CVE-2016-5135

MEDIUM

Google Chrome < 51.0.2704.106 - Content Security Policy Bypass via Referrer Policy Mismatch

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-5135. PoCs published by OpenSISE.

AI-analyzed exploit summary This PoC demonstrates CVE-2016-5135, a referrer leak vulnerability in Chrome. It uses a combination of CSP, external resources, and an XMLHttpRequest to trigger the referrer leak via the 'origin-when-cross-origin' policy.

Description

WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not consider referrer-policy information inside an HTML document during a preload request, which allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted web site, as demonstrated by a "Content-Security-Policy: referrer origin-when-cross-origin" header that overrides a "<META name='referrer' content='no-referrer'>" element.

Exploits (1)

github WORKING POC 31 stars

by OpenSISE · cpoc

https://github.com/OpenSISE/CVE_PoC_Collect/tree/master/Browser/CVE-2016-5135.php

View Code ZIP pw:eip

This PoC demonstrates CVE-2016-5135, a referrer leak vulnerability in Chrome. It uses a combination of CSP, external resources, and an XMLHttpRequest to trigger the referrer leak via the 'origin-when-cross-origin' policy.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Google Chrome < 53.0.2785.113

No auth needed

Prerequisites: Victim must visit the malicious page

MITRE ATT&CK