Spoofing Firefox protected objects

I’ve been hacking Firefox in my spare time and I thought that it had adequate protection against spoofing properties like document.domain. I was wrong :) This could turn into a browser exploit in future if the spoofed objects are accepted by Firefox internally (I don’t think they are, but you never know ;) ).

There are two ways of spoofing document.domain: 1) you can define a getter on the document object that overrides the call to document.domain, and 2) you can overwrite the prototype.

Here’s how it works:-

1)

document.__defineGetter__("domain", function() {
  return 'www.google.co.uk';
});
alert(document.domain); // returns www.google.co.uk

2)

document.__proto__ = String.__proto__;
document.prototype = String.__proto__;
document.domain = 'www.google.co.uk';
alert(document.domain); // returns www.google.co.uk

The first technique allows you to spoof nearly everything apart from the location object. I think the location object has some extra security checks, and I’m currently investigating spoofing that as well.
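The two techniques above, modelled in plain JavaScript (an added example, not code from the original post), together with the check a defensive script can use to tell a tampered object from a genuine one. It assumes a stand-in FakeDocument class whose prototype exposes "domain" through a getter, the way the real DOM object does; Node has no document, so this runs anywhere.

```javascript
// Added example: model of the getter and prototype spoofs from the post,
// plus a detection check. FakeDocument is an assumed stand-in for Firefox's
// document object (assumption: "domain" lives on the prototype as a getter).
class FakeDocument {
  constructor(realDomain) { this._realDomain = realDomain; }
  get domain() { return this._realDomain; }
}

// Capture the pristine prototype and accessor before any page script runs.
const PRISTINE_PROTO = FakeDocument.prototype;
const PRISTINE_DESC = Object.getOwnPropertyDescriptor(PRISTINE_PROTO, 'domain');

// Technique 1 from the post: shadow the inherited getter with an own getter.
function spoofWithGetter(doc, fakeDomain) {
  doc.__defineGetter__('domain', function () { return fakeDomain; });
  return doc;
}

// Technique 2 from the post: swap the prototype chain so the inherited
// accessor is gone, then assign a plain data property.
function spoofWithProto(doc, fakeDomain) {
  Object.setPrototypeOf(doc, String.prototype); // the post assigns __proto__
  doc.domain = fakeDomain;
  return doc;
}

// Defensive check: a genuine object inherits "domain" from the pristine
// prototype and carries no own property of that name. Either deviation
// means the object was tampered with by one of the techniques above.
function isSpoofed(doc) {
  return Object.prototype.hasOwnProperty.call(doc, 'domain')
      || Object.getPrototypeOf(doc) !== PRISTINE_PROTO;
}

// Read through the accessor captured at startup: this bypasses the own
// getter from technique 1 and ignores the data property from technique 2,
// because the original getter only consults the backing field.
function trustedDomain(doc) {
  return PRISTINE_DESC.get.call(doc);
}
```

In a real page the capture step only helps if the defensive script runs before any other script on that page; as the comment from DaCat below notes, Firefox's internal copy of the window is what the same-origin checks consult, so these spoofs fool scripts, not the browser.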

13 Responses to “Spoofing Firefox protected objects”

  1. .mario writes:

    Nice. Have you tried to play with location.history? If you could spoof that and define a getter this issue could have real big impact.

  2. Gareth Heyes writes:

    document.location.history = String.__proto__;
    document.location.history.back = function() {
      alert(1);
    };
    document.location.history.back();

  3. Gareth Heyes writes:

    history.__proto__ = String.__proto__;
    history.back = function() {
      alert('Spoofed');
    };
    history.back();

  4. Nathan McFeters writes:

    Holy Crap… that’s really bad. Awesome find!

  5. thorin writes:

    When you post code is there a way to word wrap it @ the size of your blog article column width. Things often extend off the right side where they’re unreadable.

  6. Gareth Heyes writes:

    Yeah point taken Thorin, I’ve wrapped the code in the article. If I can be bothered I’ll fix the css.

  7. thorin writes:

    Sorry I didn’t mean to make more work for you. I was hoping there’d be an easy fix for it. (It’s not like yours is the only blog with this issue).

    Both of these have the same problem:
    http://myappsecurity.blogspot.com/
    http://blogs.msdn.com/hackers/archive/2007/11/12/first-line-of-defense-for-web-applications-part-4.aspx

  8. Gareth Heyes writes:

    It’s ok I know how to fix it, it’s the template I’ve used but I prefer hacking Firefox than fixing CSS :)

  9. Brandon Eisenmann writes:

    Overwriting the getter/setter for the location object was fixed in 2002. Based on the bug discussion I’m not surprised they didn’t get around to protecting other objects.

    https://bugzilla.mozilla.org/show_bug.cgi?id=143369

  10. 排 尾 DaCat writes:

    The reason this is not an issue is because Firefox has 2 window objects, an internal window and an external window. The external window is modifiable, and the internal window is not, so when you modify document.domain by rewriting prototypes and stuff at the external window, the internal window won't be changed.

    Greetz!!

  11. Gareth Heyes writes:

    Same origin policy might not be affected but it’s still an issue because you can spoof any object for that session. I’ve already released a DOS attack based on these issues:-
    http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/

  12. 排 尾 DaCat writes:

    Ah yeah, I was talking about S.O.P. but other things can still be an issue.. like exploiting some addons, or DoS attacks, or I dunno hehe :P

  13. Gareth Heyes writes:

    DOS is fun :D WebFu self defence ;)