Parity SOP Bypass

Same-Origin Policy Bypass in Parity's Dapp Browser


/* This program is free software. It comes without any warranty, to
 * the extent permitted by applicable law. You can redistribute it
 * and/or modify it under the terms of the GNU General Public License,
 * Version 2, as published by the Free Software Foundation. See
 * for more details. */ 

Issue #1

Same-Origin Policy (SOP) bypass vulnerability due to parity proxying websites

Every webpage you browse to with parity's built-in browser ( is proxied via For example, when you browse to
  •'s the websites origin changes to
  • Navigating to changes the origin to as it is proxied via parity.
Both websites therefore share the same origin, rendering a core feature of modern web browsers - the Same-Origin Policy - ineffective. Two pages are same-origin if protocol, host and port match (Internet Explorer does not check the port). Bypassing the SOP gives a page full control over XHR and the DOM of child nodes (including iframe source) with the same origin.

DEMO #1 Cookies shared with other websites

Display Cookies

Issue #2

Parity WebProxy Token Reuse vulnerability

When navigating to a website with Parity's built-in web browser, a web proxy request token is requested and sent along with an encoded request for a URL. For example, navigating Parity to the url gets turned into a proxy url like of the form[base32_encode(token+url)].
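Why a path-encoded proxy URL of the form described above collapses origins (Issue #1), and how a per-site host restores the separation. This is an added example, not code from the original page or from Parity. The proxy host, the token value, the sample sites and the host-based mitigation are assumptions made for illustration.

```javascript
// Added illustration, not code from the page or from Parity.
// PROXY_HOST and TOKEN are constructed placeholders (assumptions).
const PROXY_HOST = "proxy.invalid:8080";
const TOKEN = "TOKEN123";

// RFC 4648 base32, lowercase and unpadded so it is also hostname-safe.
function base32(str) {
  const alphabet = "abcdefghijklmnopqrstuvwxyz234567";
  let bits = 0, value = 0, out = "";
  for (const byte of Buffer.from(str, "utf8")) {
    value = (value << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += alphabet[(value >>> bits) & 31];
    }
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += alphabet[(value << (5 - bits)) & 31];
  return out;
}

// Path-style proxying as the page describes it: the target is encoded
// into the path, so every proxied site is served from one host.
function pathProxied(target) {
  return `http://${PROXY_HOST}/${base32(TOKEN + target)}`;
}

// Assumed mitigation: encode the target's origin into a DNS label so each
// proxied site gets its own host (real labels are limited to 63 characters).
function hostProxied(target) {
  const u = new URL(target);
  return `http://${base32(u.origin)}.${PROXY_HOST}${u.pathname}`;
}

// Same-origin test on the (protocol, host, port) tuple.
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

const siteA = "https://bank.example/login"; // constructed sample targets
const siteB = "https://other.example/";
console.log("path-style shares origin:", sameOrigin(pathProxied(siteA), pathProxied(siteB)));
console.log("host-style shares origin:", sameOrigin(hostProxied(siteA), hostProxied(siteB)));
```

With the path-style scheme the browser sees one origin for both sites, so cookies, XHR and DOM access are shared between them. With a host per proxied site, the browser's own origin check separates them again.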

DEMO #2 Full control of arbitrary websites via token reuse and SOP bypass Notes:

Spawn SOP Iframe

DEMO #3 (Chrome) Get the local LAN IP and service-scan for web-enabled devices on the LAN to mess with them,
e.g. search for local router interfaces with default passwords and reconfigure them to perform DNS-based redirection attacks (MITM) or similar

Find LAN-Local WebInterfaces