It's a shampoo world anyway
Tuesday, 26 December 2006

Using eval() in Greasemonkey scripts considered harmful

For some time now there has been a vague assumption in the web-security community that browser add-ons such as Firefox extensions can cause security problems. On my flight back from PacSec, I decided to have a closer look at Greasemonkey scripts. I had downloaded all available Greasemonkey scripts a while ago, but never got around to doing anything with them. When I was skimming through the files, I noticed that eval() is used quite frequently. It didn't take long to find a userscript that passes non-sanitized user-provided data to an eval() statement: Mailto Compose In GMail (with choice).

The userscript parses mailto hyperlinks and creates corresponding GMail compose links. The parsing is done by a simple regexp:

nameValue = param.match(/([^=]+)=(.*)/);
emailTo = emailTo + "%2C%20" + nameValue[2];

These values are used in an eval() to create a new global variable:

eval("var " + emailUrlVarName + "
    = '"
    + (emailTo ... );

As there is no intermediate filtering step, injecting code into this eval is rather simple:

<a mailto="me@th)';your_js_code_here;//">name</a>

If a Firefox browser with this userscript installed displays a webpage that contains such a mailto link, the browser executes the injected JavaScript in the domain of the displayed webpage. The Greasemonkey script therefore creates an XSS problem in every web application that allows users to create arbitrary mailto links (as, for example, the default installation of Wordpress does). Go here for a demo. Furthermore, userscripts run in the Greasemonkey domain and so hold additional privileges, such as cross-domain XMLHttpRequests, which the injected code inherits.
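To make the problem concrete, here is an added example (not the userscript's own code) that parses a mailto link the way the post describes and builds the compose link both with the eval() string-building trick and with an eval-free replacement. The function names, the composeUrls object and the GMAIL_COMPOSE prefix are assumptions; the hostile href is constructed in the shape the post shows and its payload only sets a marker.

```javascript
// Assumed compose endpoint; only the prefix matters for the demonstration.
const GMAIL_COMPOSE = "https://mail.google.com/mail/?view=cm&fs=1&to=";

// Parse "mailto:addr?k=v&k2=v2" into { to, params }, using the same kind of
// regexp as the userscript: text before '=' is the name, text after is the value.
function parseMailto(href) {
  const m = href.match(/^mailto:([^?]*)\??(.*)$/);
  if (!m) return null;
  const params = {};
  for (const param of m[2].split("&")) {
    const nameValue = param.match(/([^=]+)=(.*)/);
    if (nameValue) params[nameValue[1]] = nameValue[2];
  }
  return { to: m[1], params };
}

// The pattern the post criticises: attacker-controlled text is concatenated
// into JavaScript source. A single quote in the address ends the string
// literal and whatever follows is executed as code.
function buildWithEval(varName, emailTo) {
  eval("var " + varName + " = '" + GMAIL_COMPOSE + emailTo + "';");
}

// Hardened form: no source text is built at all. The address goes through
// encodeURIComponent, so ';', '=', '/' and '@' become %xx sequences, and the
// result lives in an ordinary object instead of a synthesised global variable.
const composeUrls = Object.create(null);
function buildSafely(varName, emailTo) {
  composeUrls[varName] = GMAIL_COMPOSE + encodeURIComponent(emailTo);
  return composeUrls[varName];
}

// Constructed hostile link in the shape shown above; the payload is inert
// apart from setting globalThis.evalMarker.
const HOSTILE_HREF = "mailto:me@th)';globalThis.evalMarker=1;//";
```

Running both builders on the parsed HOSTILE_HREF shows the difference: the eval() variant executes the marker assignment, the encoded variant yields a URL in which the same characters are just percent-encoded text.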

I don't consider this issue to be grave or critical. I don't expect the install base of this particular userscript to be big enough to actually cause any exploitation. Nonetheless I think it is a good example of how browser add-ons can create XSS problems in web apps that are secure by themselves.

the shampoo world is
the personal weblog of Martin Johns.