Cross Domain Data Access via JavaScript: window.open

By YGN Ethical Hacker Group -

The Analysis

In 2008, we prepared a quick short demo  about "Cross-Domain Autcomplete Data Access" or "How Bad Guys Steal your Login Info Smartly". 

Let's learn about another not-so-old cross-domain vulnerability in Firefox 4 - Firefox 11 discovered by Jordi Chancel, Eddy Bordi, and Chris McGowen.  The bug relied on the Firefox's  processing of the JavaScript "window.open()" API.   The proof-of-concept exploit comprised of two components:
  • A client-side page that does a redirection trick with JavaScript API - history.back(), history.forward() and 
  • A server-side page that does a redirection trick with  JavaScript API - history.forward()  and a server-side timing redirection to an ARBITRARY web site 
Brandon the explained the root cause in a simple way in the  Bugzilla post:
When using window.open and some APIs to navigate the opened document, it is possible to navigate the opened document to a different site, while the location bar doesn't stay in sync with the new location.
The visible part was attacker's controlled web site with contents from his targeted web site. The background end result was being able to inject his controlled scripts into his targeted web sites. 

As we can learn from Chris's demo,  the execution of the JavaScript at the localhost was actually triggered at an off-site site, www.google.com, according to his mentioned script domain.domain property.   

The vulnerability went far beyond the URL spoofing.  In a normal URL spoofing vulnerability, the script execution ties only to the localhost itself. 

The issue was filed under Mozilla Advisory 2012-27 and CVE-2012-0474.

Lesson Learnt

Apparently, this window.open trick was used as URL spoofing test vector since the early days of Firefox 1.x/2.x and Internet Explorer 6.x.  It is surprised to see new versions of Firefox re-introduced the old issue. 

Finding zero-day or browser-based flaws give invaluable advantage to attackers as they do not need to exploit web applications; hence decreasing the chance of their attack being noticed and increasing the likelihoods of their attack against victims being successful.

It has been recommended to use a single-browser based approach on accessing critical web sites.  This advice was not feasible for those web 2.0 applications which have plethora of complex third-party integration. For example, you have to use your Google account to post comments or purchase applications from Google store.  

However, critical applications such as Banking should not rely third-party systems to do their operations so users can use the "single-browser, single domain" approach to safely use the service. 



Comments

Post a Comment

Popular posts from this blog

XSS: Gaining access to HttpOnly Cookie in 2012

By YGN Ethical Hacker Group -
Image
Update 2016/02: We were asked by a lot if this still works.  Shortly after our disclosure, this issue has been patched. ------ The Background - The Past Gaining access to  HttpOnly cookie  was first attempted by means of XST,  Cross Site Tracing  vulnerability. Soon after the popularity of XST, the TRACE method has been disabled by most web servers.  Later, browsers' implementation of XMLHttpRequest also blocked "TRACE" method (i.e.  xmlhttp.open('TRACE', url, true) ].  Later,  a flawed implementation in Firefox's  XMLHttpRequest which can be used to access set-cookie response header was fixed.   JS Debugger pointing out "TRACE" method as invalid arugment   JS Debugger pointing out "TRACE" method as illegal value A Sla.ckers.org forum member, LeverOne, posted ways to access HttpOnly cookie through the use of Java API and applet.  I reproduced his techniques. When the first method was tried, the Java Runtime did no
Read more

Jumping out of Touch Screen Kiosks

By YGN Ethical Hacker Group -
Image
Background: Nowadays, the use of large touch screen kiosks has been prevalent.  They are to replace tradition paper-based brochures and to provide more interactive means to consumers. In restaurants, you can see a variety of food menu that can be accessible in large touch screen LCD monitor.  In your local Telcos, you can see a variety of mobile and Internet subscriptions plans.   Behind these touch screen menus are running standalone or browser-mode Adobe Flash applications which are second-to-none for interactivity and scalablity and ease of update. Data could be pulled from somewhere round their centralized web severs. Weakness: Jumping out We cannot use  iKat  at first as we do not have access to any keyboard facility. However, the trick is no-brainer. Do long press on any locations and relieve.  You should see the usual Flash context menu like: Touch "Global Settings".  A web browser window will pop up and redirect to the Adobe URL,  http://www.macromedia.c
Read more