DEV Community

FENIL SHAH

Day-3: Bypassing the SOP!💣

Day-3: Yesterday I looked at and researched what the SOP actually is and what it actually does. Today I looked at all the attack vectors for the SOP and also watched Nahamsec's interview with Ngalongc! Nahamsec is one of the famous hackers who frequently makes YouTube videos as well as going live on Twitch doing live hacking, interviews and much more. Do check out https://www.twitch.tv/nahamsec!

Attacking the SOP!

  • There are often ways an attacker can manipulate cross-origin communication because of a faulty implementation of one of the SOP relaxing techniques. (Refer to Day-2 for the relaxing techniques!)

  • Such a faulty implementation of a relaxing technique can cause private information to be leaked and often leads to more serious vulnerabilities such as authentication bypass, account takeover and large data breaches.

  • I got quite a good result by researching the ways an attacker can achieve this. Let's talk about some of them:

1.) XSS!

  • XSS is a full SOP bypass: because the attacker's malicious script executes on the victim page, it runs within that page's origin and can access the page's resources and data. For example, running alert(document.cookie) returns all the cookies that script can read, and the same data can also be obtained with the help of a src vector!

2.) Exploiting CORS!

  • Exploitable misconfigurations:
    • When the site uses a weak regex to validate origins, for example one that is not anchored or does not escape its dots, so that an attacker-controlled origin also matches. For an example, have a look at this blog (refer to CORS)!
    • Another exploitable misconfiguration is allowing the null origin or reflecting an arbitrary origin such as attacker.com in Access-Control-Allow-Origin.
  • Unexploitable misconfigurations:
    • When custom headers are used for authentication, or when random, unguessable keys are placed in the request or the URL. The attacker's page cannot supply these, because the browser does not attach them automatically the way it attaches cookies.

3.) Exploiting postMessage:

  • When using postMessage, both the sender and the receiver of a message should verify the origin of the other side: the sender by passing an explicit targetOrigin and the receiver by checking event.origin. Vulnerabilities happen when pages enforce a poor origin check (a weak regex, for example) or lack origin checks altogether.

  • To exploit this issue, an attacker can create a malicious HTML page that listens for messages coming from the vulnerable page. The attacker can then trick the victim into triggering the postMessage by using a malicious link or fake image and make the victim page send its data to the attacker's page. (Refer to Medium blog 1 for more details.)
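As an added example (not code from the original post), here is the CORS origin check discussed above in its weak regex form next to a strict allowlist, with the same allowlist reused as a postMessage receiver's origin check. The origin values and the header-building helper are constructed for illustration and run under Node.js.

```javascript
// Added example, not code from the original post: a weak CORS origin check
// next to a strict allowlist, reused for a postMessage listener. Runs under
// Node.js; the origins below are constructed for illustration.

// Weak check 1: anchored only at the start, so any origin that merely begins
// with the trusted value is accepted (e.g. https://app.example.com.attacker.test).
const WEAK_PREFIX_RE = /^https:\/\/app\.example\.com/;

// Weak check 2: the subdomain is a free wildcard and the dot before "com" is
// unescaped, so https://evilexample.com also matches.
const WEAK_SUBDOMAIN_RE = /^https:\/\/.*example.com$/;

function weakAllowOrigin(origin) {
  return WEAK_PREFIX_RE.test(origin) || WEAK_SUBDOMAIN_RE.test(origin) ? origin : null;
}

// Weak check 3: reflecting whatever Origin arrives, including the literal "null"
// that sandboxed iframes and some redirects send.
function reflectOrigin(origin) {
  return origin;
}

// Hardened: exact match against a small set of full origins (scheme + host +
// port). "null" is never trusted and nothing is reflected.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

function strictAllowOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// CORS response headers for a credentialed endpoint. The allow function is a
// parameter so the weak and strict variants can be compared side by side.
function corsHeaders(origin, allow = strictAllowOrigin) {
  const headers = { Vary: "Origin" }; // caches must key on the Origin header
  const allowed = allow(origin);
  if (allowed !== null) {
    headers["Access-Control-Allow-Origin"] = allowed;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// The same allowlist protects a postMessage receiver: ignore any message whose
// event.origin is not an exact allowlisted match before touching event.data.
function handleMessage(event) {
  return strictAllowOrigin(event.origin) === null ? null : event.data;
}
```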


Resources:

Medium blogs:

HackerOne Report: https://hackerone.com/reports/47495
Fedora bypassing SOP docs: SOP DOC
Mozilla web docs: Same-Origin Policy
Tool to Remove SOP issues: Proxrox (This tool removes same-origin policy issues that typically occur during development.)
Nahamsec's Interview with Ngalongc: YouTube

Contact:

Got doubts? Contact me on Twitter.
Feedback is welcome, do comment down below! :)
