Backchannel Leaks on Strict Content-Security Policy

- 3 mins

Abstract

Content-Security Policy (CSP) is one of the most vital protection layers in client-side web security. A strict policy should not allow external communications to non-permitted hosts. This blog post demonstrates a bypass I found in Chrome and Firefox that permits backchannel communication leaks by requesting non-permitted domains.

Background

I recently had a discussion on how CSP can secure web-applications against backchannel leaks. The concept sounded reasonable from the first sight; CSP is designed to block unauthorized content from loading, which generically blocks XSS attacks, unsafe loading of remote JavaScript (and various resources and contents) from unauthorized origins.

This discussion led me to conduct research on methods for issuing backchannel communications with non-permitted hosts.

Research

The first step for the research is to set up the testing bed. I prepared an application with a strict Content-Security Policy. The policy is:

Content-Security-Policy: default-src 'self'

This should block all requests (outbound connections) from unauthorized origins and hosts.

The tests were focused on the latest versions of Chrome and Firefox as of January 18th, 2019. Chrome: v72.0 Firefox: v64.0

Result

Chrome

Chrome has an interesting bypass that does not follow the CSP policy by utilizing the “link prerendering”.

The following payload leaks an HTTP request from the client’s agent.

<link rel="prerender" href="https://mazinahmed.net/" />

This loads resources within a URL in the background. It appears that Chrome is not enforcing CSP on the link prerendering process.

Firefox

Firefox is much better in protecting against backchannel communication leaks. However, after further testing, I have found that this payload bypasses this protection:

<meta http-equiv="refresh" content="1; url=https://mazinahmed.net">

Redirection using the Meta tag is possible on CSP, and it can not be blocked. Therefore, I can redirect users to other sites without the involvement of JavaScript and typical active content. It’s also working on Chrome. Once a client is redirected, we will receive a connection back to our server.

Update: Safari is vulnerable too to the Meta refresh vector.

Conclusion

While having CSP to fundamentally protect against backchannel communication leaks sounds generally true, it appears that the CSP implementation on browsers does not provide this sort of protection. The bypasses I stated on the post is currently working against the latest versions of modern browsers.

Final Thoughts

These payloads can be good for testing and exploiting vulnerabilities that rely on OOB (out-of-band) requests, such as blind XSS, in a scenario where Content-Security Policy is blocking outbound requests to untrusted hosts.

Mazin Ahmed

Mazin Ahmed

Thoughts of a hacker

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora