nishimu-lla-makko

1. nishimu-lla-makko
(nishimunea + @llamakko_cafe)
THREAT OF DATA URL SCHEME
THEY ARE STILL HERE

2. nishimunea (cv: Muneaki Nishimura)
Weekend Bug Hunter
Lecturer of Security Camp 2014-2015

3. llamakko (@llamakko_cafe)
Apprentice Bug Hunter
Graduate of Security Camp 2014 (Web Security)

4. The "data" URL Scheme
RFC 2397 (1998)

5. data:image/png;base64,
iVBORw0KGgoAAAANS
UhEUgAAAZAAAAGQCA
YAAACAvzbMAAAgAElE
QVR4nOydZ3wUVRfGJ8
mm103vvZfNplEURF5E
UFHpSBNpihRRikpTQAT
pSE3oIEVUREEBaSpFR…

6. HTML document with data: was
introduced by Netscape 4 (1997)

7. But completely useless
except for exploit or notepad

8. google.com
Generate
Generate
evil.tld
data:
data:
RFC doesn't mention how a browser
should set the origin of data:

9. HOW DOES IT REALLY WORK
ON EACH BROWSER?

10. AVTOKYO2015Nov 14, 2015 1
The differences in
behavior of data: URL
among web browsers
The differences in
behavior of data: URL
among web browsers

11. Major browsersMajor browsers
AVTOKYO2015Nov 14, 2015 2

12. Internet ExplorerInternet Explorer
AVTOKYO2015Nov 14, 2015 3

13. IE cannot open data:text/html
AVTOKYO2015Nov 14, 2015 4

14. The data: URLs can be used only for following
elements and attributes
 object
 img
 input type=image
 link
 CSS properties that accept URL as a value
(e.g., background, background-image and etc.)
AVTOKYO2015Nov 14, 2015 5
IE cannot open data:text/html

15. ↑ Firefox ↑ Chrome
<iframe src=”data:text/html,test”></iframe>
AVTOKYO2015Nov 14, 2015 6
Other web browsers

16. FirefoxFirefox
AVTOKYO2015Nov 14, 2015 7

17.  In Firefox, content from data: URLs inherits the
origin from the document that loaded the URL in
an iframe and etc.
AVTOKYO2015Nov 14, 2015 8
Inherits the origin from the opener

18. AVTOKYO2015Nov 14, 2015 9
DEMODEMO

19.  Its behavior is sometimes completely different
among browsers
 Potential vulnerabilities introduced by such
'self-indulgent' implementations
 Corresponding spec is often not disclosed
AVTOKYO2015Nov 14, 2015 12
data: URL is messy

20. Unuseful behavior of
data: URLs
Unuseful behavior of
data: URLs
AVTOKYO2015Nov 14, 2015 13

21. Browser: Firefox
AVTOKYO2015Nov 14, 2015 14
data: URL can be used as
a bookmarklet
data: URL can be used as
a bookmarklet

22. AVTOKYO2015Nov 14, 2015 15
DEMODEMO

23. Browser: Chrome, Safari (iOS)
AVTOKYO2015Nov 14, 2015 16
The differences in MIME type
of data: URL
The differences in MIME type
of data: URL

24. The differences in MIME type of
data: URL
data:application/octet-stream,test
AVTOKYO2015Nov 14, 2015 17

25. The differences in MIME type of
data: URL
data:application/octet-stream,test
AVTOKYO2015Nov 14, 2015 18
data:application/octet-strea,test

26. The differences in MIME type of
data: URL
AVTOKYO2015Nov 14, 2015 19

27. AVTOKYO2015
At the end
Nov 14, 2015 20
At the end

28. AVTOKYO2015Nov 14, 2015 21
What's going on…

29. ABUSING DATA:
自重版 (Prudence Edition)

30. Cross-site data leakage by blob:
(CVE-2015-6759) on Chrome

31. blob: URL
var text = "<h1>Hello</h1>"
var blob = new Blob([text], {type : 'text/html'});
var url = URL.createObjectURL(blob);

34. Origin in blob: URL can be 'null'

35. Origin in blob: URL can be 'null'
http:
Generate
data: blob:
Generate

36. Origin in blob: URL can be 'null'
http:
Generate
data: blob:
Generate
file:
Generate
blob:

37. blob: pages made by data:
could steal localStorage of file:
http:
Generate
data: blob:
Generate
file:
localStorage
Steal from the internet

38. CENSORED

39. CENSORED

40. CENSORED

41. CENSORED

42. CENSORED

43. CENSORED

44. CENSORED

45. Threat of data: (may) repeats itself
We ought to reconsider
documents with data: are really demanded