Paid Advertising is
ha.ckers sla.cking
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Firefox Extension Javascript Question
Posted by: emonk
Date: August 11, 2008 01:14PM

I'm playing with writing a FF extension, and I'm curious if there's any way besides exploiting an unsanitized 'eval()' that someone could make my javascript execute their javascript in the chrome context?

For instance if I'm doing something like this, is there a way they could embed malicious JS inside the variable and get it to run?

var = somecrapfromarandomwebpage;


I'm new, and I hope I put this in the right place.

Edited 2 time(s). Last edit at 08/11/2008 01:51PM by emonk.

Options: ReplyQuote
Re: Firefox Extension Javascript Question
Posted by: DoctorDan
Date: August 12, 2008 03:12PM

Is that "crap" a string enclosed in single/double quotes? Are both those lines in the same script? Is there any filtering done on the "crap" before placed into the page? This sounds like it has lots of potential to be exploited, but we need some more info. XSS may have been a better forum to post in, by the way, but welcome :)


Options: ReplyQuote
Re: Firefox Extension Javascript Question
Posted by: emonk
Date: August 15, 2008 09:14AM

Here's an example from inside the extension:

var target = doc.getElementById("myid");
var le = doc.createElement("li");
le.innerHTML = str;

Now in FF you can't just use prototype to redefine target.appendChild into something malicious, but I'm worried that someone could return something via 'doc.getElementById("myid");' that could get executed in chrome context.

I don't even know if it's possible, but it seems like it should be.

Options: ReplyQuote
Re: Firefox Extension Javascript Question
Posted by: ma1
Date: August 15, 2008 12:55PM

It could happen in Firefox <, unless you explicitely wrapped every DOM node you manipulated into an XPCNativeWrapper (a typical beginner error).

Doing this "the safe way" was quite painful, though (I had very ugly code inside my FlashGot overlay which I still strive to clean up now), so starting with Firefox XPC deep wrapping has been made automatic, i.e. you are guaranteed to call the native metod defined on the DOM interface, rather than any JavaScript override (as a side effect, you can not access any JavaScript expando set by content code).


There's a browser safer than Firefox... Firefox, with NoScript

Options: ReplyQuote
Re: Firefox Extension Javascript Question
Posted by: dveditz
Date: August 15, 2008 08:42PM

You're very wise to worry. Here's some docs:

Due to the downside of XPCNativeWrappers mentioned by ma1 of not being able to reach js properties you may see code examples that use "wrappedJSObject" -- very dangerous, that's explicitly bypassing the protections mentioned above. Don't do it.

If you need to run code in the untrusted window, first try to avoid it, and second if you absolutely must evalInSandbox() tries to be a safe way to do it.

If your very first example "alert(somecrapfromarandomwebpage);" where somecrapfromarandomwebpage is not a DOM object or property you need to be careful. someone can override the default somecrap.toString() and hack you (toString() is implicitly called by alert() and lots and lots of other places). That's why XPCSafeJSObjectWrappers were added to Firefox 3, but you're out of luck in Firefox 2.

Options: ReplyQuote

Sorry, only registered users may post in this forum.