search

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License
102 stars 9 forks source link

Snow can be bypassed with frameSet #74

Closed magicmac closed 1 year ago

magicmac commented 1 year ago

It seems that I'm inspired :) Here's another one using a frameset. Top access directly.

iFrame = document.createElement('iframe');
iFrame.srcdoc = '<frameset><frame src="javascript:alert.call(top, 1 )"></frameset>';
document.body.appendChild(iFrame);

Happy patching!

magicmac commented 1 year ago

By the way, @weizman, I've just realized I'm too old, that's why I recalled frameSet, but no worries, nobody that was born after 2000's will know it, so no hurries =) :P

weizman commented 1 year ago

Hi again @magicmac!

In my defense, I was well aware of frameset in this project already as can be seen here.

This vulnerability is actually more specific than you think, and quite strange actually!

When injecting srcdoc html, I hook into that and make sure to protect it. I do so, by loading the html of the srcdoc into a fake element, and then apply Snow protections to any "realmable" elements. I use the standard template element to accomplish the task.

HOWEVER, it turns out rendering the <frameset> element within a template element is impossible for some reason! Maybe because it's so old? 😅

If you try to load <frameset><frame src="javascript:alert.call(top, 1 )"></frameset> into a template element, you end up with zero children!

To fix that, I transitioned into using a regular DOM element instead of the template one, which identifies the frameset element at parsing correctly.

That was enough to patch this super specific and cool vulnerability #75

Thanks again @magicmac!

magicmac commented 1 year ago

Haha =) I'm glad that you already played with that. I believe that the frameset element is not only old, but deprecated, discouraged and disliked! I don't know why it's not rendering in templates but I remember I had problems in the past rendering them after the body element. Either way, I will come back in a few weeks once the online version is patched and play again with it! It's an immense challenge that you are trying to achieve, and it's fun to play with it :)

Either way, congrats and thank you for trying to make the web safer! =)