Using Content-°ÂÁ´-À¯ºö for Evil

TL;DR How can we use technique created to Êݸ¤ë websites for Evil? (We used XSS Auditor for Evil before) There's a neat way: taking advantage of CSP we can ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë whether URL1 does redirect to URL2 and even bruteforce /path of URL2/path. This is a conceptual vulnerability in CSP design (°ãÈ¿ == ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸«), and there's no obvious way to ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë it.

¥Ç¥â & playground: http://homakov.github.io/csp.html

What is CSP

CSP header tells browsers what "inline scripts" and/or 3rd party scripts (you must ÌÀ¼¨¤¹¤ë hosts) can be Ééôd/¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ëd for this page. So if browser sees anything not µö¤¹d by the header it raises an exception (°ãÈ¿). 
Chrome 16+, Safari 6+, and Firefox 4+ support CSP. IE 10 has very ¸Â¤é¤ì¤¿¡¿Î©·ûŪ¤Ê support.

As soon as »ÈÍÑ¼Ô ¹¶·â¤¹¤ë¡¤¾×Æͤ¹¤ës HOST1 he gets 302 redirect to HOST2 and that's where °ãÈ¿ happens, because HOST2 is not µö¤¹d by CSP. It sends POST request to /q with "Éõº¿¤¹¤ëd-uri":"http://HOST2" (only hostname, path is stripped for Îà»÷¤Î °ÂÁ´ ¿äÏÀ¤¹¤ë¡¿Íýͳs).

You can see the exception in console of Web »ë»¡´± (but you cannot catch it with JS).

Just console notice seemed not enough to ´ð½à's authors, thus they introduced "Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬-uri" »Ø¼¨Åª¤Ê which ÄÌÃΤ¹¤ës host about the °ãÈ¿. »ÈÍѼÔ-¥¹¥Ñ¥¤¡¿¼¹¹Ô´± sends POST request with JSON ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës about °ãÈ¿.

All Æù¿Æ¡¤¿ÆÎàd of ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸«s are bad.

Given HOST1 redirects to HOST2 for some »ÈÍѼÔs, we can ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë if ¸½ºß¤Î »ÈÍÑ¼Ô was redirected: let's ÌÀ¼¨¤¹¤ë HOST1 as µö¤¹d host in our CSP using ¤Ë°ú¤­Â³¤¤¤Æ HTML:

<meta http-equiv="Content-°ÂÁ´-À¯ºö" content="img-src HOST1;Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬-uri /q">

<img src="HOST1">

¶ÈÀÓ¡¿À®½¢ 1: we can ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë if ³Î¤«¤Ê URL redirects to HOST2 listening to "Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬-uri" Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬s.

Privacy, »ØÌæs and OAuth.

OAuth is based on redirects, and this is a ÊúÍʤ¹¤ë ÏÈÁÈ¤ß design ÌäÂ꡿ȯ¹Ô¤¹¤ë (more ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës in other ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ës).

¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í redirects to Provider/auth?client_id=123&redirect_uri=¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í/callback and in »öÎã¡¿´µ¼Ô this ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í is already ¸¢¸Â¤òÍ¿¤¨¤ëd for ¸½ºß¤Î »ÈÍѼÔ, Provider redirects to ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í/callback automatically.

Using CSP trick we can check if ¸½ºß¤Î »ÈÍÑ¼Ô has ¸¢¸Â¤òÍ¿¤¨¤ëd ³Î¤«¤Ê ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís (Farmville, Foursquare or PrivateYahtClubApp). Quickly. We À¸À®¤¹¤ë something like this:

<img src="facebook/?client_id=1&redirect_uri=Client1">

<img src="facebook/?client_id=2&redirect_uri=Client2">

<img src="facebook/?client_id=3&redirect_uri=Client3">

...

All ¸¢¸Â¤òÍ¿¤¨¤ëd apps will ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë CSP °ãÈ¿ Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬ having "Éõº¿¤¹¤ëd-uri":"http://Client1" in it.

¶ÈÀÓ¡¿À®½¢ 2: Using 100-500 most popular FB ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís we can build sort of »ÈÍѼÔ's »ØÌæ: what apps you ¸¢¸Â¤òÍ¿¤¨¤ë and what websites you frequently visit.

Bruteforcing with CSP

The new ¼Â»Ü of CSP in Chrome (from 16 to ¸½ºß¤Î 31+ ¸«²ò¡¿ËÝÌõ¡¿ÈÇ)  can ÌÀ¼¨¤¹¤ë exact URLs, not just host »Ø̾¤¹¤ës.

Using bunch of µö¤¹d URLs we can bruteforce user_id when http://HOST/id redirects to http://HOST/id12345

For this we will need ÃÏ¿Þ¡¿·×²è¤¹¤ë-¸º¤º¤ë style Ä´ºº¡Ê¤¹¤ë¡Ëing (I used it before to brute <script>s with XSS Auditor). First we Ééô few iframes with big bunches in CSP header: 1 to 10000, 10000 to 20000 etc.

We define in CSP ÈÏ°Ïs of URLs from id=1 to id=10000, from id=10000 to id=20000 and so on. Every °ãÈ¿ will ¸øɽ¤¹¤ë¡¿Ë½Ïª¤¹¤ë if Ū id was ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ëd in ¡Ê¼êÀè¤Î¡Ëµ»½Ñd CSP header. As soon as we reach bunch not raising an exception (10 seconds timeout is enough), we can ʬÎö¡Ê¤¹¤ë¡Ë that bunch into 10 smaller bunches, 1000 per each, until we ¿Íʪ¡¿»Ñ¡¿¿ô»ú out Ū id:

<iframe src="/between?from=20000&to=21000"></iframe>

<iframe src="/between?from=21000&to=22000"></iframe>

For social ÌÖ¾õÁÈ¿¥ VK (m.vk.com/photos redirects to m.vk.com/photosMYID) ²áÄø of guessing will take unfeasibly long while, because they have over 100 million accounts. But for smaller websites ÈÏ°Ïs are smaller and ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸« is real.

¶ÈÀÓ¡¿À®½¢ 3: with ÃÏ¿Þ¡¿·×²è¤¹¤ë-¸º¤º¤ë style bruteforce we can ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë /path (not ?query) of redirect ÌÜŪÃÏ (URL redirects to HOST2/path). Onerror/onload ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸« You might ask: "Will ½üµî of Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬-uri »Ø¼¨Åª¤Ê ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë this ÌäÂ꡿ȯ¹Ô¤¹¤ë?" No. It is more high level ÌäÂ꡿ȯ¹Ô¤¹¤ë. Since CSP Éõº¿¤¹¤ës not µö¤¹d URLs, it doesn't ²ò¸Û¤¹¤ë¡¿Ë¤²Ð¡¿¼Í·â up "onload" event, just as X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs Éõº¿¤¹¤ë doesn't ²ò¸Û¤¹¤ë¡¿Ë¤²Ð¡¿¼Í·â it up. °Î¶È¡¿ÍøÍѤ¹¤ë gets even faster: ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë.src = 'data:text/html,<meta http-equiv="Content-°ÂÁ´-À¯ºö" content="img-src '+µö¤¹d+';"><img src="'+url+'" onerror=parent.postMessage(1,"*") onload=parent.postMessage(2,"*")>' ¶ÈÀÓ¡¿À®½¢ 4: we can really quickly ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë if ³Î¤«¤Ê URL redirects to HOST2 ÍøÍѤ¹¤ëing onload/onerror events. Mitigation? IMO we should ½üµî¤¹¤ë 'Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬-uri' and invoke 'onload' event even if URL was Éõº¿¤¹¤ëd by CSP. I know, it is º®Í𤵤»¤ëing approach, but it's the only way to get rid of ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸«. My ½é´ü¤Î Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬ (31 Oct) was ¼¨¤¹d as Severity: Èó¡¤ÉÔ¡¤Ìµ by Chrome and not going to be ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd soon. It will Í׵᤹¤ë ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëing the ´ð½à anyway. ´Ø·¸¤Î¤¢¤ë ÌäÂ꡿ȯ¹Ô¤¹¤ë Pwning privacy with hash based URL ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸«