[AVTOKYO2015] THREAT OF DATA URL SCHEME THEY ARE STILL HERE

nishimu-lla-makko

(nishimunea + @llamakko_cafe)

THREAT OF DATA URL SCHEME

THEY ARE STILL HERE

nishimunea (cv: Muneaki Nishimura)

Weekend Bug Hunter

Lecturer of Security Camp 2014-2015

llamakko (@llamakko_cafe)

Apprentice Bug Hunter

Graduate of Security Camp 2014 (Web Security)

The "data" URL Scheme

RFC 2397 (1998)

data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAGQCAYAAACAvzbMAAAgAElEQVR4nOydZ3wUVRfGJ8mm103vvZfNplEURF5EUFHpSBNpihRRikpTQATpSE3oIEVUREEBaSpFR…

Loading a whole HTML document from a data: URL was

introduced by Netscape 4 (1997)

but it is practically useless,

except for exploits or as a makeshift notepad

[Figure: two data: URLs, one generated from google.com and one generated from evil.tld; which origin does each data: document get?]

RFC 2397 does not say what origin a browser

should assign to a document loaded from data:

HOW DOES IT REALLY WORK

ON EACH BROWSER?

AVTOKYO2015 Nov 14, 2015 1

The differences in

behavior of data: URL

among web browsers

Major browsers

Internet Explorer

IE cannot open data:text/html

In IE, data: URLs can be used only in the following

elements and attributes:

object

img

input type=image

link

CSS properties that accept a URL as a value

(e.g., background and background-image)

[Figure: Firefox and Chrome render the iframe below; IE does not]

<iframe src="data:text/html,test"></iframe>

Other web browsers

Firefox

In Firefox (at the time of this talk), a document loaded from a

data: URL inherits the origin of the document that loaded it,

e.g. via an iframe. (Firefox 57 later changed this: data: documents

now get a unique, opaque origin.)

A data: document opened with window.open() likewise inherits the

origin of its opener

DEMO

The behavior of data: URLs is sometimes completely different

from one browser to another

Such 'self-indulgent' (vendor-specific) implementations

can introduce vulnerabilities

and the behavior is often not documented in any published spec

data: URL is messy

Useless (but curious) behavior of

data: URLs

Browser: Firefox

data: URL can be used as

a bookmarklet

DEMO

Browser: Chrome, Safari (iOS)

The differences in MIME type

of data: URL

data:application/octet-stream,test

data:application/octet-strea,test

The same payload is handled differently from browser to browser

depending on the declared MIME type, including a well-formed but

unregistered type such as application/octet-strea (note the truncated subtype)
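To make the divergence concrete, here is an added example (written for this page, not code from the talk) that parses a data: URL exactly as RFC 2397 defines it: optional media type, optional parameters, optional ;base64 flag, then the payload. It also reports whether the declared type is syntactically well-formed, which is true of application/octet-strea even though no such type is registered, and flags the document types a browser will run script from when navigated to directly. The token regular expression and the short script-capable list are this example's own choices.

```javascript
// Added example: minimal RFC 2397 data: URL parser. Not code from the talk.
// Syntax: data:[<mediatype>][;base64],<data>
//   mediatype := [ type "/" subtype ] *( ";" parameter )
// If the type is omitted, text/plain;charset=US-ASCII is implied.

// RFC 2045 token characters, used to check that type/subtype is well-formed.
// Well-formed is not the same as registered: application/octet-strea passes.
const TYPE_RE = /^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/;

// Document types a browser executes script from when navigated to directly
// (this example's own short list, not exhaustive).
const SCRIPT_CAPABLE = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

// Percent-decode into raw octets without assuming UTF-8 (decodeURIComponent
// would throw on byte sequences that are not valid UTF-8).
function percentDecode(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s.slice(i + 1, i + 3);
    if (s[i] === "%" && /^[0-9a-f]{2}$/i.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(s.charCodeAt(i) & 0xff);
    }
  }
  return Buffer.from(out);
}

function parseDataUrl(url) {
  if (!/^data:/i.test(url)) throw new Error("not a data: URL");
  const comma = url.indexOf(",");
  if (comma === -1) throw new Error("missing ',' between metadata and data");

  const parts = url.slice(5, comma).split(";"); // [type/subtype, param, ...]
  const body = url.slice(comma + 1);

  let mimeType = "text/plain";
  let typeGiven = false;
  if (parts[0].trim() !== "") {
    mimeType = parts[0].trim().toLowerCase();
    typeGiven = true;
  }
  parts.shift();

  const params = {};
  let base64 = false;
  for (const p of parts) {
    if (p.trim().toLowerCase() === "base64") { base64 = true; continue; }
    const eq = p.indexOf("=");
    if (eq === -1) throw new Error(`malformed parameter: ${p}`);
    params[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim();
  }
  // Omitted type: RFC 2397 implies text/plain;charset=US-ASCII, but allows
  // the shorthand data:;charset=...,<data> that supplies its own charset.
  if (!typeGiven && !("charset" in params)) params.charset = "US-ASCII";

  const payload = base64 ? Buffer.from(body, "base64") : percentDecode(body);
  return {
    mimeType,
    params,
    base64,
    wellFormedType: TYPE_RE.test(mimeType),
    scriptCapable: SCRIPT_CAPABLE.has(mimeType),
    payload,
  };
}

// Usage: inspect the two URLs from the slides.
for (const u of ["data:application/octet-stream,test", "data:application/octet-strea,test"]) {
  const r = parseDataUrl(u);
  console.log(u, "->", r.mimeType, "well-formed:", r.wellFormedType, "script:", r.scriptCapable);
}
```

Everything after the parser is where browsers part ways: a parser like this hands back a syntactically fine but unknown type, and each engine then decides on its own whether to render, download or sniff the bytes.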

At the end

What's going on…

ABUSING DATA:

自重版 (toned-down edition)

Cross-site data leakage by blob:

(CVE-2015-6759) on Chrome

blob: URL

var text = "<h1>Hello</h1>";

var blob = new Blob([text], { type: "text/html" }); // in-memory HTML document

var url = URL.createObjectURL(blob); // blob:<origin of this document>/<uuid>

Origin in blob: URL can be 'null'

[Figure: blob: URLs generated from pages loaded via http:, data: and file:; the blob: URL created by the data: page carries the origin 'null']

blob: pages made by data:

could steal localStorage of file:

[Figure: from the internet, a blob: page created by a data: document reads localStorage belonging to file: pages]
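The slide above turns on one detail: a blob: URL created from a data: document carries the data: document's opaque origin, which serializes as the string "null" (so the URL reads blob:null/<uuid>), and file: URLs serialize to the same "null". The following added example (written for this page; it is neither the talk's code nor Chrome's, and it does not describe the actual root cause of CVE-2015-6759) models how the URL standard assigns an origin to http(s):, blob:, data: and file: URLs, and contrasts a same-origin check that compares origin serializations with one that treats every opaque origin as unique. The blob:null/... and file:///tmp/... URLs are constructed inputs.

```javascript
// Added example, not from the talk: origin assignment per the URL standard,
// and why same-origin must never be decided by comparing the string "null".

// Serialized origin of a URL.
function serializedOrigin(urlString) {
  const url = new URL(urlString);
  switch (url.protocol) {
    case "http:":
    case "https:":
    case "ws:":
    case "wss:":
      return url.origin; // tuple origin: scheme://host[:port]
    case "blob:": {
      // A blob: URL takes the origin of the URL embedded in its path.
      // For a blob created by a data: document that path starts with "null",
      // which is not a parseable URL, so the blob: URL is opaque too.
      let inner;
      try {
        inner = new URL(url.pathname);
      } catch {
        return "null";
      }
      return inner.protocol === "http:" || inner.protocol === "https:" ? inner.origin : "null";
    }
    default:
      // data:, file:, javascript:, about: ... all have opaque origins and
      // all serialize to the same string "null".
      return "null";
  }
}

// Wrong: two different opaque origins compare equal because both print "null".
function naiveSameOrigin(a, b) {
  return serializedOrigin(a) === serializedOrigin(b);
}

// Right: an opaque origin is unique and is same-origin with nothing, not even
// another opaque origin, so "null" never matches anything.
function isSameOrigin(a, b) {
  const sa = serializedOrigin(a);
  const sb = serializedOrigin(b);
  if (sa === "null" || sb === "null") return false;
  return sa === sb;
}

// Usage: the pairing from the slide, a blob: page made by data: versus file:.
const blobFromData = "blob:null/0ee0f2a4-8b6d-4a3f-9d2a-0c1e5f6a7b8c"; // constructed
const localFile = "file:///tmp/victim.html"; // constructed
console.log("naive:", naiveSameOrigin(blobFromData, localFile)); // true, unsafe
console.log("strict:", isSameOrigin(blobFromData, localFile)); // false
```

The lesson for anyone implementing an origin check, whether in a browser, a WebView shim or a proxy: keep origins as structured values and compare them structurally; the moment "null" is compared as text, every data:, file: and sandboxed page collapses into one origin.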

CENSORED

The threat of data: (may) repeat itself

We ought to reconsider whether

documents loaded from data: are really needed