (Chrome, Safari,
Firefox [forget IE]), on any Android version you may be at risk.

Evan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
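The two problems Evan describes (a policy sent only under the standard header name, and a policy that relies on path restrictions some browsers ignore) can be checked on the server side. The following is an added example written for this archive page, not code from the post or from any project it mentions; the header names are the two named in the post, and the sample response headers are constructed.

```python
# Added example (not from the post): emit the CSP under both header names and
# audit a response for the two issues the post reports on mobile browsers.
from urllib.parse import urlsplit

STANDARD = "Content-Security-Policy"
LEGACY = "X-Webkit-CSP"   # the name some WebKit-based mobile browsers honour instead


def parse_csp(policy):
    """Split a policy string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def path_based_sources(policy):
    """Return (directive, source) pairs whose source carries a path.

    A browser that does not enforce paths treats 'https://cdn.example/js/'
    as 'https://cdn.example', so the effective policy is broader than written."""
    found = []
    for directive, sources in parse_csp(policy).items():
        for src in sources:
            if src.startswith("'"):          # keywords such as 'self', 'nonce-...'
                continue
            path = urlsplit(src if "://" in src else "//" + src).path
            if path not in ("", "/"):
                found.append((directive, src))
    return found


def csp_headers(policy):
    """Headers to send so both standard and X-Webkit-CSP-only browsers enforce."""
    return {STANDARD: policy, LEGACY: policy}


def audit_response_headers(headers):
    """List problems for a dict of response headers (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems = []
    policy = lower.get(STANDARD.lower())
    if policy is None:
        return ["no Content-Security-Policy header"]
    if LEGACY.lower() not in lower:
        problems.append("missing X-Webkit-CSP; browsers that only read it will not enforce")
    for directive, src in path_based_sources(policy):
        problems.append(f"{directive} relies on a path in {src}; may not be enforced")
    return problems
```

Run `audit_response_headers` over the headers of each page in a survey like the one in the post; a site that returns only the standard header, as all surveyed sites did, is flagged.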