Open matanber opened 2 months ago
Hi @matanber , please see https://github.com/LavaMoat/snow/issues/158#issuecomment-2094736819
And as for this specific bypass - good one.
I remember realizing this can be done at some point after merging the original solution, so I can't say I'm surprised.
But I think it's clever to see that :)
Snow overrides the
URL.createObjectURL
function to only allow creation of Blob URLs if the blob type is included in a specific whitelist that Snow keeps. However, if the blob isn't an "artificial blob" (wasn't created using theBlob()
constructor), this check isn't performed, and the blob URL is created regardless of the blob type. Because an attacker can get access to a non-artificial blobs with an arbitrary content and type using theResponse.prototype.blob
function, this can be exploited in order to create URLs for arbitrary blobs. Here is a short demo for that:This can be then used to bypass Snow, using a PoC such as the following: