Comments (8)
spielzeugland
commented on July 22, 2024
1
@adob I tried your sample and it works. Can you explain why it is working? I am wondering why it is possible at all that a "bad" parent frame can manipulate the content of child frame coming from a different origin. Is that because of the Access-Control-Allow-Origin: * header on the iFrame's content?
from jailed.
Venryx
commented on July 22, 2024
1
I'm not sure, but I think @spielzeugland's guess above is correct, that the only reason this exploit works is that the access-control-allow-origin header is set to * on both the jailed demo page main html document, as well as the frame within that demo page.
Access header for demo page itself: (seen in dev-tools, after directly opening: https://asvd.github.io/jailed/demos/web/console)
Access header for the frame within that demo page:
Thus, I believe this exploit is not usable in the wild, since normal websites do not have the access-control-allow-origin header set to *.
(Though correct me if wrong, of course.)
from jailed.
asvd
commented on July 22, 2024
Thanks for the point!
The sandbox itself seems to remain secure, i.e. the "untrusted code" (in this case, entered by a user into the console) still cannot affect the main application and reach its data. Right?
Securing the messaging between application and plugin has never been the point of Jailed, though you are right that this concern is a good thing to improve.
from jailed.
adob
commented on July 22, 2024
From the developer's perspective, the issue is that it is not safe to pass
user data to the sandbox because it may be intercepted by a third party.
Suppose the application evaluates some JS and that data contains
information about the currently logged in user. This vulnerability would
allow an attacker to capture that information, hence creating a info leak
vulnerability in that application.
It's not as serious as full sandbox bypass, but still serious.
…On Jun 26, 2017 5:04 PM, "asvd" ***@***.***> wrote:
Thanks for the point!
The sandbox itself seems to remain secure, i.e. the "untrusted code" (in
this case, entered by a user into the console) still cannot affect the main
application and reach its data. Right?
Securing the messaging between application and plugin has never been the
point of Jailed, though you are right that this concern is a good thing to
improve.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#43 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAlEfn22FgDI1UowImZcKqnoJ4ILoib1ks5sIEcmgaJpZM4OF9y1>
.
from jailed.
asvd
commented on July 22, 2024
Sure, you are right. Therefore the issue remains open until fixed.
from jailed.
justinwiley
commented on July 22, 2024
@adob @asvd Can you elaborate on the exact vulnerability here?
Is this attack only possible if the jailed page is run from within another malicious iframe? Would a X-Frame-Options: SAMEORIGIN header prevent this?
from jailed.
adob
commented on July 22, 2024
The vulnerability would be information disclosure. If you use this sandbox
on your site and send non-public data to it, you would have a information
disclosure vulnerability on your site because the data could be captured by
a third party.
The X-Frame-Options setting is not sufficient. The attacker can use
window.open() to open the page in new window, thereby bypassing the framing
restriction. The attacker might need the user to click something on their
page to bypass the pop-up blocker, so that is an added roadblock but not a
big one.
…On Aug 10, 2017 8:34 AM, "Justin Tyler Wiley" ***@***.***> wrote:
@adob <https://github.com/adob> @asvd <https://github.com/asvd> Can you
elaborate on the exact vulnerability here?
Is this attack only possible if the jailed page is run from within another
malicious iframe? Would a X-Frame-Options: SAMEORIGIN header prevent this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAlEftGf7uKEW_HAK-OqeWvzgI0T7Gsvks5sWyLtgaJpZM4OF9y1>
.
from jailed.
subversivo58
commented on July 22, 2024
Would not the correct use of CSP solve the presented problem?
from jailed.
Related Issues (20)
- unable to find application object
- Dom manipulation in jailed HOT 1
- Write code without application.remote HOT 2
- Just tried the base example - Getting permission issue HOT 5
- Why is the Web Worker inside an iframe? HOT 4
- Exposing values from the app to the jailed worker. HOT 1
- Best way to pass large data set into jailed script (browser)?
- Cannot read property 'whenEmitted' of undefined
- Add setting for "fallback to iframe jailing only" functionality, and timeout value
- Improve Jail Isolation via Content-Security-Policy HOT 1
- CVE-2022-23923 HOT 2
- Pass values to jailed code HOT 2
- Passing interface with sub functions not working
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jailed.