Home

Awesome

Cross-Site Content (Data) Hijacking (XSCH) PoC Project

License

Released under AGPL (see LICENSE for more information).

Description

This project can be used to provide a proof of concept for:

Note: .XAP files can be renamed to any other extension but they cannot be load cross-domain anymore. It seems Silverlight finds the file extension based on the provided URL and ignores it if it is not .XAP. This can still be exploited if a website allows users to use ";" or "/" after the actual file name to add a ".XAP" extension.

Usage

Note: .XAP files can be renamed to any other extension but they cannot be load cross-domain anymore. It seems Silverlight finds the file extension based on the provided URL and ignores it if it is not .XAP. This can still be exploited if a website allows users to use ";" or "/" after the actual file name to add a ".XAP" extension.

Note: When Silverlight requests a .XAP file cross-domain, the content type must be: application/x-silverlight-app.

Note: PDF files can only be used in Adobe Reader viewer (they will not work with Chrome and Firefox built-in PDF viewers)

Note: Reading static contents or data that is publicly accessible cannot be considered as an issue. It is important to remove false-positive results from your advisories. Note that the use of an astresik ("*") character alone in the "Access-Control-Allow-Origin" header is not an issue.

Usage Example:

Generic Recommendation to Solve the Security Issue

The file types allowed to be uploaded should be restricted to only those that are necessary for business functionality.

The application should perform filtering and content checking on any files which are uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users. If in doubt, the file should be discarded.

Adding the "Content-Disposition: Attachment" and "X-Content-Type-Options: nosniff" headers to the response of static files will secure the website against Flash or PDF-based cross-site content-hijacking attacks. It is recommended that this practice be performed for all of the files that users need to download in all the modules that deal with a file download. Although this method does not fully secure the website against attacks using Silverlight or similar objects, it can mitigate the risk of using Adobe Flash and PDF objects, especially when uploading PDF files is permitted.

Flash/PDF (crossdomain.xml) or Silverlight (clientaccesspolicy.xml) cross-domain policy files should be removed if they are not in use and there is no business requirement for Flash or Silverlight applications to communicate with the website.

Cross-domain access should be restricted to a minimal set of domains that are trusted and will require access. An access policy is considered weak or insecure when a wildcard character is used especially in the value of the "uri" attribute.

Any "crossdomain.xml" file which is used for Silverlight applications should be considered weak as it can only accept a wildcard ("*") character in the domain attribute.

Browser caching should be disabled for the corssdomain.xml and clientaccesspolicy.xml files. This enables the website to easily update the file or restrict access to the Web services if necessary. Once the client access policy file is checked, it remains in effect for the browser session so the impact of non-caching to the end-user is minimal. This can be raised as a low or informational risk issue based on the content of the target website and security and complexity of the policy file(s).

CORS headers should be reviewed to only be enabled for static or publicly accessible data. Otherwise, the "Access-Control-Allow-Origin" header should only contain authorised addresses. Other CORS headers such as "Access-Control-Allow-Credentials" should only be used when they are required. Items within the CORS headers such as "Access-Control-Allow-Methods" or "Access-Control-Allow-Headers" should be reviewed and removed if they are not required.

Note: Using "Referer" header cannot be a solution as it is possible to set this header for example by sending a POST request using Adobe Reader and PDF (see the "xfa-manual-ContentHijacking.pdf" file in the "objects" directory). Update: Setting the "referer" header has been addressed by Adobe unless you also find a bypass for it ;)

Project Page

See the project page for the latest update/help: https://github.com/nccgroup/CrossSiteContentHijacking

Author

Soroush Dalili (@irsdl) from NCC Group

References

Even uploading a JPG file can lead to Cross Domain Data Hijacking (client-side attack)! https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/

Multiple PDF Vulnerabilities - Text and Pictures on Steroids http://insert-script.blogspot.co.at/2014/12/multiple-pdf-vulnerabilites-text-and.html

HTTP Communication and Security with Silverlight http://msdn.microsoft.com/en-gb/library/cc838250(v=vs.95).aspx

Explanation Of Cross Domain And Client Access Policy Files For Silverlight http://www.devtoolshed.com/explanation-cross-domain-and-client-access-policy-files-silverlight

Cross-domain policy file specification http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html

Setting a crossdomain.xml file for HTTP streaming http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

Exploiting CVE-2011-2461 on google.com http://blog.mindedsecurity.com/2015/03/exploiting-cve-2011-2461-on-googlecom.html