window.location.replace URI entries remain in Omnibox history list
Reported by jchiar...@gmail.com, Oct 20 2016
Issue description

VULNERABILITY DETAILS
window.location.replace is not being honored on the search bar.

Preconditions:
a) Web application using OAuth 2 implicit grant flow: https://tools.ietf.org/html/rfc6749#section-4.2
b) Computer sharing is frequent, for example in a classroom context.

Description of attack:
1. After successful authentication using the OAuth implicit grant flow, control is returned from the authorization server to the client application using a 302 redirect (Example: http://localhost/#access_token=the-token)
2. Observe that a valid token for the application is included in the hash.
3. The client application does a location replace to remove the token from the URL and prevent it from getting into browser history.
4. User logs out from the application.
5. Browser history does not include the token (see image: browser-history-ok.PNG).
6. However, it's possible to extract the token from the search bar (see image: browser-searchbar-attack-complete.PNG).

In this scenario:
1. The teacher can log out from the application.
2. Later a student could get the teacher's token using the search bar.
3. The student can impersonate the teacher until the token expires.

VERSION
Chrome Version: 54.0.2840.59 m (64-bit) stable
Operating System: Microsoft Windows 10 Pro - 10.0.14393 Build 14393

REPRODUCTION CASE
1. Place index.html and server.js in the same folder.
2. Open a console window in the folder and run "node server".
3. Open Chrome, clear all history. Open dev tools, set preserve log in the network tab.
4. Go to http://localhost:8000
5. That will send the browser to the "mock auth server".
6. The "mock auth server" will redirect back to the application. 302 location: http://localhost:8000/#access_token=the-token
7. window.location.replace will change the URL to http://localhost:8000/#. At this point, if you open the browser history you won't see the "#access_token=the-token" fragment (browser-history-ok.PNG).
However, if you try to input "http://localhost:8000/#" on the search bar you will see the token (browser-searchbar-attack-complete.PNG). Copy the token, attack complete.
Note: could not reproduce on other major browsers, just Chrome.
Oct 20 2016
Under Chrome's security guidelines, this isn't something that should be tracked as a security issue: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- It would be interesting to understand whether window.location.replace() is expected to preclude a URI's use in the Omnibox visited list.
Oct 20 2016
I don't entirely agree. This attack does not require any DLL tampering nor use of a "malicious DLL on a computer in a place where Chrome will find it and load it, or by hooking APIs". It's applicable without admin rights or changes to the machine. The scenario is likely to happen in environments with highly sensitive data: think about schools, kids sharing machines, hospital worker shifts, etc. Finally, this is not happening on other major browsers.
Oct 21 2016
Re #3: The point here is that all physically-local attacks are out of scope, not just those that involve replacing DLLs. If I have physical access to your PC and am logged in with your user-account, I can install a keylogger, I can install a malicious Chrome extension, I can open your databases with a hex dumper, I can examine the contents of memory, etc. All of these attacks will work on every browser. In an environment with highly sensitive data, user information is isolated by a proper security boundary (e.g. the Windows Logon Account).
Jun 20 2017
Hey, when I try this, the URL before location.replace and the URL after both appear in the History. Can anyone confirm that location.replace indeed doesn't appear in your history?
Jun 20 2017
In general though, the server should invalidate the secret token on logout. It doesn't make sense for the token to remain active (and just hidden via location.replace) after logout.
Comment 1 by jchiar...@gmail.com, Oct 20 2016: attachment (24.4 KB)