Thursday, May 24, 2018

CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox

In this blog post, I'd like to write about a CSP strict-dynamic bypass vulnerability that was fixed in Firefox 60.

https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5175
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a script-src policy of 'strict-dynamic'. If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the require.js library that is part of Firefox’s Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts.

What is the "strict-dynamic"?


Maybe you should just read the CSP spec :) https://www.w3.org/TR/CSP3/#strict-dynamic-usage
But for practice writing in English, I'll explain strict-dynamic myself. If you already know strict-dynamic, you can skip this section.

The well-known form of CSP restricts the loading of resources by whitelisting domains.
For example, the following CSP allows JavaScript to be loaded only from the page's own origin and trusted.example.com:
Content-Security-Policy: script-src 'self' trusted.example.com
Thanks to this CSP, even if the page has an XSS vulnerability, the page is prevented from executing inline scripts or JavaScript files from evil.example.org. That looks safe enough; however, if trusted.example.com hosts any script that can be used for bypassing CSP, arbitrary JavaScript can still be executed. More concretely, if trusted.example.com has a JSONP endpoint, the policy might be bypassed like this:
<script src="//trusted.example.com/jsonp?callback=alert(1)//"></script>
If this endpoint reflects the user input from the callback parameter directly into the callback function name, the response body becomes an arbitrary script, as follows:
alert(1)//({});
In addition, it is known that AngularJS can also be used to bypass CSP. Such bypasses become far more realistic when domains hosting many JavaScript files, such as CDNs, are whitelisted.
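The server side of the JSONP bypass above, as an added example that is not code from the post: a reflecting (vulnerable) response builder beside a hardened one. The callback-name rule and the function names are my assumptions, not any particular site's code.

```javascript
// Added example, not code from the post: the server side of the JSONP bypass
// above, as a reflecting (vulnerable) response builder beside a hardened one.
// The callback-name rule and the function names are my assumptions, not any
// particular site's code.

// Vulnerable: the callback parameter is written into the body verbatim, so
// callback=alert(1)// yields "alert(1)//({});", arbitrary JavaScript served
// from the whitelisted origin. The "//" comments out the trailing "({});".
function jsonpResponseVulnerable(callback, data) {
  return callback + '(' + JSON.stringify(data) + ');';
}

// Hardened: accept only a dotted identifier such as "cb" or "app.onData".
// Anything containing parentheses, operators, comments or whitespace is
// rejected, so the response can never be more than <name>(<JSON>);.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponseHardened(callback, data) {
  if (typeof callback !== 'string' || callback.length > 64 || !CALLBACK_NAME.test(callback)) {
    return null; // the real handler answers 400 here and sends no body
  }
  return callback + '(' + JSON.stringify(data) + ');';
}

// Constructed request values for demonstration.
function demo() {
  return {
    reflected: jsonpResponseVulnerable('alert(1)//', {}),   // "alert(1)//({});"
    rejected: jsonpResponseHardened('alert(1)//', {}),      // null
    legitimate: jsonpResponseHardened('app.onData', { ok: true }),
  };
}
```

Serve the hardened response with Content-Type: application/javascript and X-Content-Type-Options: nosniff. Note that validating the callback fixes this one endpoint; the policy is still only as strong as every script the whitelisted host will ever serve, which is the problem strict-dynamic addresses by discarding the host whitelist.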

As these cases show, it is sometimes difficult to operate a whitelist-based CSP safely. strict-dynamic was designed to resolve this problem. This is an example of its usage:
Content-Security-Policy: script-src 'nonce-secret' 'strict-dynamic'
This CSP means that the host whitelist is disabled and only script elements carrying the string "secret" in their nonce attribute will load. (In a real deployment the nonce must be an unpredictable value generated freshly for every response; "secret" is only for illustration.)
<!-- This will load -->
<script src="//example.com/assets/A.js" nonce="secret"></script>

<!-- This will not load -->
<script src="//example.com/assets/B.js"></script>
A.js might want to load and use another JavaScript file. To allow this, the CSP spec permits a script without the proper nonce to load if it is created in a specific way by script that already has the proper nonce. In the words of the spec, a non-"parser-inserted" script element is allowed to execute JavaScript.

Below are concrete examples of what type of JavaScript are permitted:
/* A.js */

//This will load
var script=document.createElement('script');
script.src='//example.org/dependency.js';
document.body.appendChild(script);

//This will not load
document.write("<scr"+"ipt src='//example.org/dependency.js'></scr"+"ipt>");
When the element is created with createElement(), it is a non-"parser-inserted" script element and the load is allowed. On the other hand, the element written with document.write() is a "parser-inserted" script element and it is not loaded.

Up to this point, I have explained strict-dynamic roughly.

By the way, strict-dynamic is bypassable in some cases. Next, I'll introduce a known strict-dynamic bypass.

Known strict-dynamic bypass


It is known that strict-dynamic can also be bypassed if a specific library is used in the target page.

The affected libraries are listed here by Google's Sebastian Lekies, Eduardo Vela Nava, and Krzysztof Kotowicz:

Let's look at the strict-dynamic bypass for require.js on this list.
Let's say the target page uses CSP with strict-dynamic, loads require.js, and has a simple HTML injection. In this situation, if the following script element is injected, an attacker can execute arbitrary JavaScript without the proper nonce. (CSP stops the injected element itself from running anything, but the element is still in the DOM, where require.js finds it.)
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-secret' 'strict-dynamic'">
<!-- XSS START -->
<script data-main="data:,alert(1)"></script>
<!-- XSS END -->
<script nonce="secret" src="require.js"></script>
When require.js finds a script element with a data-main attribute, it loads the script specified in that attribute with code equivalent to the following:
var node = document.createElement('script');
node.src = 'data:,alert(1)';
document.head.appendChild(node);
As described before, strict-dynamic allows a script element created with createElement() to load without the proper nonce, so the data: URL runs.

In this way, you can bypass CSP strict-dynamic in some cases by using the behavior of JavaScript code that is already loaded on the page.
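To make the rules from the previous section and the require.js case concrete, here is an added example that is not code from the post and not any browser's implementation: a small model of the CSP3 decision "may this script element run?" for a script-src directive, covering nonces, 'strict-dynamic', 'self' and host whitelists. Hashes, 'unsafe-inline', scheme-sources and path matching are left out, and the policy and element object shapes are my own choice.

```javascript
// Added example, not code from the post and not any browser's implementation:
// a model of the CSP3 "may this <script> element run?" decision for script-src,
// used to walk through A.js, B.js, dependency.js via createElement vs.
// document.write, and the require.js gadget. Handles nonces, 'strict-dynamic',
// 'self' and host whitelists only; hashes, 'unsafe-inline', scheme-sources and
// path matching are left out. Object shapes are my own choice.

function parseScriptSrc(directiveValue) {
  const policy = { nonces: new Set(), strictDynamic: false, self: false, hosts: new Set() };
  for (const tok of directiveValue.trim().split(/\s+/)) {
    if (tok === "'strict-dynamic'") policy.strictDynamic = true;
    else if (tok === "'self'") policy.self = true;
    else if (tok.startsWith("'nonce-") && tok.endsWith("'")) policy.nonces.add(tok.slice(7, -1));
    else if (!tok.startsWith("'")) policy.hosts.add(tok.toLowerCase()); // host-source
  }
  return policy;
}

// element = { nonce, src, parserInserted }; src === null means an inline script.
// pageHost is the document's host, used for 'self'.
function scriptAllowed(policy, element, pageHost) {
  // 1. A matching nonce always wins, parser-inserted or not.
  if (element.nonce !== null && policy.nonces.has(element.nonce)) return true;
  // 2. With 'strict-dynamic' the host whitelist is ignored entirely. A
  //    non-parser-inserted element (createElement + appendChild) is trusted,
  //    because only script that was itself allowed could have created it;
  //    a parser-inserted one (markup, document.write) without a nonce is blocked.
  if (policy.strictDynamic) return !element.parserInserted;
  // 3. Plain whitelist: inline scripts without a nonce are blocked, external
  //    ones load only from 'self' or a whitelisted host.
  if (element.src === null) return false;
  const host = new URL(element.src, 'https://' + pageHost + '/').host;
  if (policy.self && host === pageHost) return true;
  return policy.hosts.has(host);
}

// The require.js gadget from the post: a loader that passed the nonce check
// reads an attacker-supplied data-main value and creates a script element
// from it. That element is non-parser-inserted, so rule 2 lets it run even
// though it has no nonce and its src is a data: URL.
function requireJsGadget(policy, dataMain) {
  const created = { nonce: null, src: dataMain, parserInserted: false };
  return scriptAllowed(policy, created, 'example.com');
}
```

The model shows why adding trusted.example.com to a strict-dynamic policy does not help: with 'strict-dynamic' present, a parser-inserted script from that host still needs a nonce, and the only way in without one is to be created by already-running script, which is exactly the path require.js's data-main handling opens.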

Firefox's vulnerability was caused by this very behavior of require.js.
In the next section, I'll explain the vulnerability.

Universal strict-dynamic bypass(CVE-2018-5175)


Firefox implements some browser features using legacy extensions. "Legacy extensions" here means XUL/XPCOM-based extensions, as opposed to WebExtensions; support for them was removed for third-party add-ons in Firefox 57, but even in the latest Firefox 60 the browser internals still use this mechanism.

This bypass uses a resource of a legacy extension that is part of the browser internals. In WebExtensions, listing a resource under the web_accessible_resources key of the manifest makes it accessible from any web page. Legacy extensions have a similar option, the contentaccessible flag. In this bypass it could be used to defeat CSP because a copy of require.js among the browser's internal resources was accessible from any web page due to a contentaccessible=yes flag.

Let's look at the manifest. If you are using Firefox on Windows, you can view the manifest at the following URL (adjust the path to your installation directory):

jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/chrome/chrome.manifest
content branding browser/content/branding/ contentaccessible=yes
content browser browser/content/browser/ contentaccessible=yes
skin browser classic/1.0 browser/skin/classic/browser/
skin communicator classic/1.0 browser/skin/classic/communicator/
content webide webide/content/
skin webide classic/1.0 webide/skin/
content devtools-shim devtools-shim/content/
content devtools devtools/content/
skin devtools classic/1.0 devtools/skin/
locale branding ja ja/locale/branding/
locale browser ja ja/locale/browser/
locale browser-region ja ja/locale/browser-region/
locale devtools ja ja/locale/ja/devtools/client/
locale devtools-shared ja ja/locale/ja/devtools/shared/
locale devtools-shim ja ja/locale/ja/devtools/shim/
locale pdf.js ja ja/locale/pdfviewer/
overlay chrome://browser/content/browser.xul chrome://browser/content/report-phishing-overlay.xul
overlay chrome://browser/content/places/places.xul chrome://browser/content/places/downloadsViewOverlay.xul
overlay chrome://global/content/viewPartialSource.xul chrome://browser/content/viewSourceOverlay.xul
overlay chrome://global/content/viewSource.xul chrome://browser/content/viewSourceOverlay.xul
override chrome://global/content/license.html chrome://browser/content/license.html
override chrome://global/content/netError.xhtml chrome://browser/content/aboutNetError.xhtml
override chrome://global/locale/appstrings.properties chrome://browser/locale/appstrings.properties
override chrome://global/locale/netError.dtd chrome://browser/locale/netError.dtd
override chrome://mozapps/locale/downloads/settingsChange.dtd chrome://browser/locale/downloads/settingsChange.dtd
resource search-plugins chrome://browser/locale/searchplugins/
resource usercontext-content browser/content/ contentaccessible=yes
resource pdf.js pdfjs/content/
resource devtools devtools/modules/devtools/
resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes
resource devtools-client-shared resource://devtools/client/shared/ contentaccessible=yes
The lines ending in contentaccessible=yes are the ones that make files accessible from any web site. The two "resource" lines for devtools and devtools-client-jsonview together create the resource: URI we need. The first, "resource devtools devtools/modules/devtools/", maps the devtools/modules/devtools/ directory (which lives at jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/chrome/devtools/modules/devtools/) to resource://devtools/.
We can now access files under that directory by opening resource://devtools/ in Firefox. Likewise, the line "resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes" maps resource://devtools/client/jsonview/ to resource://devtools-client-jsonview/. This URL is made web-accessible by the contentaccessible=yes flag, so files under this directory can now be loaded from any web page.
This directory contains a require.js, which is what we use to bypass CSP. Just loading this require.js into a page that uses CSP with strict-dynamic lets you bypass strict-dynamic:
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-secret' 'strict-dynamic'">
<!-- XSS START -->
<script data-main="data:,alert(1)"></script>
<script  src="resource://devtools-client-jsonview/lib/require.js"></script>
<!-- XSS END -->
With this code, the data: URL is loaded as a JavaScript resource and an alert dialog pops up.
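The manifest excerpt above is the kind of thing to audit for web-accessible gadgets. As an added example that is not code from the post or from Mozilla, here is a parser for chrome.manifest lines that lists every mapping exposed to web content via contentaccessible=yes and follows "resource X resource://Y/..." chains back to the directory inside omni.ja. It resolves only the "content" and "resource" instructions to a URL prefix (chrome://<package>/content/ and resource://<name>/); skin, locale, overlay and override lines are kept by name only. SAMPLE_MANIFEST is an excerpt of the manifest shown above, embedded as a string.

```javascript
// Added example, not code from the post or from Mozilla: a parser for
// chrome.manifest lines that lists every mapping exposed to web content via
// contentaccessible=yes, the flag that made resource://devtools-client-jsonview/
// loadable from ordinary pages. Only "content" and "resource" instructions are
// resolved to a URL prefix; other instructions are kept by name only.
// SAMPLE_MANIFEST is an excerpt of the manifest shown in the post.

const SAMPLE_MANIFEST = `
content branding browser/content/branding/ contentaccessible=yes
content browser browser/content/browser/ contentaccessible=yes
skin browser classic/1.0 browser/skin/classic/browser/
content webide webide/content/
content devtools devtools/content/
locale devtools ja ja/locale/ja/devtools/client/
overlay chrome://browser/content/browser.xul chrome://browser/content/report-phishing-overlay.xul
override chrome://global/content/license.html chrome://browser/content/license.html
resource search-plugins chrome://browser/locale/searchplugins/
resource usercontext-content browser/content/ contentaccessible=yes
resource pdf.js pdfjs/content/
resource devtools devtools/modules/devtools/
resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes
resource devtools-client-shared resource://devtools/client/shared/ contentaccessible=yes
`;

function parseChromeManifest(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const [instruction, name, ...rest] = line.split(/\s+/);
    const flags = rest.filter((t) => t.includes('=')); // e.g. contentaccessible=yes
    const args = rest.filter((t) => !t.includes('=')); // target path or URI
    let webPrefix = null;
    if (instruction === 'content') webPrefix = `chrome://${name}/content/`;
    else if (instruction === 'resource') webPrefix = `resource://${name}/`;
    entries.push({
      instruction,
      name,
      target: args.length ? args[args.length - 1] : null,
      flags,
      webPrefix,
    });
  }
  return entries;
}

// Entries any web page may load directly: the set worth auditing for gadgets.
function webAccessible(entries) {
  return entries.filter((e) => e.flags.includes('contentaccessible=yes'));
}

// Follow "resource X resource://Y/<sub>" chains to the path relative to the
// manifest's own directory (chrome/ inside omni.ja). Hop count is bounded so a
// cyclic manifest cannot loop forever.
function resolveResource(entries, name) {
  const byName = new Map(entries.filter((e) => e.instruction === 'resource').map((e) => [e.name, e]));
  const start = byName.get(name);
  if (!start) return null;
  let target = start.target;
  for (let hops = 0; hops < 10; hops++) {
    const m = /^resource:\/\/([^/]+)\/(.*)$/.exec(target);
    if (!m || !byName.has(m[1])) break;
    target = byName.get(m[1]).target + m[2];
  }
  return target;
}

// Audit report: web-accessible prefixes and where they point on disk.
function audit(text) {
  const entries = parseChromeManifest(text);
  return webAccessible(entries).map((e) => ({
    name: e.name,
    webPrefix: e.webPrefix,
    path: e.instruction === 'resource' ? resolveResource(entries, e.name) : e.target,
  }));
}
```

Running audit(SAMPLE_MANIFEST) reports devtools-client-jsonview as resource://devtools-client-jsonview/ backed by devtools/modules/devtools/client/jsonview/, the directory the post's require.js URL lives in. The same walk applies to any extension package: every entry it lists as web-accessible is a place a script gadget can be served from regardless of the page's CSP.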

You might think, "Hmm, why is require.js loaded at all? It should be blocked by CSP because the script element does not have the proper nonce."

Actually, no matter how strictly you set the CSP rules, an extension's web-accessible resources are loaded regardless of CSP. This behavior is mentioned in the CSP spec:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].
Firefox's resource: URIs also followed this rule. Thanks to this, users can use an extension's features as expected even on pages where CSP is set, but on the other hand, this privilege can sometimes be used for bypassing CSP, as in this bug's case.
Of course, this issue is not limited to the browser's internal resources. The same thing happens with ordinary browser extensions if they expose web-accessible resources that can be used to bypass CSP.

It seems that the Firefox developers fixed this bug by applying the page's CSP to resource: URIs.

In closing


I wrote about a CSP strict-dynamic bypass vulnerability in Firefox.

FYI, I found this issue while looking for another solution to the third level of the Cure53 CNY XSS Challenge 2018, which I made. In that challenge, I used a different trick to bypass strict-dynamic. Please check it out if you are interested.

Also, I created a different version of this XSS Challenge and I'm still waiting for your answer :)

Lastly, I'd like to thank Google's researchers, whose work made me notice this bug. Thank you!
