CSP bypass: How one Chrome XSS bug took 2.5 years and an HTML spec change to fix


Ben Dickson

21 June 2021 at 12:55 UTC

Updated: 21 June 2021 at 13:13 UTC

Browser flaw enabled XSS attacks on protected pages

A Content Security Policy bug in Chrome took 2.5 years and an HTML spec change to fix

The Chromium team has patched a 2.5-year-old bug that made it possible to stage cross-site scripting (XSS) attacks on web pages, even when they had been configured to prevent XSS attacks.

Found by Jun Kokatsu, browser security researcher at Microsoft, the bug allowed crafty attackers to bypass Content Security Policy (CSP), an HTTP header that restricts external resources loaded and run on the web page.

Blob attack

In a proof-of-concept, Kokatsu showed that if a web application creates a Blob URL with attacker-controlled data, it could lead to XSS attacks – even when the site is protected with strict CSP policies. Blobs are raw data that can be read as text or streams.

Because of the way iframes (embedded HTML pages) inherit headers and policies from their parent page, an attacker could exploit the bug to bypass the CSP rules and execute malicious code on the page.

For example, a recent XSS vulnerability in chat.mozilla.org occurred as a result of creating a Blob URL from a Blob object passed by an attacker.

“This XSS might still have been exploitable even if they had CSP,” Kokatsu told The Daily Swig in written comments.

Kokatsu also said that the attack could be staged on other URL schemes, including and URLs.
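
As an added illustration (not code from the article, Chromium, or chat.mozilla.org), the following sketch shows one application-side hardening for the Blob URL scenario described above: re-wrapping an untrusted Blob with an allowlisted content type before it is passed to `URL.createObjectURL`, so the resulting URL is never rendered as an HTML or SVG document. The names `SAFE_BLOB_TYPES`, `safeBlobType`, `toSafeBlob` and `createSafeObjectURL` are hypothetical, and the allowlist contents are an assumption to adapt per application.

```javascript
// Added example. Assumed allowlist: media types that a browser does not
// treat as an active document when a blob: URL is navigated or framed.
const SAFE_BLOB_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'audio/mpeg', 'audio/ogg', 'video/mp4', 'video/webm',
  'text/plain',
]);

// Reduce a declared MIME type to its essence (no parameters, lower case)
// and fall back to an inert type when it is not on the allowlist.
function safeBlobType(declaredType) {
  const essence = String(declaredType || '').split(';')[0].trim().toLowerCase();
  return SAFE_BLOB_TYPES.has(essence) ? essence : 'application/octet-stream';
}

// Re-wrap the untrusted Blob: same bytes, but the type is chosen by the
// application rather than by whoever supplied the Blob.
function toSafeBlob(untrusted) {
  return untrusted.slice(0, untrusted.size, safeBlobType(untrusted.type));
}

// Only this wrapper should be used to mint blob: URLs from untrusted input.
function createSafeObjectURL(untrusted) {
  return URL.createObjectURL(toSafeBlob(untrusted));
}

// Constructed sample input: a Blob whose sender declared it as HTML.
const sample = new Blob(['<script>1</script>'], { type: 'text/html' });
console.log(toSafeBlob(sample).type); // application/octet-stream
```

This narrows the application-side precondition only; it does not replace the browser fix the article describes.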

A patch two years in the making

Kokatsu discovered the bug in December 2018. It was initially dismissed as something of a non-issue, but the Chromium team later acknowledged its severity and implemented new container security policies in the Chromium specification.

“Not many people realize that cross-origin pages can navigate iframes or windows opened by them,” Kokatsu said. “This understanding is required to grasp the attack, and the problem space of policy inheritance issues in the CSP’s specification.”

However, because of its complexity, it took more than two years to get the bug fixed. “CSP must inherit policy to local scheme, because these schemes (e.g., , , , ) don’t have response headers,” Kokatsu said.

While some of the schemes were relatively easy to solve, Blob URLs were especially difficult to patch because it’s hard to track which document created the URL.

“Therefore, they had to make a new concept in HTML’s specification to track this information,” Kokatsu said.

The new HTML specification, Policy Container, provides more granular control over the policies inherited across HTML documents and their embedded elements. It currently applies to CSP and Referrer Policy only. Kokatsu says it needs to be applied to other policies as well.

The complexity of iframe security

Using iframes has been fraught with security concerns. “The ability to link other pages or frame other pages has been one of the benefits of the web. However, it does add complexity to the ecosystem both from browser security and web security,” Kokatsu said.

Browser vendors are constantly trying to develop new specifications and tools to mitigate attacks through embedded frames. Some of these specifications include X-Frame-Options, iframe sandbox, and Permissions Policy.

“While threats to/from iframes will continue, I’m hopeful that over time we can mitigate many attacks, and move to a safer web,” Kokatsu said.

“As attack[s] advance, what’s important is to understand what’s working, and where we need more specific mitigation, and then apply more defense on those spots.”
