platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.
First slide label
Some representative placeholder content for the first slide.
Second slide label
Some representative placeholder content for the second slide.
Third slide label
Some representative placeholder content for the third slide.
Android Browser Same Origin Policy Bypass < 4.4 - CVE-2014-6041
published on 2014-08-31 09:33:00 UTC by Rafay Content:
Introduction
Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers, the basic idea behind the SOP is the javaScript from one origin should not be able to access the properties of a website on another origin. The origin is formed by the combination of Scheme, domain and port with the port being an exception to IE. There are some exceptions with SOP such the location property, objects wtih src attribute. However, the fundamental are that different origins should not be able to access the properties of one another.
SOP Bypass
A SOP bypass occurs when a sitea.com is some how able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have very strict model pertaining it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability i found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony+Xperia+Tipo, Samsung galaxy, HTC Wildfire, Motrorolla etc are also affected. To best of my knowledge, the issue occurred due to improper handling of nullbytes by url parser. Update: Other folks have verified this issue to work under Android browser < 4.4. Ref - https://github.com/rapid7/metasploit-framework/pull/3759
As you can see that the code tries accessing the document.domain property of a site loaded into an iframe. If you run the POC at attacker.com on any of the modern browsers, it would return a similar error as attacker.com should not be able to access the document.domain property of rhainfosec.com. Blocked a frame with origin "http://jsbin.com" from accessing a frame with origin "http://www.rhainfosec.com". Protocols, domains, and ports must match.
However, running it on any of the vulnerable smart phones default browsers would alert the document.domain property indicating that the SOP was not able to restrict the access to document.domain property of a site at a different origin.
I created the following POC, so you can mess around with some stuff:
Reading the response
You can read the response of any page by accessing the document.body.innerHTML property.
A lot of websites still use frame busting code to prevent the page from being prevent and since we can only bypass SOP here when the site could be framed. In case, where the site is using a frame busting code, we can bypass it using the sandbox attribute that was introduced as a part of HTML5 specifications.
The initial tests were carried out on android browser 4.2.1 (Qmobile) and below and later verified with Galaxy S3, HTC wildfire, Sony Xperia, Qmobile etc.
The following are some of the smartphones i tested with browserstack.com.
Samsung Galaxy S3
Motrorolla Razr
Sony Xperia Tipo
HTC Evo 3D and Wildfire
Hope you enjoyed it, Until next time. Pass the comments.
Updates
Haru Sugiyama has posted found an additional technique to read local files using this trick, To learn about it, please visit here - http://t.co/mGoVU1RWjf
A Content Security Policy bypass was also posted in browsers prior to 4.4 by abusing nullbytes - https://twitter.com/AndroidTamer/status/521494552574582784