Day-3: Bypassing the SOP!💣
FENIL SHAH
Posted on June 19, 2020
Day-3: Yesterday I looked and researched about what actually the SOP is and what actually the SOP does, Today I looked at all the attack vectors for SOP and also watched Nahamsec's Interview with Ngalongc! Nahamsec is one of the famous hackers who frequently does youtube videos as well as goes live on Twitch doing live hacking and interviews and much more. Do check out https://www.twitch.tv/nahamsec!
Attacking the SOP!
There are often ways that an attacker can use to manipulate cross-origin communication because of faulty implementation of one of the SOP relaxing techniques. (Refer Day-2 for Relaxing techniques!)
This faulty implementation of one of the SOP relaxing techniques, may can cause private information to be leaked and often leads to more vulnerabilities such as authentication bypass, account takeover and large data breaches.
I got quite a good result by researching ways of how the attacker can achieve this, Let's talk about some:
1.) XSS!
- XSS is full SOP bypass because attacker can run malicious script executed on the victim page, the script can access the page’s resources and data. For example: running alert(document.cookie), This will return all the cookies and also we can get this with the help of src vector!
2.) Exploiting CORS!
- Exploitable misconfigurations:
- When the site uses weak regex to validate origins. For example, have a look at this blog (Refer to CORS)!
- Another misconfiguration of CORS that can be exploited is setting allowed origins to NULL or
attacker.com
.
- Unexploitable misconfigurations:
- When custom headers are used for authentication, or when there are random, unguessable keys placed in the request or the URL.
3.) Exploiting postMessage:
When using postMessage, both the sender and the receiver of the message should verify the origin of the other side. Vulnerabilities happen when pages enforce poor origin check (weak regex, for example), or lack origin checks altogether.
To exploit this issue, an attacker can create a malicious HTML page that listens for events coming from the vulnerable page. The attacker can then trick victims into triggering the postMessage utilizing a malicious link or fake image and make the victim page send data to the attacker’s page. (Refer Medium blog 1 for more details)
Resources:
Medium blogs:
- https://medium.com/swlh/hacking-the-same-origin-policy-f9f49ad592fc (You need premium subs to read this blog).
- https://medium.com/@minosagap/same-origin-policy-and-ways-to-bypass-250effdc4a12
Hackerone Report: https://hackerone.com/reports/47495
Fedora bypassing SOP docs: SOP DOC
Mozilla web docs: Same-Origin Policy
Tool to Remove SOP issues: Proxrox (This tool removes same-origin policy issues that typically occur during development.)
Nahamsec's Interview with Ngalongc: YouTube
Contact:
Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)
Posted on June 19, 2020
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.