8

I have the domain example.com

When I enter the URL https://api.example.com, Chrome loads the page and also tries to load https://myapp.example.com/favicon.ico; that request receives a 301 redirect to **http://**main.example.com and then receives the HTML content of that page.

I know how to fix it, but I'm interested in what would happen, because main.example.com is not on HTTPS; anyone could attack (DNS replace) and respond to the 301 redirect with their malicious content.
It was a favicon redirect, so Chrome at least didn't seem to execute the code.
I changed main.example.com to respond with

<script type="text/javascript">alert("hola")   </script>

but the alert was not executed.

So is this a security flaw?

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47

3 Answers

5

According to your question Chrome was loading a plain HTTP favicon in a HTTPS page without any browser warning. Interesting.

Redirecting to a plain HTTP website is not a vulnerability in itself. However, it is a security flaw if the redirect is accidental and you want your users to remain on a secure, trusted channel to your site.

Script content will not be executed in a favicon but the request could leak cookies if the cookie domain isn't set correctly and the secure flag is not set. An attacker could also do this with your site if the user visits any site under plain HTTP.

If there are any browser exploits that can be triggered from a favicon you could be putting your users at risk here, although the initial redirect and the browser exploit are really flaws in the browser rather than your site.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
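As an added illustration of the cookie-leak point in the answer above (this is not code from the answer or from any of the sites involved), the script below uses the Python standard-library cookie jar as a browser stand-in: it stores cookies as if set by the HTTPS API host and then asks which of them would be attached to the redirected plain-HTTP favicon request. The cookie names and values are constructed; the jar enforces Domain, Path and Secure like a browser but does not model SameSite.

```python
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies():
    it only needs .info() to return something with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg.add_header("Set-Cookie", header)

    def info(self):
        return self._msg


def cookies_sent_to(set_cookie_headers, origin_url, target_url):
    """Store the Set-Cookie headers as if received from origin_url, then return
    the names of the cookies the jar would attach to a request for target_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(origin_url))
    target = urllib.request.Request(target_url)
    jar.add_cookie_header(target)  # adds a Cookie header only for cookies that qualify
    header = target.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


# Constructed sample: the HTTPS API host sets a session cookie, and the favicon
# request ends up redirected to the plain-HTTP host from the question.
ORIGIN = "https://api.example.com/"
REDIRECT_TARGET = "http://main.example.com/favicon.ico"

LEAKY = ["session=abc123; Domain=.example.com; Path=/"]            # all subdomains, no Secure
HARDENED = ["session=abc123; Domain=.example.com; Path=/; Secure"]  # same scope, HTTPS only
HOST_ONLY = ["session=abc123; Path=/"]                              # no Domain: api host only


def demo():
    """Return which cookie names reach the plain-HTTP redirect target in each case."""
    return {
        "no_secure_flag": cookies_sent_to(LEAKY, ORIGIN, REDIRECT_TARGET),
        "secure_flag": cookies_sent_to(HARDENED, ORIGIN, REDIRECT_TARGET),
        "host_only": cookies_sent_to(HOST_ONLY, ORIGIN, REDIRECT_TARGET),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case:15s} -> sent over http: {names or 'nothing'}")
```

Only the cookie that is both scoped to the parent domain and missing the Secure flag travels to main.example.com over plain HTTP; adding Secure (or keeping the cookie host-only) stops that.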
1

There is indeed a vulnerability, because as you observed, an attacker could intercept the traffic on the unsecured line and change it.

The reason your script didn't execute is that this came in the favicon, and Chrome (apparently) does not execute scripts in the favicon.

To exploit this, you would have to get Chrome to execute the code in the favicon.
One way to do this would be to use a buffer overflow in the code that renders the favicon, to make Chrome execute the payload in the favicon.
Another way to do this would be to get Chrome to accept an SVG file as a favicon, and then put the script inside a foreignObject tag inside SVG. (Disclaimer: I haven't tried this).

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
0

Redirection with Javascript or META tags

... You can not send a 301 status code via Javascript or META tags. Since the HTTP status code of the page will remain 200 OK ...

... Another disadvantage is that some browsers disable Javascript or META refresh. Therefore, one must include a link to the destination page in the body of the page ...

URL redirection

... HTTP headers or the refresh meta tag may be preferred for security reasons and because JavaScript will not be executed by some browsers and many web crawlers.

These links say that many browsers do not execute JavaScript or META tags in a redirection (301).

Ali
  • 2,694
  • 1
  • 14
  • 23