It's a shampoo world anyway
 
Dienstag, 26. Dezember 2006


Using eval() in Greasemonkey scripts considered harmful

For some time now, there is a vague assumption in the web-security community that browser add-ons like e.g. Firefox extensions can cause security problems. On my flight back from PacSec, I decided to have a closer look on Greasemonkey scripts. I had already downloaded all available Greasemonkey-scripts from userscripts.org a while ago, but never got around to do anything with them. When I was skimming through the files, I noticed that eval() is used quite frequently. It didn't take long to find a userscript that passes non-sanitized user-provided data to a eval()-statement: Mailto Compose In GMail (with choice).

The userscript parses mailto hyperlinks and creates according compose-links to gmail.com. The parsing is done by a simple regexp:

nameValue = param.match(/([^=]+)=(.*)/);
...
emailTo = emailTo + "%2C%20" + nameValue[2];

These values are used in an eval() to create a new global variable:

eval("var " + emailUrlVarName + "
    = 'mail.google.com"
    + (emailTo ... );

As there is no intermediate filtering step, injecting code into this eval is rather simple:

<a mailto="me@th)';your_js_code_here;//>name</a>

If a Firefox with the according userscript installed displays a webpage that contains such a mailto-link, the browser executes the injected JavaScript in the domain of the displayed webpage. Therefore the Greasemonkey-script creates a XSS-problem in all web applications that allow users to create arbitrary mailto-links (as e.g. the default installation of Wordpress does). Go here for a demo. Furthermore, these scripts are executed in the Greasemonkey domain, thus are allowed additional privileges like cross-domain XMLHttpRequests.

I don't consider this issue to be grave or critical. I don't expect the install-base of this particular userscript to be big enough to actually cause any exploitation. Nonetheless I think it is a good example how browser add-ons can create XSS-problems in web apps that are secure themselves.

 
online for 6351 Days
last updated: 09.04.14 16:14
status
Youre not logged in ... Login
menu
... home
... topics

... antville home

März 2019
MoDiMiDoFrSaSo
123
45678910
11121314151617
18192021222324
25262728293031
Juni
about:
the shampoo world is
the personal weblog of Martin Johns.
recent

xml version of this page

Made with Antville
powered by
Helma Object Publisher




...welcome to the long tail...