Backchannel Leaks on Strict Content-Security Policy- 3 mins
Content-Security Policy (CSP) is one of the most vital protection layers in client-side web security. A strict policy should not allow external communications to non-permitted hosts. This blog post demonstrates a bypass I found in Chrome and Firefox that permits backchannel communication leaks by requesting non-permitted domains.
This discussion led me to conduct research on methods for issuing backchannel communications with non-permitted hosts.
The first step for the research is to set up the testing bed. I prepared an application with a strict Content-Security Policy. The policy is:
Content-Security-Policy: default-src 'self'
This should block all requests (outbound connections) from unauthorized origins and hosts.
The tests were focused on the latest versions of Chrome and Firefox as of January 18th, 2019. Chrome: v72.0 Firefox: v64.0
Chrome has an interesting bypass that does not follow the CSP policy by utilizing the “link prerendering”.
The following payload leaks an HTTP request from the client’s agent.
<link rel="prerender" href="https://mazinahmed.net/" />
This loads resources within a URL in the background. It appears that Chrome is not enforcing CSP on the link prerendering process.
Firefox is much better in protecting against backchannel communication leaks. However, after further testing, I have found that this payload bypasses this protection:
<meta http-equiv="refresh" content="1; url=https://mazinahmed.net">
Update: Safari is vulnerable too to the Meta refresh vector.
While having CSP to fundamentally protect against backchannel communication leaks sounds generally true, it appears that the CSP implementation on browsers does not provide this sort of protection. The bypasses I stated on the post is currently working against the latest versions of modern browsers.
These payloads can be good for testing and exploiting vulnerabilities that rely on OOB (out-of-band) requests, such as blind XSS, in a scenario where Content-Security Policy is blocking outbound requests to untrusted hosts.