Nytro

Nonce-based CSP + Service Worker = CSP bypass?


 
Service Worker is a great technology that allows you to develop a web app's offline experience and increase the performance of your website.
 
But this also means that a web page is cached. And if your website has a nonce-based CSP, then your CSP will also be cached. This means, no matter how random the nonce is (and you serve different nonces for every request), as long as the Service Worker sees that the request is the same, it'll respond with cached content, which always has the same CSP nonce.
 
To see if this can be exploited, I made a CSP bypass challenge.
 
The above page uses Strict CSP, and the Service Worker code was taken from Google's SW intro page (the second example you see when you click the link).
 
So it should be safe against XSS bugs, right? :)
 
Well, the challenge was made in a way that it's possible to bypass Strict CSP, and I'm hoping that people will find this CSP bypass in real websites someday :)
 
The challenge has 2 injection points.
  1. location.hash (Service Worker doesn't see the hash)
  2. Referrer passed to server (Service Worker doesn't see this either)
There are many other sources of XSS that Service Worker doesn't use as a key for a request (e.g. Stored XSS payload can't be keyed either).
 
The intended solution was the following.
 
Gareth wrote a great post about leaking information using <base> tag's target attribute even under Strict CSP. I used similar trick, which is iframe's name. I used referrer to inject iframe and name attribute leaked nonce of the legit script tag, and simply used a leaked nonce to execute script, through location.hash. This is possible because Service Worker doesn't care about changes in location.hash so it'll still serve cached content.
 
On the other hand, @lbherrera_ solved the challenge using CSS.
 
He used the referrer to inject an <input> tag and set the nonce as its value, and then brute-forced the nonce character by character using CSS. When the brute-force identifies a character, it'll send a request to his server, which will set a cookie with the matched nonce character, and save the whole nonce this way. After the whole nonce is stolen, he would use the location.hash to perform XSS with the proper nonce.
 
Conclusion:
  1. Service Worker might help bypass nonce-based CSP
  2. Always fix XSS bugs even if XSS is blocked by CSP. Time to time, I find CSP bypass in the browser as well (e.g. this). All mitigations have bypasses :)

 

Source: https://shhnjk.blogspot.com/2019/09/nonce-based-csp-service-worker-csp.html