[WIP] Hook URL object creation #45
Conversation
I haven't looked through the patch or done any testing yet (only read info above), but I'm pretty confident that only hooking text/html is insufficient. You can get same-origin script execution in svg and xml documents, for example (potentially others as well?)
Another thing that would need to be considered -- you can create a Worker from a Blob (doesn't matter what the mimetype of the blob used for the worker is), and can also call

```js
workerJs = `
postMessage(URL.createObjectURL(new Blob(["<script>alert(document.domain)</script>"], {type: "text/html"})));
`
workerBlob = new Blob([workerJs], {type: "text/plain"})
w = new Worker(URL.createObjectURL(workerBlob))
w.onmessage = (msg) => {
  console.log(msg);
  f = document.createElement("iframe");
  document.body.appendChild(f)
  f.src = msg.data;
}
```
Yea I'm not 100% confident about
Oh wow, that's very clever, I did not consider that...
```js
f = document.createElement('iframe');
document.body.appendChild(f);
svg = `<svg xmlns="http://www.w3.org/2000/svg">
<script>
alert(window.origin);
</script>
</svg>`
bloburl = URL.createObjectURL(new Blob([svg], {type: "image/svg+xml"}))
f.src = bloburl
```

```js
f = document.createElement('iframe');
document.body.appendChild(f);
xslt = `<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/asdf">
<HTML>
<BODY>
<script>alert(window.origin);</script>
</BODY>
</HTML>
</xsl:template>
</xsl:stylesheet>`
xml = `<?xml version='1.0'?>
<?xml-stylesheet type="text/xsl" href="data:text/xml;base64,${btoa(xslt)}" ?>
<asdf>meep</asdf>`
bloburl = URL.createObjectURL(new Blob([xml], {type: "text/xml"}))
f.src = bloburl
```
Thanks for the demonstrations, this is definitely a problem and this solution is clearly far from being complete.
This is a fix attempt to issue #43 introduced by @arxenix where Snow can be bypassed by leveraging an iframe with src to a blob: URI. Fixing this was tricky so I'll walk through the PR:
URL.createObjectURL
.text/html
which can be used to load a new same origin malicious realm).text/html
I simply return the new URL as it cannot bypass Snow.
URL.createObjectURL also accepts MediaSource objects which cannot be synchronously fetched with XHR and are not a threat to Snow, I make sure to mark all new Blobs and Files with a non-writable non-configurable property that safely indicates this is a blob/file so attackers won't be able to hide that fact.
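As an added worked example (not Snow's code and not part of this PR), here is a guard in the spirit of the PR description: every Blob/File created through the hooked constructors is tagged with a non-writable, non-configurable marker, and URL.createObjectURL is hooked so that a blob: URL is refused for MIME types a browser would load as a new same-origin, script-executing document. It goes beyond the PR's text/html check by also covering the SVG, XML and XSLT types demonstrated earlier in the thread. The names BLOB_MARK, installBlobUrlGuard, isScriptCapable and blobType are this example's own assumptions; the marker name Snow actually uses is not on this page.

```javascript
// Illustrative guard, not Snow's own code. Assumed names: BLOB_MARK,
// installBlobUrlGuard, isScriptCapable, blobType.

const BLOB_MARK = Symbol('blobMarker'); // assumed marker; Snow's real property name is not on this page

// Types that yield a same-origin document with <script> execution when a blob:
// URL is loaded in an iframe or tab. Anything with a "+xml" suffix is parsed as
// XML and can carry <script> or an xml-stylesheet processing instruction.
const SCRIPT_CAPABLE = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/xml',
  'application/xml',
  'text/xsl',
  'application/xslt+xml',
]);

function normalizeType(type) {
  // MIME types compare case-insensitively and may carry parameters ("; charset=utf-8")
  return String(type == null ? '' : type).split(';')[0].trim().toLowerCase();
}

function isScriptCapable(type) {
  const t = normalizeType(type);
  return SCRIPT_CAPABLE.has(t) || t.endsWith('+xml');
}

// target is the realm's global object (defaults to globalThis); install before
// any untrusted code runs in that realm.
function installBlobUrlGuard(target = globalThis) {
  const NativeBlob = target.Blob;
  const NativeURL = target.URL;
  const nativeCreateObjectURL = NativeURL.createObjectURL;
  // Capture the native `type` getter now: it performs a brand check (throws for
  // anything that is not really a Blob/File) and ignores an own `type` property
  // that attacker code might plant on an instance to lie about the MIME type.
  const nativeTypeGetter = Object.getOwnPropertyDescriptor(NativeBlob.prototype, 'type').get;

  function mark(obj) {
    Object.defineProperty(obj, BLOB_MARK, {
      value: true, writable: false, configurable: false, enumerable: false,
    });
    return obj;
  }

  // Subclass rather than replace: instanceof and the prototype chain keep working.
  class GuardedBlob extends NativeBlob {
    constructor(...args) { super(...args); mark(this); }
  }
  target.Blob = GuardedBlob;
  if (typeof target.File === 'function') {
    const NativeFile = target.File;
    class GuardedFile extends NativeFile {
      constructor(...args) { super(...args); mark(this); }
    }
    target.File = GuardedFile;
  }

  // Returns the real MIME type of a Blob/File, or null for anything else
  // (e.g. a MediaSource), regardless of own properties on the object.
  function blobType(obj) {
    try {
      return nativeTypeGetter.call(obj);
    } catch (_) {
      return null;
    }
  }

  NativeURL.createObjectURL = function createObjectURL(obj) {
    const type = blobType(obj);
    // null means not a Blob/File at all: nothing a document can navigate to,
    // so it is passed through unchanged.
    if (type !== null && isScriptCapable(type)) {
      throw new TypeError(`blob: URL refused for script-capable type "${type}"`);
    }
    return nativeCreateObjectURL.call(NativeURL, obj);
  };

  return { blobType, isScriptCapable, marker: BLOB_MARK };
}
```

The hook only covers the realm it is installed in: the Worker variant shown earlier in the thread runs its own, unhooked URL.createObjectURL and posts the resulting URL back, so the receiving side must still treat a message-delivered URL as untrusted rather than assigning it to an iframe src. Blobs produced by native code (slice(), fetch responses) never pass through the hooked constructor and so carry no marker, but the brand-checked native getter still recognises them, which is why the type decision rests on that getter and the marker is an additional signal rather than the only one.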