Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LavaDome bypass via overridden built-in methods #39

Closed
masatokinugawa opened this issue Apr 24, 2024 · 2 comments
Closed

LavaDome bypass via overridden built-in methods #39

masatokinugawa opened this issue Apr 24, 2024 · 2 comments

Comments

@masatokinugawa
Copy link

masatokinugawa commented Apr 24, 2024
edited
Loading

I'm not sure if LavaDome is intended to provide protection for this kind of bypass but even if developers follow "Defensive coding" mentioned in the README, it can be bypassed using another window.

  • Visit the demo
  • Open console and run the code below
const win = window.open('#', '_blank');
win.Array.from = arg => {
  if (typeof arg === 'string') {
    win.alert(arg);
  } else {
    return Array.from(arg);
  }
}
@weizman
Copy link
Member

weizman commented Apr 25, 2024

Not part of the threat model.

This is something LavaDome (and generally, the Web) can't protect against with its current characteristics unfortunately.

It's one thing to protect the main realm of the application against attacks, but attempting to defend child same origin realms (aka window/popup/iframe/etc) is a challenge yet to be solved.

In fact, Under the LavaMoat organization there's SnowJS which is a security tool designed for that purpose exactly - it takes your JavaScript code and runs it for you automatically to all child same origin realms under the top main realm of your app.

Problem with Snow is that because of how complex Web and DOM APIs are, accomplishing such a mission in JavaScript user land seems to be too difficult (hence the many opened issues against the Snow repo indicating open vulnerabilities).

Because of that, we proposed a browser level solution for this problem in the WICG (see #144).

But until then, there isn't a way to secure all realms from this.

For LavaDome that's fine, because according to the use case, you'd have to trick the victim into interacting with the wrong window for this to work. That's harder to tell via this demo because in the demo the secret is being displayed without any user interaction, but with real use cases, such secret should only be written to DOM after explaining to the user they have to be cautious before the app displays it, and for that the user must acknowledge the realm by interacting with it.

I do agree that if you managed to trick the user into interacting with the wrong realm you can effectively cancel any runtime security tool. But due to it being an unlikely attack vector as well as something web can't protect against atm, this tentatively remains out of scope.

Hope this makes sense!

@weizman weizman closed this as completed Apr 25, 2024
@masatokinugawa masatokinugawa mentioned this issue May 4, 2024
Closed
@eligrey
Copy link

eligrey commented Jul 14, 2024
edited
Loading

attempting to defend child same origin realms (aka window/popup/iframe/etc) is a challenge yet to be solved.

But until then, there isn't a way to secure all realms from this.

This is mostly solvable without RIC but the solution admittedly isn't pretty.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@eligrey @masatokinugawa @weizman