bug-librejs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-librejs] LibreJS corner cases / blacklist bypasses

From: Niels Warnars
Subject: [Bug-librejs] LibreJS corner cases / blacklist bypasses
Date: Fri, 14 Jun 2019 11:42:17 +0200
`ResponseTextFilter.canProcess` is determined in an insecure way and can be influenced in at least three different ways.
Because the value of `ResponseTextFilter.canProcess` can result in returning `ResponseProcessor.ACCEPT`, this can result in a blacklist bypass.

LibreJS is not security focused and is only a small Firefox extension, so addressing these corner cases is probably not that important, but I still want to share my observations.

----

# Bypass 1 - 3xx response without redirect
## Affected code
ResponseProcessor.js - Line 68
https://github.com/librejs/librejs/blob/525e3a562348813ca11a135cbc640825579af709/bg/ResponseProcessor.js#L68

## Bypass Description
A web server can serve an http response with a forged HTTP status code >= 300 and < 400, which results in a bypass.
If Firefox encounters an http response with status code 3xx and without `Location` header, Firefox will just load the responses html code.

----

# Bypass 2 - `Content-Disposition: inline` header
## Affected code
ResponseProcessor.js - Line 69
https://github.com/librejs/librejs/blob/525e3a562348813ca11a135cbc640825579af709/bg/ResponseProcessor.js#L69

## Bug
First of all, this line contains a bug that prevents the check from ever functioning correctly:
- `!md.disposition` should be `!md.contentDisposition`, because `ResponseMetaData.constructor()` can only set the values `ResponseMetaData.contentDisposition` and `ResponseMetaData.contentType`.

## Bypass Description
A web server can serve a response with a `Content-Disposition: inline` header and html code as body, which results in a bypass.

----

# Bypass 3 - Lack of (or altered) `Content-Type` header
## Affected code
ResponseProcessor.js - Line 70
https://github.com/librejs/librejs/blob/525e3a562348813ca11a135cbc640825579af709/bg/ResponseProcessor.js#L70

## Bypass Description
Firefox can load html code without a `Content-Type: text/html` header. A web server can serve a response without `Content-Type` header, which results in a bypass.
Using a `Content-Type` header with empty value also works. (Other variants may exist.)

----

# POC
The three blacklist bypasses are implemented as a Flask web server in the attached `server.py` file.
NOTE 1: Before testing the corner cases, the site `http://localhost:8080/` has to be blacklisted.
NOTE 2: For bypass 2, it is required to use a version of LibreJS in which the `!md.disposition` bug is fixed.

Attachment: server.py.txt
Description: Text document

reply via email to
[Prev in Thread] Current Thread [Next in Thread]