
Bypass using object with no contentWindow #96

Closed
mmndaniel opened this issue Jun 15, 2023 · 11 comments
Labels
vulnerability Introduces snow bypass

Comments

@mmndaniel
Contributor

```javascript
// Bypass PoC as reported: setting data gives the <object> a fresh about:blank
// realm that snow's load-listener-based hooking never sees.
var obj = document.createElement('object');
Object.defineProperty(obj, 'contentWindow', { value: null }); // shadows contentWindow on the instance
document.body.appendChild(obj);
obj.data = '/';
obj.contentDocument.defaultView.alert(1); // reaches the new realm's unhooked alert
```

Basically works around chromium_bug_workaround.js :) should be easy to fix using this

@mmndaniel
Contributor Author

mmndaniel commented Jun 15, 2023

turns out it even works without `Object.defineProperty(obj, 'contentWindow', { value: null });` (which makes sense, there's no contentWindow before the `obj.data = '/';`)!

@weizman
Member

weizman commented Jun 15, 2023

yea this doesn't seem to be a chromium_bug_workaround.js problem even, there's just something off with reloading an already attached object to the same origin.. not sure why...

@weizman
Member

weizman commented Jun 15, 2023

I'd expect the load listener to fire but with object it doesn't for some reason

@mmndaniel
Contributor Author

Seems like this is the same root cause?

```javascript
// Same root cause via <embed>: the element is inserted through innerHTML, its
// src is set later, and frames[0] then exposes a realm snow has not hooked.
var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML = `<embed id="tst"></embed>`;
setTimeout(() => {
  tst.src = 'about:blank'; // `tst` resolves through the window's named-element property
  setTimeout(() => frames[0].alert(1), 100);
}, 100);
```

@weizman
Member

weizman commented Jun 18, 2023

does this work for you on https://lavamoat.github.io/snow/demo/? @mmndaniel

@weizman
Member

weizman commented Jun 18, 2023

researching #96 (comment) more i learned something sad about objects.
They behave differently than iframes: changing their data prop resets the window to an about:blank window synchronously. If the prop was reset to a "legit" url, the listener will fire afterwards, but that doesn't change the fact that this object resets synchronously to an about:blank window every time the data prop is being set and its load event does not fire..
can't think of a solution other than hooking into attributes setting which is something i really don't want to get into...
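One way to implement the "hook into attribute setting" idea described in the comment above, as an added example that is neither code from this thread nor snow's own implementation. `installObjectDataGuard`, `makeFakeObjectProto`, the `onRealm` callback and the fake realm objects are all constructed here; in a browser the prototype argument would be `HTMLObjectElement.prototype`.

```javascript
// Wraps the `data` accessor and setAttribute on a prototype so a callback sees
// the freshly reset realm synchronously, because (per the thread) the object's
// load event never fires for that about:blank window.
function installObjectDataGuard(proto, onRealm) {
  const dataDesc = Object.getOwnPropertyDescriptor(proto, 'data');
  const nativeSetAttribute = proto.setAttribute;
  if (!dataDesc || typeof dataDesc.set !== 'function' || typeof nativeSetAttribute !== 'function') {
    throw new TypeError('prototype lacks a data setter or setAttribute');
  }
  const report = (el) => {
    // The bypass reached the new realm via contentDocument.defaultView, so try that first.
    const doc = el.contentDocument;
    const win = (doc && doc.defaultView) || el.contentWindow || null;
    if (win) onRealm(win, el);
  };
  Object.defineProperty(proto, 'data', {
    configurable: true, enumerable: dataDesc.enumerable, get: dataDesc.get,
    set(value) {
      dataDesc.set.call(this, value); // native setter resets the realm synchronously
      report(this);                   // hook it before the caller regains control
    },
  });
  Object.defineProperty(proto, 'setAttribute', {
    configurable: true, writable: true, enumerable: false,
    value(name, value) {
      const result = nativeSetAttribute.call(this, name, value);
      if (String(name).toLowerCase() === 'data') report(this);
      return result;
    },
  });
  return { data: dataDesc, setAttribute: nativeSetAttribute }; // originals, for uninstall
}

// Constructed stand-in for HTMLObjectElement so the guard can run outside a
// browser: setting data synchronously swaps in a fresh fake "window".
function makeFakeObjectProto() {
  const proto = {
    _reset(v) { this._data = v; this.contentDocument = { defaultView: { id: 'realm:' + v } }; },
    setAttribute(name, value) { if (name === 'data') this._reset(value); },
  };
  Object.defineProperty(proto, 'data', {
    configurable: true, enumerable: true,
    get() { return this._data; },
    set(v) { this._reset(v); },
  });
  return proto;
}
```

Only the `data` property and `setAttribute('data', …)` paths are covered; markup paths such as the `innerHTML` plus `<embed src>` variant in the thread would need the same treatment, which is part of why the approach is unattractive.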

@mmndaniel
Contributor Author

Well, one (risky, non-performant, buggy) hack I can think of is to use mutation events, but that's really not a good idea (they are deprecated for good reasons).

@weizman
Member

weizman commented Jun 19, 2023

Are they synchronous? Because if not they are no help unfortunately

@mmndaniel
Contributor Author

yes they are, they are really terrible

@weizman
Member

weizman commented Jun 20, 2023

yea I'm starting to recall these... I'd like to avoid that if possible :(

@weizman weizman added the vulnerability Introduces snow bypass label Jun 22, 2023
@weizman
Member

weizman commented Jul 17, 2023

not scared of objects/embeds anymore thanks to #118

@weizman weizman closed this as completed Jul 17, 2023