Title: Bypassing Mozilla Firefox Data URL blocking
Summary:
As data URLs were abused in the past for bypassing the Same-Origin Policy and for phishing attacks, they are restricted in newer versions of Mozilla Firefox. It is possible to bypass these restrictions.
Tested On:
Mozilla Firefox 64.0 (64-bit) on Windows 10
Mozilla Firefox 64.0.2 (32-bit) on Windows 10
Other versions may be affected.
Description:
We are not allowed to open a window whose location is a data URL with an executable type (text/html, image/svg+xml, etc.).
Here are examples:
This is allowed, as its type is plain text:
This is not allowed, as its type is executable (it could be used for bypassing the SOP or for phishing attacks):
Note: if you get this message, allow the page to open pop-up windows:
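As an added example (not part of the original report), here is a small JavaScript classifier that applies the rule just described: a data: URL is treated as allowed when its media type is plain text and as blocked when the type is one the browser would execute. The list of executable types beyond the two the report names (text/html, image/svg+xml) is an assumption.

```javascript
// Added example, not code from the original report: classify a data: URL the
// way the blocking policy described above does. Allowed when the payload is
// plain text, blocked when the media type is one the browser would execute or
// render as a document. Types beyond text/html and image/svg+xml are an
// assumption extending the report's two examples.
const EXECUTABLE_TYPES = new Set([
  "text/html",
  "image/svg+xml",
  "application/xhtml+xml",
  "text/xml",
  "application/xml",
]);

// Extract the media type of a data: URL per RFC 2397. A missing media type
// defaults to text/plain; parameters (";charset=...", ";base64") are ignored.
function dataUrlMediaType(url) {
  const m = /^data:([^,]*),/i.exec(url.trim());
  if (!m) return null;                        // not a data: URL
  let type = m[1].split(";")[0].trim().toLowerCase();
  if (type === "") type = "text/plain";       // RFC 2397 default
  return type;
}

// True when a window whose location is this URL would be blocked under the
// policy the report describes (executable type), false when it is allowed
// (plain text) or when the URL is not a data: URL at all.
function isBlockedDataUrl(url) {
  const type = dataUrlMediaType(url);
  if (type === null) return false;
  return EXECUTABLE_TYPES.has(type);
}
```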
There are two facts you should know:
1- We can't create a window whose location is an executable data URL, but we can create an iframe (or an embed element) whose location is an executable data URL.
2- If an iframe creates a blank window and writes to it by calling the document.write() function, the blank window inherits its location from the iframe (its parent).
We use these facts to bypass the limit:
1- We create an iframe whose location is an executable data URL.
2- The iframe creates a new blank window and writes the data to it.
3- Done! We now have an open window whose location is an executable data URL.
Here is an example showing how the limit can be bypassed:
This trick can be used for bypassing the SOP or for phishing attacks.
Proof of Concept:
I've used the mentioned bypass and provided a phishing exploit. Here is the code, written in JavaScript (you can open this file in your text editor to edit the code if you want):
1- We create an embed (or iframe) element and set its location to the data URL:
2- The embed element loads the data URL and executes the JavaScript code:
3- The JavaScript code creates a link element whose href is the trusted URL "https://bank.com/payments/login/":
and whose onclick event is set to call the OpenPhishingWindow() function, which avoids pop-up blocking and opens the new window for the phishing attack (using the bypass described above):
And:
Here is the link:
Click the link to open the phishing page. The opened page looks similar to this:
As many people don't know what data URLs are, attackers can use them to trick victims into believing the page is trusted and steal their information.
Expected Result:
The opened window should not inherit its location from the parent if that location is a data URL.
Observed Result:
The opened window inherits the data URL as its location from the parent, and this can be abused.