CVE-2020-9915 – Failure to properly process form-action ‘self’ leads to CSP bypass in Safari
Content Security Policy (CSP) is an added security layer that helps detect and mitigate specific attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.
To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. Alternatively, the <META> element can be used to configure the CSP policy, as is the case in our scenario.
This article describes an issue I found a year ago while investigating a potential security vulnerability: a malicious user could control the action attribute of a specific form that contains a CSRF token.
For example, the following form would allow us to exfiltrate that token, since the browser posts the form data, token included, to whatever URL is set in the action attribute.
<form action="" id="XSRF" method="post">
<input type="text" name="TOKEN" value="TOKEN_VALUE">
<input type="submit" id="submit" value="submit">
</form>
Unfortunately, this is not the case when the CSP defines the following rule:
Content-Security-Policy: Form-Action 'self'
In order to evade the protection and leak the token to an external server, we need to find a way to bypass the CSP on that page.
First, we need to confirm how different browsers treat this directive. The Mozilla Developer documentation doesn't give us much, since it states that all widely used web browsers support the form-action directive.
That wasn't what we saw when we went through each browser to confirm the behavior manually. The results were surprising.
Safari was not honoring form-action when it was set to 'self'.
As a result of that behavior, we can exfiltrate the CSRF token from the victim's Safari browser to a server we control.
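As an added example (not code from the original post or from WebKit), this is the evaluation a browser is expected to perform for form-action before submitting a form, the step Safari skipped for 'self' in CVE-2020-9915. The policy string, document URL and form action are the inputs; the function names and the sample URLs are this example's own.

```javascript
// Added example: a minimal evaluator for the CSP form-action directive.
// Handles 'none', 'self', '*', scheme sources and host sources (optional
// scheme, leading "*." label, optional port); full CSP3 matching has more cases.

function matchesSource(source, target, doc) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return target.origin === doc.origin;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol.toLowerCase() === source.toLowerCase();
  }
  // host-source such as "https://*.example.com:443"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wanted = (scheme || doc.protocol.slice(0, -1)).toLowerCase();
  const got = target.protocol.slice(0, -1).toLowerCase();
  // CSP lets an http source match an https target, never the reverse.
  if (got !== wanted && !(wanted === 'http' && got === 'https')) return false;
  const h = target.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  // URL.port is '' for the scheme's default port; fill it in for comparison.
  const targetPort = target.port || { 'http:': '80', 'https:': '443' }[target.protocol] || '';
  if (port === undefined) return target.port === '';   // source without port = default port only
  return port === '*' || targetPort === port;
}

// policy: the value of a Content-Security-Policy header or <meta> tag.
// action: the form's action attribute; "" resolves to the document URL itself.
function formActionAllowed(policy, documentUrl, action) {
  const doc = new URL(documentUrl);
  const directive = policy.split(';').map((d) => d.trim())
    .find((d) => /^form-action(\s|$)/i.test(d));   // directive names are case-insensitive
  if (!directive) return true;   // form-action never falls back to default-src
  const sources = directive.split(/\s+/).slice(1);
  const target = new URL(action, doc);
  return sources.some((s) => matchesSource(s, target, doc));
}
```

With form-action 'self' the empty action in the form above resolves to the page's own URL and is allowed, while an attacker-controlled absolute URL on another origin is refused; a browser that skips this check submits the token anyway.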
The security issue was reported to Apple Security, and they assigned CVE-2020-9915 to it. https://support.apple.com/en-us/HT211292
References:
https://developers.google.com/web/fundamentals/security/csp
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP