Cross Context Scripting

published: August 23rd, 2006

I was thinking about alternative ways of exploiting the browser without going through the process of finding overflows or other common vulnerabilities. The first most obvious thing I come across is exploiting the user space plugins. There are many reasons why attackers might go for this type of targets, one of which is that plugins are not written with security in mind.

Let’s have a look on Firefox extensions security implications. Because extensions make use of standard technologies such as JavaScript, XML, RDF, CSS, it could be possible to transfer malicious code from a remote page into the browser context. Here is a simple scenario:

the user visits evil.com
the malicious site detects the currently installed Firefox plugins
upon detection complete a vulnerable plugin is targeted
based on the plugin type and version, a malicious content is written inside the current document
this content is read by the vulnerable plugin
because the plugin does not perform any data sensitizations, the malicious JavaScript code jumps from the restricted sandbox into the browser context, which is unrestricted.

The result of this kind of attack is quite obvious. Once restricted web script cross into your browser context, higher access permissions are granted. From this point on, the script can install other scripts and modify your file system. Attackers will be able to hijack your browser and backdoor every page you visit using greasemonkey script for example. This means that every page you visit will leak sensitive information about you. It is also worth mentioning that once your browser is compromised the attacker can use it as part of a botnet to attack other machines.

» more | » comments rss | posted by pdp | syndication and integration ( )

comments

Aviv responds:

Why bother detecting the plugin? If there is a vulnerable plugin, an attacker can always try to exploit it. If the victim doesn’t have the plugin installed, the exploit will just fail (or quietly fail, using try..catch clause).

pdp responds:

In a way you are right. Just registering the malicious content should trigger exploitable condition. On the other hand, I believe that extra checking is always good. Exploits are software after all. Software should fail gracefully no matter what it does. Extra checks are required pretty much always, IMHO.

There is a tendency in the computer security community to create hacks (things that work but also fail because of number of reasons). Most worms and exploits I have seen are hacks as well. I wonder what a graceful and beautifully written worm or exploit can achieve.

	Blogsecurify is a devision of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.
	Netsecurify is a devision of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.
	Websecurify is a devision of GNUCITIZEN. The initiative was established to provide a fee web application security framework for automated and manul penetration testing. The service is still in private-beta.
	Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.

GNUCITIZEN

navigation

Cross Context Scripting

comments

trackbacks

respond

GNUCITIZEN Products