Attackers have learned how to use Trusted-Types against users.
In mid-2024, cybersecurity specialists from Confiant drew attention to a new malicious actor called MutantBedrog. This threat actor has raised alarm bells due to its active campaigns of forced user redirects to malicious sites, accompanied by unique JavaScript scripts to scan devices and send them to fake pages.
Experts paid special attention to the numerous references to content security policies (CSPs) and Trusted-Types in the code of these scripts. Trusted-Types is a security mechanism used to prevent XSS attacks and other harmful JavaScript execution scenarios. However, MutantBedrog has found a way to bypass this protection at every stage of script execution.
An example taken from the MutantBedrog code demonstrated that the script uses the Trusted-Types policy to generate malicious URLs and run them through dynamically generated elements on the page. This gave attackers the ability to perform redirects and script injections even under strict CSP restrictions.
When experimenting with this code, experts confirmed that Trusted-Types CSP can be circumvented as part of a multi-stage scripting strategy. Such scripts are not blocked because they are executed in a Friendly Frame, where policy rules are not always fully enforced.
However, further tests showed that the browser blocks some scripts that attempt to create DOM elements and modify their contents directly. To circumvent this limitation, MutantBedrog uses additional Trusted-Types injection steps, creating even more complex scripts to bypass protection.
After an in-depth analysis of this case, experts concluded that the problem was not a browser bug. According to the specifications, content security policies do not apply to iframes downloaded through network requests, which opens the door to abuse if the iframe content originates from a trusted source.
This case shows that even advanced security mechanisms such as CSP and Trusted-Types can be vulnerable to bypass in the face of sophisticated attacks. Tech-savvy threat actors like MutantBedrog are actively researching and exploiting weaknesses in browsers' security mechanisms, underscoring the need for continuous improvement of these technologies to counter new threats.
Source
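On the defensive side, the article's points about scripts creating their own Trusted-Types policies and about iframe content can be checked against a site's own CSP header. The following is an added example, not code from the post or from Confiant's analysis; the function names and sample headers are constructed for illustration.

```javascript
// Added example: audit a CSP header for Trusted Types and frame restrictions.
// Function names and the sample headers below are constructed for illustration.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditTrustedTypes(header) {
  const csp = parseCsp(header);
  const findings = [];
  const sinks = (csp.get('require-trusted-types-for') || []).map(t => t.toLowerCase());
  // Without this directive, DOM sinks accept plain strings.
  if (!sinks.includes("'script'")) findings.push('not-enforced');

  const policies = csp.get('trusted-types');
  if (policies === undefined) {
    // No allowlist: any script on the page may call trustedTypes.createPolicy().
    findings.push('policy-names-unrestricted');
  } else {
    if (policies.includes('*')) findings.push('wildcard-policy-name');
    if (policies.some(t => t.toLowerCase() === "'allow-duplicates'")) {
      findings.push('duplicate-policies-allowed');
    }
  }
  // frame-src falls back to child-src, then default-src.
  if (!['frame-src', 'child-src', 'default-src'].some(d => csp.has(d))) {
    findings.push('frames-unrestricted');
  }
  return findings;
}

const SAMPLE_HEADERS = {
  enforcedOnly: "default-src 'self'; require-trusted-types-for 'script'",
  wildcard: "script-src 'self'; require-trusted-types-for 'script'; trusted-types * 'allow-duplicates'",
  strict: "default-src 'self'; frame-src 'none'; require-trusted-types-for 'script'; trusted-types appPolicy",
};

for (const [name, header] of Object.entries(SAMPLE_HEADERS)) {
  console.log(name, auditTrustedTypes(header));
}
```

An empty findings list means Trusted Types is enforced, policy creation is limited to named policies, and some directive governs which frames may load.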