I’ve been hacking Firefox in my spare time and I thought that it had adequate protection against spoofing properties like document.domain. I was wrong.
This could turn into a browser exploit in future if the spoofed objects are accepted by Firefox internally (I don’t think they are, but you never know).
There are two ways of spoofing document.domain: 1) define a getter on the document object that shadows the real document.domain accessor, or 2) replace the document’s prototype so the real accessor is no longer on its prototype chain, then assign a plain property.
Here’s how it works:
1) Shadow the accessor with a getter on the document instance:
// Defines an own accessor property on document; the DOM’s inherited getter still exists, but the own property is found first.
document.__defineGetter__("domain", function() { return 'www.google.co.uk'; });
alert(document.domain); // returns www.google.co.uk
2) Swap the prototype, then assign:
// String.__proto__ is Function.prototype; pointing document at it removes the DOM accessors from its lookup chain.
document.__proto__ = String.__proto__;
// This creates an own 'prototype' property on document; it does not affect how 'domain' is looked up.
document.prototype = String.__proto__;
// With no inherited setter left to intercept the assignment, this creates a plain own property.
document.domain = 'www.google.co.uk';
alert(document.domain); // returns www.google.co.uk
The first technique lets you spoof nearly everything apart from the location object. Location appears to carry extra security checks, and I’m currently investigating whether it can be spoofed as well.
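To show which readers of document.domain the two spoofs above actually fool, here is an added example (not code from the original post) that can be run in Node. It uses a hypothetical FakeDocument class as a stand-in for the DOM’s Document: as with real WebIDL attributes, `domain` is an accessor on the prototype whose getter identifies its receiver by an internal brand (a WeakMap here), not by the prototype chain. The names FakeDocument, realDomain, isSpoofed and the sample domains are assumptions for the example. In a browser the equivalent of the captured getter is `Object.getOwnPropertyDescriptor(Document.prototype, "domain").get`, taken before any page script runs.

```javascript
// Added example, not from the original post. FakeDocument stands in for the
// DOM's Document object; sample domains are constructed for the demo.
const realDomains = new WeakMap(); // the value the "engine" trusts, keyed by brand

class FakeDocument {
  constructor(domain) {
    realDomains.set(this, domain);
  }
  get domain() {
    // Brand check: works whatever the receiver's prototype chain looks like.
    if (!realDomains.has(this)) throw new TypeError("Illegal invocation");
    return realDomains.get(this);
  }
  set domain(value) {
    // A real setter enforces the same-site relaxation rules; the stand-in just stores.
    realDomains.set(this, value);
  }
}

// Capture the genuine accessor once, before any page script could shadow it.
const trustedGetDomain =
  Object.getOwnPropertyDescriptor(FakeDocument.prototype, "domain").get;

// What a library that simply reads the property sees.
function naiveDomain(doc) {
  return doc.domain;
}

// Read through the captured prototype getter: own properties and prototype
// swaps on `doc` are ignored because the getter keys on the brand, not the chain.
function realDomain(doc) {
  return trustedGetDomain.call(doc);
}

// Cheap integrity check: has `domain` been shadowed or the prototype replaced?
function isSpoofed(doc) {
  return (
    Object.prototype.hasOwnProperty.call(doc, "domain") ||
    Object.getPrototypeOf(doc) !== FakeDocument.prototype
  );
}

// Technique 1 from the post: define a getter on the instance.
function spoofWithGetter(doc, fake) {
  doc.__defineGetter__("domain", function () { return fake; });
  return doc;
}

// Technique 2 from the post: swap the prototype, then assign a plain property.
function spoofWithPrototype(doc, fake) {
  doc.__proto__ = String.__proto__;   // Function.prototype: no DOM accessors on it
  doc.prototype = String.__proto__;   // own 'prototype' property; no effect on lookup
  doc.domain = fake;                  // no inherited setter, so this becomes an own data property
  return doc;
}

// Run both spoofs against fresh documents and report what each reader sees.
function demo() {
  const results = {};
  const clean = new FakeDocument("www.thespanner.co.uk");
  results.clean = { naive: naiveDomain(clean), real: realDomain(clean), spoofed: isSpoofed(clean) };
  for (const [name, spoof] of [["getter", spoofWithGetter], ["prototype", spoofWithPrototype]]) {
    const doc = spoof(new FakeDocument("www.thespanner.co.uk"), "www.google.co.uk");
    results[name] = { naive: naiveDomain(doc), real: realDomain(doc), spoofed: isSpoofed(doc) };
  }
  return results;
}

console.log(demo());
```

Both spoofs change what `naiveDomain` returns, while `realDomain` still reports the trusted value and `isSpoofed` flags both documents. The caveat a practitioner should keep in mind: this only protects other scripts in the same page from an accidental or sloppy override, not from a hostile one, since a script that runs first can just as easily replace `Object.getOwnPropertyDescriptor` or `Function.prototype.call`. The browser’s own origin decisions are made on the native value, which none of this touches.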




Comments (13)

Nice. Have you tried to play with location.history? If you could spoof that and define a getter this issue could have a really big impact.
Posted 14 Nov 2007 at 12:43 pm

document.location.history = String.__proto__;
Posted 14 Nov 2007 at 1:33 pm

document.location.history.back = function() {
alert(1);
}
document.location.history.back();
history.__proto__ = String.__proto__;
Posted 14 Nov 2007 at 1:37 pm

history.back = function() {
alert('Spoofed');
}
history.back();
Holy Crap… that’s really bad. Awesome find!
Posted 14 Nov 2007 at 5:37 pm

When you post code, is there a way to word wrap it at the size of your blog article column width? Things often extend off the right side where they’re unreadable.
Posted 14 Nov 2007 at 6:08 pm

Yeah, point taken Thorin, I’ve wrapped the code in the article. If I can be bothered I’ll fix the CSS.
Posted 14 Nov 2007 at 6:27 pm

Sorry, I didn’t mean to make more work for you. I was hoping there’d be an easy fix for it. (It’s not like yours is the only blog with this issue.)
Both of these have the same problem:
http://myappsecurity.blogspot.com/
http://blogs.msdn.com/hackers/archive/2007/11/12/first-line-of-defense-for-web-applications-part-4.aspx
Posted 14 Nov 2007 at 8:14 pm

It’s ok, I know how to fix it; it’s the template I’ve used, but I prefer hacking Firefox to fixing CSS.
Posted 14 Nov 2007 at 8:22 pm

Overwriting the getter/setter for the location object was fixed in 2002. Based on the bug discussion I’m not surprised they didn’t get around to protecting other objects.
https://bugzilla.mozilla.org/show_bug.cgi?id=143369
Posted 14 Nov 2007 at 10:15 pm

The reason this is not an issue is because Firefox has 2 window objects, an internal window and an external window. The external window is modifiable and the internal window is not, so when you modify document.domain by rewriting prototypes and stuff at the external window, the internal window won’t be changed.
Greetz!!
Posted 15 Nov 2007 at 1:56 am

Same origin policy might not be affected, but it’s still an issue because you can spoof any object for that session. I’ve already released a DOS attack based on these issues:
http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/
Posted 15 Nov 2007 at 9:20 am

Ah yeah, I was talking about S.O.P., but other things can still be an issue, like exploiting some addons, or DoS attacks, or I dunno hehe.
Posted 15 Nov 2007 at 12:50 pm

DOS is fun
WebFu self defence
Posted 15 Nov 2007 at 1:19 pm