Eduardo Vela Nava



The attacker wants to read the contents of another website.



There are media elements in HTML5 that allow the user to stream content online. When streaming the client can select a subset of the media content (for example, to skip forward to a specific part of song or video without having to download the whole file). This is achieved by making requests that specify a starting point. The server can also decide how much data is returned on each request to save bandwidth if the user doesn't want to download the whole file. In addition, the server can decide to respond to the client with a redirect to another website. At the end, the client simply collects and merges the responses on the client.



The attacker tricks the victim into visiting his website. The attacker requests a same-origin video file which will be split using a Range response, in a way that contains all information required to parse the file except for the video's width. When the browser recognizes it needs more information to parse it, it requests the second chunk of the video. The server responds to the second request with a redirect to a third-party website. The browser repeats the request to this third-party site (this time pointing to a non-video file) to which the server responds to the request with the Range specified by the browser, and the browser parses the response as a video (although it isn't a video, the browser assumes it is). The browser then tries to parse the video with the dimensions specified by the attacker and the other site, which could trigger an error if too large. By listening to the error events triggered by the video the attacker can figure out the bytes in the third-party site response.