From 647ed322c6979e98631c4440836eb6619bb4c28d Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Tue, 23 Apr 2024 18:45:26 +0100 Subject: [PATCH 01/11] Update navigations.md --- content/docs/attacks/navigations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index 5d31f42d5..92b657c4f 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md @@ -71,6 +71,8 @@ The following snippet can be used to detect whether such a navigation has occurr var url = 'https://example.org/'; // Create an outer iframe to measure onload event var iframe = document.createElement('iframe'); +// Don't actually download the file to be stealthy +iframe.sandbox = 'allow-scripts allow-same-origin'; document.body.appendChild(iframe); // Create an inner iframe to test for the download attempt iframe.srcdoc = `<iframe src="${url}" ></iframe>`; From a4361b0235ff191d1f1c900b09f73edd405b2e74 Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Tue, 23 Apr 2024 21:12:06 +0100 Subject: [PATCH 02/11] Add top level version --- content/docs/attacks/navigations.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index 92b657c4f..13532292d 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md 
@@ -60,7 +60,7 @@ setTimeout(() => { This attack is only possible in Chromium-based browsers with automatic downloads enabled. In addition, the attack can't be repeated since the user needs to close the download bar for it to be measurable again. {{< /hint >}} -### Download Navigation (with iframes) +### Download Navigation (without Lax cookies) Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection) @@ -96,15 +96,22 @@ When there is no navigation inside an `iframe` caused by a download attempt, the This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), because the `X-Frame-Options` and `Content-Security-Policy` headers are ignored if `Content-Disposition: attachment` is specified. {{< /hint >}} -### Download Navigation (without iframes) +### Download Navigation (with Lax cookies) A variation of the technique presented in the previous section can also be effectively tested using `window` objects: ```javascript // Set the destination URL var url = 'https://example.org'; + +// Don't actually download the file to be stealthy +var iframe = document.createElement('iframe'); +iframe.sandbox = 'allow-scripts allow-same-origin allow-popups'; +document.body.appendChild(iframe); +openSandboxed = iframe.contentWindow.open; + // Get a window reference -var win = window.open(url); +var win = window.openSandboxed(url); // Wait for the window to load. setTimeout(() => { From 74307cf23437666df6db40d8a6a5002069ccfe28 Mon Sep 17 00:00:00 2001 
From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Tue, 23 Apr 2024 21:22:29 +0100 Subject: [PATCH 03/11] Use var like other places --- content/docs/attacks/navigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index 86968e2d0..cd71dce63 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md @@ -83,7 +83,7 @@ var url = 'https://example.org'; var iframe = document.createElement('iframe'); iframe.sandbox = 'allow-scripts allow-same-origin allow-popups'; document.body.appendChild(iframe); -openSandboxed = iframe.contentWindow.open; +var openSandboxed = iframe.contentWindow.open; // Get a window reference var win = window.openSandboxed(url); From 4729c6bfd5f6ce5b1f497d298995d64ac0c3e979 Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Wed, 24 Apr 2024 00:10:04 +0100 Subject: [PATCH 04/11] Add comment instead of more code --- content/docs/attacks/navigations.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index cd71dce63..01cc7fd3f 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md 
@@ -35,7 +35,7 @@ To detect if any kind of navigation occurred, an attacker can: When an endpoint sets the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, it instructs the browser to download the response as an attachment instead of navigating to it. Detecting if this behavior occurred might allow attackers to leak private information if the outcome depends on the state of the victim's account. -### Download Navigation (without Lax cookies) +### Download Navigation (with iframes) Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection) @@ -47,7 +47,8 @@ var url = 'https://example.org/'; // Create an outer iframe to measure onload event var iframe = document.createElement('iframe'); // Don't actually download the file to be stealthy -iframe.sandbox = 'allow-scripts allow-same-origin'; +// Using window.open from this sandbox will also not download the file. +iframe.sandbox = 'allow-scripts allow-same-origin allow-popups'; document.body.appendChild(iframe); // Create an inner iframe to test for the download attempt iframe.srcdoc = `<iframe src="${url}" ></iframe>`; @@ -71,7 +72,7 @@ When there is no navigation inside an `iframe` caused by a download attempt, the This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), because the `X-Frame-Options` and `Content-Security-Policy` headers are ignored if `Content-Disposition: attachment` is specified. {{< /hint >}} -### Download Navigation (with Lax cookies) +### Download Navigation (without iframes) A variation of the technique presented in the previous section can also be effectively tested using `window` objects: 
@@ -79,14 +80,8 @@ A variation of the technique presented in the previous section can also be effec // Set the destination URL var url = 'https://example.org'; -// Don't actually download the file to be stealthy -var iframe = document.createElement('iframe'); -iframe.sandbox = 'allow-scripts allow-same-origin allow-popups'; -document.body.appendChild(iframe); -var openSandboxed = iframe.contentWindow.open; - // Get a window reference -var win = window.openSandboxed(url); +var win = window.open(url); // Wait for the window to load. setTimeout(() => { From 087ac506a5c511bb4db6e3bd1236e651a58a095e Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Wed, 24 Apr 2024 00:11:12 +0100 Subject: [PATCH 05/11] Update navigations.md --- content/docs/attacks/navigations.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index 01cc7fd3f..517d3ad63 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md @@ -79,7 +79,6 @@ A variation of the technique presented in the previous section can also be effec ```javascript // Set the destination URL var url = 'https://example.org'; - // Get a window reference var win = window.open(url); From 9feefdad4edc2e85d35da1878544f213659f8219 Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Wed, 1 May 2024 16:48:32 +0100 Subject: [PATCH 06/11] Update navigations.md --- content/docs/attacks/navigations.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index 517d3ad63..19bb45cbf 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md 
@@ -35,7 +35,7 @@ To detect if any kind of navigation occurred, an attacker can: When an endpoint sets the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, it instructs the browser to download the response as an attachment instead of navigating to it. Detecting if this behavior occurred might allow attackers to leak private information if the outcome depends on the state of the victim's account. -### Download Navigation (with iframes) +### Download Navigation (without Lax cookies) Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection) @@ -47,7 +47,6 @@ var url = 'https://example.org/'; // Create an outer iframe to measure onload event var iframe = document.createElement('iframe'); // Don't actually download the file to be stealthy -// Using window.open from this sandbox will also not download the file. iframe.sandbox = 'allow-scripts allow-same-origin allow-popups'; document.body.appendChild(iframe); // Create an inner iframe to test for the download attempt 
@@ -72,15 +71,21 @@ When there is no navigation inside an `iframe` caused by a download attempt, the This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), because the `X-Frame-Options` and `Content-Security-Policy` headers are ignored if `Content-Disposition: attachment` is specified. {{< /hint >}} -### Download Navigation (without iframes) +### Download Navigation (with Lax cookies) A variation of the technique presented in the previous section can also be effectively tested using `window` objects: ```javascript // Set the destination URL var url = 'https://example.org'; + +// Don't actually download the file to be stealthy +var iframe = document.createElement('iframe'); +iframe.sandbox = 'allow-scripts allow-same-origin allow-popups'; +document.body.appendChild(iframe); + // Get a window reference -var win = window.open(url); +var win = iframe.contentWindow.open(url); // Wait for the window to load. setTimeout(() => { From 489b4491e56a1570eef12b2cd98d6ec4118550b5 Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Wed, 1 May 2024 17:13:33 +0100 Subject: [PATCH 07/11] Revert head --- content/docs/attacks/navigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index 19bb45cbf..b53b2d7af 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md 
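Review bot: The new `var win = iframe.contentWindow.open(url);` relies on two sandbox details the comment `// Don't actually download the file to be stealthy` does not state: `allow-same-origin` is what lets the parent call `contentWindow.open` at all (a cross-origin Window exposes no `open`), and because `allow-popups-to-escape-sandbox` is omitted the popup inherits the frame's sandbox, which together with the missing `allow-downloads` token is presumably what suppresses the download. I would make that explicit, e.g. `// allow-same-origin lets this page call contentWindow.open; without allow-downloads / allow-popups-to-escape-sandbox the popup inherits the sandbox, so an attachment response is blocked rather than shown`. The `setTimeout` callback that inspects `win` continues outside this hunk; it now receives a sandboxed window rather than the result of a plain `window.open`, so whatever it reads from `win` should be re-checked under those flags.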
@@ -35,7 +35,7 @@ To detect if any kind of navigation occurred, an attacker can: When an endpoint sets the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, it instructs the browser to download the response as an attachment instead of navigating to it. Detecting if this behavior occurred might allow attackers to leak private information if the outcome depends on the state of the victim's account. -### Download Navigation (without Lax cookies) +### Download Navigation (with iframes) Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection) @@ -71,7 +71,7 @@ When there is no navigation inside an `iframe` caused by a download attempt, the This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), because the `X-Frame-Options` and `Content-Security-Policy` headers are ignored if `Content-Disposition: attachment` is specified. {{< /hint >}} -### Download Navigation (with Lax cookies) +### Download Navigation (without iframes) A variation of the technique presented in the previous section can also be effectively tested using `window` objects: From e3542837f93951df27d033d962370ea30b8bc910 Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Wed, 1 May 2024 17:21:48 +0100 Subject: [PATCH 08/11] Update navigations.md --- content/docs/attacks/navigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index b53b2d7af..eff7d371d 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md 
@@ -73,7 +73,7 @@ This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), be ### Download Navigation (without iframes) -A variation of the technique presented in the previous section can also be effectively tested using `window` objects: +A variation of the technique presented in the previous section can also be effectively tested using `window` objects, this also uses a sandboxed iframe to prevent a visable file download: ```javascript // Set the destination URL From 5d3fa0790e31d2755446663cdddf53e1b7d757f6 Mon Sep 17 00:00:00 2001 From: NDevTK <31563761+NDevTK@users.noreply.github.com> Date: Wed, 1 May 2024 17:33:18 +0100 Subject: [PATCH 09/11] And prompt + fix spelling --- content/docs/attacks/navigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index eff7d371d..f44feb666 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md @@ -73,7 +73,7 @@ This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), be ### Download Navigation (without iframes) -A variation of the technique presented in the previous section can also be effectively tested using `window` objects, this also uses a sandboxed iframe to prevent a visable file download: +A variation of the technique presented in the previous section can also be effectively tested using `window` objects, this also uses a sandboxed iframe to prevent a visible file download or prompt: ```javascript // Set the destination URL From e297fba6d5d1defe433f75e09c4928d5672464da Mon Sep 17 00:00:00 2001 From: terjanq <terjanq@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:24:04 +0200 Subject: [PATCH 10/11] Update navigations.md --- content/docs/attacks/navigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index f44feb666..099821403 100644 
--- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md @@ -39,7 +39,7 @@ When an endpoint sets the [`Content-Disposition: attachment`](https://developer. Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection) -The following snippet can be used to detect whether such a navigation has occurred and therefore detect a download attempt: +In the snippet below , we've added a sandboxed iframe with downloads disabled to prevent downloading modal from appearing. ```javascript // Set the destination URL to test for the download attempt @@ -73,7 +73,7 @@ This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), be ### Download Navigation (without iframes) -A variation of the technique presented in the previous section can also be effectively tested using `window` objects, this also uses a sandboxed iframe to prevent a visible file download or prompt: +A variation of the technique presented in the previous section can also be effectively tested using `window` objects. In the snippet below, we've added a sandboxed iframe with disabled downloads to prevent downloading modal from appearing. ```javascript // Set the destination URL From f733803404794a4473bc6c218d9df21e5ae8d7aa Mon Sep 17 00:00:00 2001 From: terjanq <terjanq@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:25:01 +0200 Subject: [PATCH 11/11] Update navigations.md --- content/docs/attacks/navigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md index 099821403..e23de424d 100644 --- a/content/docs/attacks/navigations.md +++ b/content/docs/attacks/navigations.md 
@@ -39,7 +39,7 @@ When an endpoint sets the [`Content-Disposition: attachment`](https://developer. Another way to test for the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header is to check if a navigation occurred. If a page load causes a download, it does not trigger a navigation and the window stays within the same origin. [Run demo](https://xsinator.com/testing.html#Download%20Detection) -In the snippet below , we've added a sandboxed iframe with downloads disabled to prevent downloading modal from appearing. +In the snippet below , we've added a sandboxed iframe with downloads disabled to prevent a download modal from appearing. ```javascript // Set the destination URL to test for the download attempt @@ -73,7 +73,7 @@ This attack works regardless of any [Framing Protections]({{< ref "xfo" >}}), be ### Download Navigation (without iframes) -A variation of the technique presented in the previous section can also be effectively tested using `window` objects. In the snippet below, we've added a sandboxed iframe with disabled downloads to prevent downloading modal from appearing. +A variation of the technique presented in the previous section can also be effectively tested using `window` objects. In the snippet below, we've added a sandboxed iframe with disabled downloads to prevent a download modal from appearing. ```javascript // Set the destination URL
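Review bot: Both hunks say the sandboxed iframe has "downloads disabled", but the snippets only ever set `allow-scripts allow-same-origin allow-popups`, so the effect comes from omitting the `allow-downloads` token, which Chromium (and, I believe, Firefox 82+) treats as blocking downloads inside the sandbox; readers porting the snippet cannot tell that from the current wording. I would write in both places: In the snippet below, we've added a sandboxed iframe that omits the allow-downloads token, so a download triggered inside it is blocked instead of showing a download prompt. The second hunk now describes an iframe under the heading `### Download Navigation (without iframes)`; a clause such as "the iframe only supplies the sandbox, the navigation itself is still a top-level window.open (so, unlike the iframe variant, SameSite=Lax cookies are sent)" would resolve that contradiction and explain why the two sections exist. The first hunk's `In the snippet below , we've` also keeps a stray space before the comma.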