Spoofing Firefox protected objects
Wednesday, 14 November 2007
I’ve been hacking Firefox in my spare time and I thought that it had adequate protection against spoofing properties like document.domain. I was wrong 🙂 This could turn into a browser exploit in future if the spoofed objects are accepted by Firefox internally (I don’t think they are, but you never know 😉 ).
There are two ways of spoofing document.domain, 1) You can define a getter which overwrite the call to document.domain and 2) You can overwrite the prototype
Here’s how it works:-
1)
document.__defineGetter__("domain", function() {
return 'www.google.co.uk'});
alert(document.domain); // returns www.google.co.uk
2)
document.__proto__ = String.__proto__;
document.prototype = String.__proto__;
document.domain = 'www.google.co.uk';
alert(document.domain); // returns www.google.co.uk
The first technique allows you to spoof nearly everything apart from the location object. I think the location provides some extra security checks and I’m currently investigating spoofing that as well.
No. 1 — November 14th, 2007 at 12:43 pm
Nice. have you tried to play with location.history? If you could spoof that and define a getter this issue could have real big impact.
No. 2 — November 14th, 2007 at 1:33 pm
document.location.history = String.__proto__;
document.location.history.back = function() {
alert(1);
}
document.location.history.back();
No. 3 — November 14th, 2007 at 1:37 pm
history.__proto__ = String.__proto__;
history.back = function() {
alert(‘Spoofed’);
}
history.back();
No. 4 — November 14th, 2007 at 5:37 pm
Holy Crap… that’s really bad. Awesome find!
No. 5 — November 14th, 2007 at 6:08 pm
When you post code is there a way to word wrap it @ the size of your blog article column width. Things often extend off the right side where they’re unreadable.
No. 6 — November 14th, 2007 at 6:27 pm
Yeah point taken Thorin, I’ve wrapped the code in the article. If I can be bothered I’ll fix the css.
No. 7 — November 14th, 2007 at 8:14 pm
Sorry I didn’t mean to make more work for you. I was hoping there’d be an easy fix for it. (It’s not like yours is the only blog with this issue).
Both of these have the same problem:
http://myappsecurity.blogspot.com/
http://blogs.msdn.com/hackers/archive/2007/11/12/first-line-of-defense-for-web-applications-part-4.aspx
No. 8 — November 14th, 2007 at 8:22 pm
It’s ok I know how to fix it, it’s the template I’ve used but I prefer hacking Firefox than fixing CSS 🙂
No. 9 — November 14th, 2007 at 10:15 pm
Overwriting the getter/setter for the location object was fixed in 2002. Based on the bug discussion I’m not surprised they didn’t get around to protecting other objects.
https://bugzilla.mozilla.org/show_bug.cgi?id=143369
No. 10 — November 15th, 2007 at 1:56 am
The reason this is not an issue, is because firefox has 2 window objects, an internal window, and an external window.. the external window is modifiable, and the internal window is not, so when you modify document.domain rewriting prototypes and stuff at the external window, the internal window wont be changed..
Greetz!!
No. 11 — November 15th, 2007 at 9:20 am
Same origin policy might not be affected but it’s still a issue because you can spoof any object for that session. I’ve already released a DOS attack based on these issues:-
http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/
No. 12 — November 15th, 2007 at 12:50 pm
Ah yeah, I was talking about S.O.P. but other things can still be an issue.. like exploiting some addons, or DoS attacks, or I dunno hehe 😛
No. 13 — November 15th, 2007 at 1:19 pm
DOS is fun 😀 WebFu self defence 😉