Edge mixed content security policy bypass

Hello readers,

This post is about an edge mixed content security policy bypass.

What is mixed content issue?

According to MDN resource when a user visits a page served over HTTPS, their connection with the web
server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle
attacks. An HTTPS page that includes content fetched using clear text HTTP is called a mixed content
page. Pages like this are only partially encrypted,
leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.
That leaves the pages unsafe.

In short if we request to load any HTTP resources like scripts, stylesheets, video etc. over HTTPS then
browser simply deny the request. Since HTTP resources can be intercepted by the attacker.

For example suppose we have a page over HTTPS let’s call it https://securepage.com/secure.html Now request to create an iframe inside it to load an insecure resource http://demo.testfire.net and see how edge reacts.

[Sample code snippets]

  <h1>Demo Page!</h1>
  <!-- loading HTTP content over HTTPS -->
  <iframe src="http://demo.testfire.net" frameborder="1"></iframe>

As displayed in the console error browser refused to load an insecure content over a secure context.

However loading insecure images are allowed by the browser.

We have few legendary browsers who don’t follow mixed content policy

- Opera mini beta
- CM browser
- UC browser
- MI browser
- Dolphin Browser
- Next Browser

Bypassing mixed content policy

During testing I found that we can use a combination of home button + back button
to load any HTTP resources over a secure page.

In order to load insecure content we can follow below steps.

1. Request to load insecure content over HTTPS.

2. Navigate to home either using home button or by typing about:home in address bar

3. Press the back button

Verified on:

Microsoft Edge 42.17134.1.0
Microsoft EdgeHTML 17.17134

Video proof of concept:

This issue will be fixed in upcoming releases.

Thanks for reading.


Popular posts from this blog

How I bypassed 2-Factor Authentication in a bug bounty program

Story of a JSON XSS