Bug Bounty Stories #1: Tale of CSP bypass in an electron app!
Talking of a bug I found long time back which led to the bypassing of CSP in an electron app :)
I have been working on developing an APIs, and was weeks into it. As a pentester and security researcher, I feel more joyful when I am in action mode. But sometimes I get to do some development work as well. It’s the boring part but that day it helped me!!
So one fine day, I was working on creating a bunch of APIs and used one of the electron-based apps (which I cannot disclose, so let’s name is as EApp) out of habit. I use EApp almost daily and always thought of finding some bugs in it and that day, unintentionally I saw that it was vulnerable to content injection issues! That turned my creative spark into the innovative fire, if you will ;)
And therefore I started fuzzing with the application and tried a lot of payloads — images to exfiltrate data in requests (worked!), content injection (worked!), XSS (didn’t worked :/ )!
The XSS attack didn’t worked due to a CSP policy that was enforced on the application.
So my goal was to bypass CSP now! And having quite a lot of experience with bypassing CSP policies, I was damn sure I could do it! But wait — the CSP policy looked flawless… It was as perfect as I could write, so I was a bit disappointed.
All this stuff that I explained in a minute or so took a some time, so once I exhausted all my resources, I just looked at the CSP for a while, in case some magic happens and I get to bypass it. Hahahaha, I am sure it must have happened with you too — waiting to see some dots getting connected, so it all falls in place.
And while I was in hope, I saw the obvious bypass!
The CSP Bypass
The CSP policy didn’t allowed ‘unsafe-eval’ or ‘unsafe-inline’. But, it allowed scripts with nonce. The nonce looked very large and random.
And so I just modified the payload, just to see the nonce getting changed and then it occurred to me that the initial part of the nonce is the epoch! And so with that aside, I was left with 6 characters = 6 bytes of entropy!
So I quickly developed a PoC for it and it worked perfectly! CSP bypassed via the weak nonce generation algo.
If I leave you with just the issue, that won’t be fair right — so the fix that was proposed is to get the nonce with high entropy — a UUID helps. Also, the main issue was content injection and there’s no reason user input should be rendered as is, so it had to be encoded when the user-input gets reflected in the application!
And with those 2 fixes, this issue was fixed and application became a bit more secure :)
Just want to say that I was quite shy to try pentesting that application due to its huge codebase and I didn’t had any knowledge of the application’s inner workings. Plus it was an electron app, and I didn’t had much prior experience then, to debug an electron app. But the experience came once I set out to pentest it :)
So my advice would be to not get overwhelmed by the target and just go for it — even if you end up finding nothing, you gained some knowledge of the application’s working and there’ was nothing to loose!
So with that, I would close this post. I hope this post was informational and fun to read. In case you enjoyed it, please share it among your friends in the infosec community :)
Let me know your feedback in the comments below and feel free to connect on twitter: @_SecurityGOAT
Until next time my friend, keep learning and happy hacking.