Thursday, May 24, 2018

CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox

In this blog post, I'd like to write about a CSP strict-dynamic bypass vulnerability that was fixed in Firefox 60.

https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5175
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a script-src policy of 'strict-dynamic'. If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the require.js library that is part of Firefox’s Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts.

What is 'strict-dynamic'?


Maybe you should just read the CSP spec :) https://www.w3.org/TR/CSP3/#strict-dynamic-usage
But for practice writing in English, I'll explain strict-dynamic myself. If you already know it, you can skip this section.

The classic form of CSP restricts resource loading by whitelisting domains.
For example, the following CSP allows JavaScript to be loaded only from the page's own origin and from trusted.example.com:
Content-Security-Policy: script-src 'self' trusted.example.com
Thanks to this CSP, even if the page has an XSS vulnerability, the browser refuses to execute inline scripts or a JavaScript file from evil.example.org. It looks safe enough; however, if trusted.example.com hosts any script that can be abused to bypass CSP, JavaScript execution is still possible. Concretely, if trusted.example.com has a JSONP endpoint, the policy can be bypassed like this:
<script src="//trusted.example.com/jsonp?callback=alert(1)//"></script>
If this endpoint reflects the callback parameter directly into the response as the callback function name, the response body becomes arbitrary script, as follows:
alert(1)//({});
In addition, AngularJS is also known to be usable for bypassing CSP. Such bypasses become much more realistic when domains that host many JavaScript files, such as CDNs, are whitelisted.

So, with a whitelist, it is sometimes difficult to operate CSP safely. strict-dynamic was designed to resolve this problem. This is an example of its usage:
Content-Security-Policy: script-src 'nonce-secret' 'strict-dynamic'
With this CSP the whitelist is disabled (host and scheme expressions, 'self' and 'unsafe-inline' are ignored) and only script elements whose nonce attribute is "secret" will load.
<!-- This will load -->
<script src="//example.com/assets/A.js" nonce="secret"></script>

<!-- This will not load -->
<script src="//example.com/assets/B.js"></script>
A.js might want to load and use another script. To allow this, the CSP spec permits a script that was loaded with the proper nonce to load further scripts without a nonce, under specific conditions. In the spec's terms, a script element that is not "parser-inserted" is allowed to execute.

Below are concrete examples of what type of JavaScript are permitted:
/* A.js */

//This will load
var script=document.createElement('script');
script.src='//example.org/dependency.js';
document.body.appendChild(script);

//This will not load
document.write("<scr"+"ipt src='//example.org/dependency.js'></scr"+"ipt>");
When the script is added with createElement() and appendChild(), the script element is not parser-inserted and the load is allowed. When it is written with document.write(), the script element is parser-inserted and the load is blocked.

That is a rough overview of strict-dynamic.

By the way, strict-dynamic is bypassable in some cases. Next, I'll introduce a known strict-dynamic bypass.

Known strict-dynamic bypass


It is known that strict-dynamic can also be bypassed if a specific library is used in the target page.

Google's Sebastian Lekies, Eduardo Vela Nava, and Krzysztof Kotowicz list the affected libraries here:

Let's look into the strict-dynamic bypass of require.js on this list.
Let's say the target page uses CSP with strict-dynamic, loads require.js and has a simple HTML injection. In this situation, if the following script element is injected, an attacker can execute arbitrary JavaScript without knowing the nonce.
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-secret' 'strict-dynamic'">
<!-- XSS START -->
<script data-main="data:,alert(1)"></script>
<!-- XSS END -->
<script nonce="secret" src="require.js"></script>
When require.js finds a script element with a data-main attribute, it loads the script named in that attribute, using code equivalent to the following:
var node = document.createElement('script');
node.src = 'data:,alert(1)';
document.head.appendChild(node);
As described above, strict-dynamic allows a script created with createElement() to load without a nonce.

In this way, strict-dynamic can sometimes be bypassed by abusing the behavior of JavaScript that is already loaded in the page.
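The following is an added example, not code from the original post or from the CSP spec: a simplified JavaScript model of how a browser decides whether a script element may run under a script-src directive. It covers both the strict-dynamic rules explained in the previous section (nonce, parser-inserted versus createElement()) and the require.js gadget above, where the injected element is blocked but the createElement() load it triggers is allowed. Scripts are plain objects { src, nonce, parserInserted } and policies are header strings; the page URL, the policies and the script cases are constructed for the demonstration, and hashes, 'unsafe-eval', report-only mode and default-src fallback are left out.

```javascript
// Added example, not code from the original post or from the CSP spec: a
// simplified model of how a browser decides whether a <script> element may run
// under a script-src directive, including the 'strict-dynamic' rules. Scripts
// are plain objects { src, nonce, parserInserted }; policies are header strings.
// Hashes, 'unsafe-eval', report-only mode and default-src fallback are omitted.

// Extract the script-src directive into a structured source list.
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => d === 'script-src' || d.startsWith('script-src '));
  if (!directive) return null;
  const src = { nonces: new Set(), hosts: [], self: false, unsafeInline: false, strictDynamic: false };
  for (const token of directive.split(/\s+/).slice(1)) {
    const lower = token.toLowerCase();
    if (lower.startsWith("'nonce-") && lower.endsWith("'")) {
      src.nonces.add(token.slice(7, -1));          // nonce values are case-sensitive
    } else if (lower === "'self'") {
      src.self = true;
    } else if (lower === "'unsafe-inline'") {
      src.unsafeInline = true;
    } else if (lower === "'strict-dynamic'") {
      src.strictDynamic = true;
    } else if (!lower.startsWith("'")) {
      src.hosts.push(lower);                        // host-source or scheme-source
    }
  }
  return src;
}

// Does a host-source / scheme-source expression match the script URL?
// Paths and ports in the expression are ignored to keep the model short.
function hostMatches(expr, url) {
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr;   // e.g. 'https:'
  const host = expr.replace(/^([a-z][a-z0-9+.-]*:)?\/\//, '').split('/')[0].split(':')[0];
  if (host === '*') return true;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// The decision. pageOrigin is the URL of the document enforcing the policy.
function scriptAllowed(policy, script, pageOrigin) {
  const src = parseScriptSrc(policy);
  if (!src) return true;                                   // no script-src in this model: unrestricted
  // 1. A script element carrying a nonce from the policy is always allowed.
  if (script.nonce && src.nonces.has(script.nonce)) return true;
  // 2. 'strict-dynamic': the whitelist, 'self' and 'unsafe-inline' are ignored.
  //    Trust propagates only to elements that were NOT inserted by the HTML
  //    parser, i.e. created via createElement()/appendChild(), never to markup
  //    from document.write() or an injection in the page source.
  if (src.strictDynamic) return !script.parserInserted;
  // 3. Classic whitelist evaluation.
  if (!script.src) return src.unsafeInline;                // inline script body
  const url = new URL(script.src, pageOrigin);
  if (src.self && url.origin === new URL(pageOrigin).origin) return true;
  return src.hosts.some((h) => hostMatches(h, url));
}

// Stand-alone demonstration using the policies from the post (page URL is made up).
const PAGE = 'https://app.example.org/';
const CLASSIC = "default-src 'none'; script-src 'self' trusted.example.com";
const STRICT = "default-src 'none'; script-src 'nonce-secret' 'strict-dynamic'";
const cases = [
  ['classic: JSONP on whitelisted host', CLASSIC, { src: '//trusted.example.com/jsonp?callback=alert(1)//', parserInserted: true }],
  ['strict: nonced A.js', STRICT, { src: '//example.com/assets/A.js', nonce: 'secret', parserInserted: true }],
  ['strict: createElement dependency', STRICT, { src: '//example.org/dependency.js', parserInserted: false }],
  ['strict: document.write dependency', STRICT, { src: '//example.org/dependency.js', parserInserted: true }],
  ['strict: injected data-main element', STRICT, { parserInserted: true }],
  ['strict: require.js loading data-main', STRICT, { src: 'data:,alert(1)', parserInserted: false }],
];
for (const [label, policy, script] of cases) {
  console.log(label.padEnd(40), scriptAllowed(policy, script, PAGE) ? 'allowed' : 'blocked');
}
```

The two last cases are the require.js gadget: the injected `<script data-main>` has no nonce and is parser-inserted, so it never runs, but once require.js reads its data-main attribute and appends a new script element, that element is not parser-inserted and the policy lets it through.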

Firefox's vulnerability was caused by this behavior of require.js.
In the next section, I'll explain the vulnerability.

Universal strict-dynamic bypass (CVE-2018-5175)


Firefox implements some browser features using legacy extensions. By legacy extensions I mean the XUL/XPCOM-based extensions whose support was removed in Firefox 57, not WebExtensions. Even in the latest Firefox 60, the browser internals still use this mechanism.

In this bypass, we use a resource of a legacy extension that is used by the browser internals. In WebExtensions, listing a file under the web_accessible_resources key in the manifest makes it accessible from any web page. Legacy extensions have a similar option, the contentaccessible flag. This could be used to bypass CSP because a require.js shipped as a browser-internal resource was accessible from any web page due to a contentaccessible=yes flag.

Let's look into the manifest. If you are using Firefox on Windows, you can see the manifest by opening the following URL (adjust the path to your own install directory):

jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/chrome/chrome.manifest
content branding browser/content/branding/ contentaccessible=yes
content browser browser/content/browser/ contentaccessible=yes
skin browser classic/1.0 browser/skin/classic/browser/
skin communicator classic/1.0 browser/skin/classic/communicator/
content webide webide/content/
skin webide classic/1.0 webide/skin/
content devtools-shim devtools-shim/content/
content devtools devtools/content/
skin devtools classic/1.0 devtools/skin/
locale branding ja ja/locale/branding/
locale browser ja ja/locale/browser/
locale browser-region ja ja/locale/browser-region/
locale devtools ja ja/locale/ja/devtools/client/
locale devtools-shared ja ja/locale/ja/devtools/shared/
locale devtools-shim ja ja/locale/ja/devtools/shim/
locale pdf.js ja ja/locale/pdfviewer/
overlay chrome://browser/content/browser.xul chrome://browser/content/report-phishing-overlay.xul
overlay chrome://browser/content/places/places.xul chrome://browser/content/places/downloadsViewOverlay.xul
overlay chrome://global/content/viewPartialSource.xul chrome://browser/content/viewSourceOverlay.xul
overlay chrome://global/content/viewSource.xul chrome://browser/content/viewSourceOverlay.xul
override chrome://global/content/license.html chrome://browser/content/license.html
override chrome://global/content/netError.xhtml chrome://browser/content/aboutNetError.xhtml
override chrome://global/locale/appstrings.properties chrome://browser/locale/appstrings.properties
override chrome://global/locale/netError.dtd chrome://browser/locale/netError.dtd
override chrome://mozapps/locale/downloads/settingsChange.dtd chrome://browser/locale/downloads/settingsChange.dtd
resource search-plugins chrome://browser/locale/searchplugins/
resource usercontext-content browser/content/ contentaccessible=yes
resource pdf.js pdfjs/content/
resource devtools devtools/modules/devtools/
resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes
resource devtools-client-shared resource://devtools/client/shared/ contentaccessible=yes
The highlighted lines, "resource devtools devtools/modules/devtools/" and "resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes", are what make the file accessible from any web site. These two lines create resource: URIs. The first line maps the devtools/modules/devtools/ directory (which exists at jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/chrome/devtools/modules/devtools/) to resource://devtools/.
We can now access files under that directory by opening resource://devtools/ in Firefox. Likewise, the next line maps resource://devtools/client/jsonview/ to resource://devtools-client-jsonview/. Because of the contentaccessible=yes flag this URL is web-accessible, so any web page can load the files placed under this directory.
This directory contains a require.js that can be used to bypass CSP. Just by loading this require.js into a page protected by strict-dynamic, you can bypass strict-dynamic.
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-secret' 'strict-dynamic'">
<!-- XSS START -->
<script data-main="data:,alert(1)"></script>
<script src="resource://devtools-client-jsonview/lib/require.js"></script>
<!-- XSS END -->
With this code, the data: URL is loaded as a JavaScript resource and an alert dialog pops up.
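To audit which packages a build exposes to web content, here is an added example (not Mozilla's code and not from the original post) that parses the chrome.manifest format shown above and lists the chrome:// and resource:// prefixes flagged contentaccessible=yes. It also follows resource: targets that point at another resource: mapping, which is how resource://devtools-client-jsonview/ ends up at devtools/modules/devtools/client/jsonview/ inside omni.ja. The manifest excerpt embedded in the code is constructed from lines quoted above; whether a given prefix is loadable from a page in a specific Firefox version is for the browser to decide, this only reads the flag.

```javascript
// Added example, not Mozilla code: a parser for the chrome.manifest format
// quoted above that lists which chrome:// and resource:// packages a Firefox
// build exposes to ordinary web pages via the contentaccessible=yes flag.
// The excerpt below is constructed from lines quoted in this post.

const MANIFEST = `
content branding browser/content/branding/ contentaccessible=yes
content browser browser/content/browser/ contentaccessible=yes
skin browser classic/1.0 browser/skin/classic/browser/
content devtools devtools/content/
override chrome://global/content/license.html chrome://browser/content/license.html
resource usercontext-content browser/content/ contentaccessible=yes
resource pdf.js pdfjs/content/
resource devtools devtools/modules/devtools/
resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes
resource devtools-client-shared resource://devtools/client/shared/ contentaccessible=yes
`;

// Each line is: <type> <args...> [flag=value ...]. Blank lines and '#' comments are skipped.
// Only key=value flags are recognised; a bare flag token would be kept as an argument.
function parseManifest(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [type, ...rest] = line.split(/\s+/);
    const args = [];
    const flags = {};
    for (const token of rest) {
      const eq = token.indexOf('=');
      if (eq > 0) flags[token.slice(0, eq)] = token.slice(eq + 1);
      else args.push(token);
    }
    entries.push({ type, args, flags });
  }
  return entries;
}

// URL prefix under which web content would address a package.
function urlPrefix(entry) {
  if (entry.type === 'content') return `chrome://${entry.args[0]}/content/`;
  if (entry.type === 'resource') return `resource://${entry.args[0]}/`;
  return null;
}

// Follow resource:// targets through other resource mappings down to the
// path inside omni.ja; the depth guard stops a self-referencing manifest.
function resolveTarget(entries, target, depth = 0) {
  const m = /^resource:\/\/([^/]+)\/(.*)$/.exec(target);
  if (!m || depth > 10) return target;
  const base = entries.find((e) => e.type === 'resource' && e.args[0] === m[1]);
  return base ? resolveTarget(entries, base.args[1] + m[2], depth + 1) : target;
}

// Packages reachable from any web page: content/resource entries flagged contentaccessible=yes.
function listWebAccessible(text) {
  const entries = parseManifest(text);
  return entries
    .filter((e) => (e.type === 'content' || e.type === 'resource') && e.flags.contentaccessible === 'yes')
    .map((e) => ({ url: urlPrefix(e), path: resolveTarget(entries, e.args[1]) }));
}

for (const { url, path } of listWebAccessible(MANIFEST)) {
  console.log(`${url}  ->  ${path}`);
}
```

Run it against the chrome.manifest of an installed build (the omni.ja path given above) and every listed prefix is a directory whose contents you should review for script gadgets such as the require.js discussed here, since a page's CSP did not apply to them before the fix.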

You might think, "Hmm, why is require.js loaded at all? It should be blocked by CSP because the script element does not have the proper nonce."

Actually, no matter how strictly you set the CSP, web-accessible resources of extensions are loaded regardless of the policy. This behavior is mentioned in the CSP spec:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].
Firefox's resource: URIs also fell under this rule. Thanks to it, users can use an extension's features as expected even on pages that set a CSP, but on the other hand this privilege can sometimes be used to bypass the CSP, as in this bug.
Of course, this issue is not limited to browser-internal resources. The same thing happens with ordinary browser extensions if they expose web-accessible resources that can be used to bypass CSP.

It seems that the Firefox developers fixed this bug by applying the page's CSP to resource: URIs.

In closing


I wrote about a CSP strict-dynamic bypass vulnerability in Firefox.

FYI, I found this issue while looking for another solution to the third level of the Cure53 CNY XSS Challenge 2018, which I made. In that challenge I used a different trick to bypass strict-dynamic. Please check it out if you are interested.

Also, I created a different version of this XSS Challenge and I'm still waiting for your answer :)

Lastly, I'd like to thank Google's research, which made me notice this bug. Thank you!
