Content-Security-Policy should apply to Flash-initiated requests.
Reported by ma7h1a...@gmail.com, Aug 16 2017
Issue description

AFFECTED PRODUCTS
--------------------
chrome 60.0.3112.90

DESCRIPTION
--------------------
If a Flash file wants to send a cross-domain request via URLLoader, it must first check crossdomain.xml on the target site to confirm whether it may send the cross-domain request. But at this time it violates CSP and loads secretcookie.attacker.com/crossdomain.xml, which could leak information via the DNS protocol.

PoC
--------------------
poc.html, which enables the Content Security Policy; please put it on a local HTTP server and set a cookie for the test.
tester.swf, which uses URLLoader to send a cross-domain request.
tester.as is the source file of tester.swf.
attack.gif shows the whole attack.
This attack shows that your secret cookie is sent to a remote server, bypassing the Content Security Policy.

SOLUTION
--------------------
Block the Flash request if it violates the CSP.

CREDIT
--------------------
This vulnerability was discovered by mathiaswu of Tencent's Xuanwu Lab.
Aug 16 2017
As far as I know, CSP doesn't really aim to provide "data leak prevention" against DNS queries (e.g. does it currently restrict <link rel="dns-prefetch"> in any way?), but I'm not an expert here. This is quite similar to the original filer's Issue 749395.
Aug 16 2017
Yes, but the biggest difference between this issue and Issue 749395 is that it really loads a resource on victim.com, rather than navigating to a new page. (Data leak is just one way to show it bypasses CSP, not all of this issue.)
Aug 16 2017
For accuracy, let me describe the following situation:
1. Flash uses URLLoader to load a resource from the attacker.
2. Flash uses ExternalInterface to write the content obtained in step 1 into the current HTML page.
3. Then it finally loads the resource, bypassing CSP.
So this issue is not just related to DNS queries (sorry for my poor English); the HTTP request is also sent and its result obtained! I'll write an exploit to show you, please wait.
Aug 16 2017
1. Target resource: http://www.math1as.com/target.html
2. CSP set to default-src:'self'
3. The victim's site loads the target resource, ignoring the CSP settings.
attack2.gif shows the total bypass. Could you please correct the Summary?
Aug 16 2017
Ah, so the claim is that "Flash URLRequest not constrained by Content-Security-Policy"? If so, that sounds more like Issue 122218.
Aug 16 2017
Yes, I guess so. And it seems like it should respect the connect-src CSP directive.
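As an added example (not code from the thread or from Chromium), a small CSP header checker that applies the default-src fallback: it makes the point of the discussion concrete, since a connect-src restriction cannot help when the plugin's own requests are not subject to CSP, so the only policy-level lever is whether object-src lets plugin content into the page at all. The policy strings are constructed; the "weak" one is the default-src 'self' policy the reporter describes, which still permits a same-origin SWF.

```python
from typing import Dict, List, Optional

# CSP fetch directives that fall back to default-src when absent.
FALLS_BACK_TO_DEFAULT = {
    "connect-src", "object-src", "script-src", "img-src",
    "style-src", "frame-src", "media-src", "font-src",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first token of each is the name, the rest
    are sources. Names are case-insensitive and, as in browsers, a repeated
    directive keeps its first occurrence.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Sources governing `name` after the default-src fallback; None = unrestricted."""
    if name in policy:
        return policy[name]
    if name in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def plugins_allowed(header: str) -> bool:
    """True if the policy lets the page embed plugin content such as a SWF."""
    sources = effective_sources(parse_csp(header), "object-src")
    if sources is None:
        return True   # no object-src and no default-src: nothing restricts plugins
    if not sources:
        return False  # a directive with an empty value matches no source at all
    return [s.lower() for s in sources] != ["'none'"]


# Constructed policies: the reporter's scenario versus one that keeps Flash out.
WEAK_POLICY = "default-src 'self'"
HARDENED_POLICY = "default-src 'self'; object-src 'none'"
```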
Aug 25 2017
I'll let andypaicu@ close it if it's considered WAI and a feature request.
Oct 9 2017
It might actually be possible to lock down Flash in Chrome in various ways now that we only have PPAPI. That said, we're also in the process of removing Flash, so it's not clear how much value there is in figuring out how to teach the PPAPI context about the document's CSP and to ask Flash to categorize its various request types. I'll open this up and mark it available. If we can find some time to poke at Flash's innards, there's value in doing so.
Aug 26
Issue 877743 has been merged into this issue.
Comment 1 by ma7h1a...@gmail.com, Aug 16 2017: four attachments (164 bytes, 1.0 KB, 565 bytes, 3.7 MB)