[Webkit-unassigned] [Bug 192628] New: Service Worker <script> interception allows exploiting unexploitable XSSI
bugzilla-daemon at webkit.org
Wed Dec 12 08:52:40 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=192628
Bug ID: 192628
Summary: Service Worker <script> interception allows exploiting unexploitable XSSI
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Service Workers
Assignee: webkit-unassigned at lists.webkit.org
Reporter: prakashsharma97 at hotmail.com
What is XSSI?
> Cross Site Script Inclusion (XSSI) is an attack technique (or a vulnerability) that enables attackers to steal data of certain types across origin boundaries, by including target data using SCRIPT tag in an attacker's Web page.
Steps to reproduce:
Please visit https://cm2.pw/poc/chrome/xssi and you should see an alert with the email.
Things worth noting here are:
- The initial <script> url, if requested directly, doesn't produce any output
- We're using Service Worker to intercept the request and send POST request instead
- The returned content is valid JavaScript. Thus we're able to read `email`.
- We can also add request headers like 'Accept', added for demonstration purposes.
Actual results:
<script> can be intercepted to send a custom request like POST with other headers.
It's now possible to read cross-domain responses if the response is valid JavaScript, no matter the request method (i.e. simple requests). Further, we can observe that several applications respond with the 'Content-type' specified in the 'Accept' header. Service Worker now makes them prone to XSSI, as it allows sending the 'Accept' (safelisted) header with a <script> tag and reading the side effects, if any.
Expected results:
<script> is expected to send default request with default headers.
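For the server side of the problem described above, here is an added example (not code from this bug report, the linked PoC, or WebKit) of how an endpoint can stay safe even when a Service Worker rewrites a <script> fetch into a POST with a custom Accept header: the content type is never derived from Accept, and the body is prefixed so it is a syntax error when parsed as a script. The handler name, payload and helper names are illustrative assumptions.

```javascript
// Added example: XSSI-resistant JSON endpoint (assumed names, constructed data).

// Prefix that makes the body a SyntaxError when consumed via <script>;
// a cooperating client strips it before JSON.parse.
const ANTI_XSSI_PREFIX = ")]}',\n";

// Sensitive endpoint handler (hypothetical). It deliberately ignores
// req.method and req.headers.accept: the response type is fixed, so
// Accept-driven content negotiation, which the report observes in several
// applications, cannot turn the response into executable JavaScript.
function handleAccountRequest(req, payload) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8', // never taken from Accept
      'X-Content-Type-Options': 'nosniff',                // no MIME sniffing to script
      'Cache-Control': 'no-store',
    },
    body: ANTI_XSSI_PREFIX + JSON.stringify(payload),
  };
}

// Self-check for tests or monitoring: does this body parse as a JavaScript
// program? new Function only parses; nothing is executed. A body that parses
// is an XSSI candidate; a SyntaxError means a <script> tag cannot consume it.
function isParsableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Legitimate same-origin client: strip the prefix, then parse.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_XSSI_PREFIX)) {
    throw new Error('missing anti-XSSI prefix');
  }
  return JSON.parse(body.slice(ANTI_XSSI_PREFIX.length));
}

// Constructed request mimicking the rewritten <script> fetch from the report.
const rewrittenRequest = { method: 'POST', headers: { accept: 'text/javascript' } };
const response = handleAccountRequest(rewrittenRequest, { email: 'user@example.com' });
console.log(response.headers['Content-Type'], isParsableAsScript(response.body));
```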