Finding Same Origin Method Execution Vulnerabilities

Nathan Walsh
6 min read, intermediate

Overview

The article discusses Same Origin Method Execution (SOME) vulnerabilities, detailing how attackers can exploit these vulnerabilities to execute JavaScript functions on behalf of users. It also introduces a BurpSuite extension called SOMEtime, designed to identify such vulnerabilities in web applications.

What You'll Learn

1. How to identify Same Origin Method Execution vulnerabilities in web applications
2. Why using window.postMessage is safer than JSONP for cross-domain interactions
3. How to implement a server-side passlisting approach to mitigate SOME attacks

Prerequisites & Requirements

  • Understanding of JavaScript and web security concepts
  • Familiarity with BurpSuite for vulnerability scanning (optional)

Key Questions Answered

What is Same Origin Method Execution (SOME) and how does it work?
Same Origin Method Execution (SOME) is a vulnerability in which an attacker controls a reflected function name (typically a JSONP callback parameter) that the page then executes as JavaScript. Because the reflected call runs in the application's own origin, it can reach sensitive functions, such as one that deletes an account, by manipulating the DOM and invoking the page's JavaScript functions directly.
How can an attacker exploit a vulnerable web application using SOME?
An attacker can exploit a vulnerable web application by using the 'window.opener' reference to interact with any page from the same origin as the vulnerable site. This increases the attack surface by allowing the attacker to execute functions on the victim's page.
What are the recommendations for mitigating SOME attacks?
To mitigate SOME attacks, applications should use a statically defined callback value if possible, implement server-side passlisting for callback endpoints, and prefer using window.postMessage over JSONP for safer cross-domain interactions.

Technologies & Tools

Security Tool
BurpSuite
Used for monitoring HTTP requests and responses to identify vulnerabilities.

Key Actionable Insights

1. Implement server-side passlisting to restrict callback endpoints to known safe values.
   This approach helps prevent attackers from exploiting vulnerabilities by ensuring that only predefined functions can be executed, thus reducing the risk of SOME attacks.
2. Consider using window.postMessage for cross-domain communication instead of JSONP.
   window.postMessage provides a safer alternative by allowing controlled communication between windows, thus avoiding the risks associated with executing user-controlled JavaScript functions.
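The passlisting recommendation above, as an added example that is not from the original article or the SOMEtime extension: a JSONP endpoint that reflects the callback parameter verbatim, next to one that only ever emits a statically known function name, plus a self-check a team can run against its own builder to confirm an arbitrary callback is no longer reflected. The endpoint, function names and payload are assumptions for illustration.

```javascript
// Assumed JSONP endpoint: /api/profile?callback=<name>
// Only these client-side handlers are allowed to be named in the response.
const ALLOWED_CALLBACKS = new Set(["handleProfile", "renderProfile"]);
const DEFAULT_CALLBACK = "handleProfile";

// Vulnerable pattern: the client-supplied parameter becomes the function
// that runs in the page's origin, which is the root cause of SOME.
function buildJsonpUnsafe(callbackParam, payload) {
  return `${callbackParam}(${JSON.stringify(payload)});`;
}

// Hardened pattern: map the parameter onto a server-side passlist and
// fall back to a fixed default for anything unknown.
function resolveCallback(callbackParam) {
  if (typeof callbackParam !== "string") return DEFAULT_CALLBACK;
  return ALLOWED_CALLBACKS.has(callbackParam) ? callbackParam : DEFAULT_CALLBACK;
}

function buildJsonpSafe(callbackParam, payload) {
  const fn = resolveCallback(callbackParam);
  return `${fn}(${JSON.stringify(payload)});`;
}

// Defender self-check: send a unique probe name that no legitimate page
// defines and see whether the builder reflects it. A reflected probe means
// an attacker could name any function reachable in the origin.
function reflectsArbitraryCallback(builder) {
  const probe = "someProbe_7f3a1c"; // constructed, not a real handler
  const body = builder(probe, { ok: true });
  return body.startsWith(`${probe}(`);
}

// Constructed sample request values for a stand-alone run.
const samplePayload = { id: 42, name: "example user" };
console.log(buildJsonpUnsafe("deleteAccount", samplePayload)); // reflects attacker choice
console.log(buildJsonpSafe("deleteAccount", samplePayload));   // handleProfile({...});
console.log("unsafe reflects probe:", reflectsArbitraryCallback(buildJsonpUnsafe)); // true
console.log("safe reflects probe:", reflectsArbitraryCallback(buildJsonpSafe));     // false
```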

Common Pitfalls

1. Directly injecting user input into JavaScript execution contexts can lead to XSS and SOME vulnerabilities.
   This occurs when developers fail to sanitize user inputs, allowing attackers to manipulate the execution flow and potentially execute harmful scripts.

Related Concepts

JavaScript Vulnerabilities
Cross-Site Scripting (XSS)
Web Security Best Practices