Closed Bug 1350951 Opened 9 years ago Closed 9 years ago

UXSS through Bookmark + Spoofing

Categories

(Firefox :: Bookmarks & History, defect)

50 Branch
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: anasmahmood999, Unassigned)

Details

Attachments

(1 file)

Attached video m.f.avi
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507
Firefox for Android

Steps to reproduce:

VULNERABILITY DETAILS

Firefox "Edit Bookmark" dialogue window strips the opening "http://" from the URL field, if it exists. If the URI also contains user (auth) information, then saving the bookmark will change the URI scheme of the bookmark. This bug can be exploited to introduce XSS into the currently open page whenever the bookmark is clicked.

VERSION

Firefox Version: 52 (all + latest)
Operating System: Windows 7

1. The victim clicks on a specially crafted link whose URL contains malicious javascript disguised as user (auth) information:

<a href='http://javascript:eval(atob("YWxlcnQoIlhTUyIp"))-"@example.com"'>Click Me!</a>

2. The browser loads the page at example.com. The victim's URL bar only displays the (innocuous looking) text: example.com"

3. The user, in an attempt to bookmark the page, performs the following actions:
   a. Click the star icon in the above header.
   b. Click "Done"

4. If the user then clicks on the bookmark, the injected javascript from Step 1 will be executed in the context of whichever domain is currently loaded in the active tab.

Actual results:

The URL bar only displays "example.com", but the browser bookmarked the payload http://javascript:eval(atob("YWxlcnQoIlhTUyIp"))-"@example.com

Expected results:

If we manually visit example.com and bookmark this URL, the browser bookmarks the link example.com. If the URL bar displays example.com, the browser should bookmark the domain "example.com".
Expected results: If we manually visit example.com and bookmark this URL, the browser bookmarks the link example.com. If we visit through this method by clicking this link, the browser bookmarks the payload. If the URL bar displays example.com, the browser should bookmark the domain "example.com".
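The parsing claim at the heart of the report, as an added illustration that is not part of the bug or of Firefox code: the crafted href parses with host example.com, but the same text minus its leading "http://" re-parses with a javascript: scheme, and a save routine can reject that drift by comparing scheme and host against the loaded page. The helper names and the scheme-prepending fixup rule are assumptions; whether the Edit Bookmark field actually round-trips this way is what the triage replies dispute.

```javascript
// What the report says the Edit Bookmark field shows: the URL minus "http://".
function stripHttpPrefix(text) {
  return text.replace(/^http:\/\//i, "");
}

// Assumed re-interpretation of the edited field (not Firefox's real fixup):
// parse as-is if the text already has a scheme, otherwise treat it as a bare
// host/path and prepend http://.
function fixup(text) {
  try {
    return new URL(text);
  } catch (e) {
    try {
      return new URL("http://" + text);
    } catch (e2) {
      return null;
    }
  }
}

// Defensive save check: the edited value must keep the original scheme and
// host. Returns the href to store, or null when the edit should be rejected.
function safeBookmarkHref(originalHref, editedText) {
  const original = new URL(originalHref);
  const edited = fixup(editedText);
  if (edited === null) return null;
  if (edited.protocol !== original.protocol || edited.host !== original.host) {
    return null; // scheme or host drifted, e.g. http: became javascript:
  }
  return edited.href;
}

// True when the strip-then-fixup round trip lands on a different scheme.
function schemeChangesAfterStrip(href) {
  const before = new URL(href);
  const after = fixup(stripHttpPrefix(href));
  return after === null || after.protocol !== before.protocol;
}

// The report's own crafted link: userinfo "javascript:..." in front of the host.
const craftedHref = 'http://javascript:eval(atob("YWxlcnQoIlhTUyIp"))-"@example.com';
```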
(In reply to Anas Mahmood from comment #0)
> Created attachment 8851628 [details]
> m.f.avi
>
> User Agent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
> Build ID: 20161208153507
> Firefox for Android
>
> Steps to reproduce:
>
> VULNERABILITY DETAILS
>
> Firefox "Edit Bookmark" dialogue window strips the opening "http://" from
> the URL field, if it exists. If the URI also contains user (auth)
> information, then saving the bookmark will change the URI scheme of the
> bookmark. This bug can be exploited to introduce XSS into the currently
> open page whenever the bookmark is clicked.
>
> VERSION
>
> Firefox Version: 52(all+latest)
> Operating System: Windows 7
>
> 1. The victim clicks on a specially crafted link whose URL contains
> malicious javascript disguised as user (auth) information:
>
> <a href='http://javascript:eval(atob("YWxlcnQoIlhTUyIp"))-"@example.com"'>Click Me!</a>

This doesn't work as-is. Clicking a link like this in a simple HTML page does nothing. Are the quotes wrong? Can you attach the test page you're using?
Flags: needinfo?(anasmahmood999)
<a href='http://javascript:eval(atob("YWxlcnQoIlhTUyIp"))-"@example.com'>Click Me!</a>
Flags: needinfo?(anasmahmood999)
(In reply to Anas Mahmood from comment #3)
> <a href='http://javascript:eval(atob("YWxlcnQoIlhTUyIp"))-"@example.com'>Click Me!</a>

When I use this and follow the steps, I get a bookmark that consistently takes me to example.com. I also get a warning dialog when clicking the link that I will "log in with the username javascript" on example.com, and to only proceed if I'm sure that's what I want.

In your screencast, there's also still "http://" in front of the bookmark when inspecting its properties, and you don't show the results from comment #0. Please clarify.
Flags: needinfo?(anasmahmood999)
Component: Untriaged → Bookmarks & History
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(anasmahmood999)
Resolution: --- → INVALID
Group: firefox-core-security