Closed Bug 1578821 Opened 5 years ago Closed 5 years ago

Improper javascript URL search leads to XSS

Categories

(Firefox for iOS :: General, defect)

Other
iOS
defect
Not set
normal

Tracking


RESOLVED WONTFIX

People

(Reporter: nikhil.mittal641, Unassigned, NeedInfo)

Details

(Keywords: csectype-spoof, sec-low)

Attachments

(1 file)

Attached file exploit.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Steps to reproduce:

  1. Set up the attached exploit.html on a server
  2. Open exploit.html in any browser
  3. Select the text javascript:alert(1) and search it using Firefox iOS as shown in the video POC
  4. User will be XSSed on the blank page

Video POC: https://drive.google.com/open?id=1XzwS1qtrCK8ZjpQc-N4f81OABpM_h_XB

Actual results:

XSS on the blank page, which can allow accessing information from other pages, and can also be used to trick the victim to navigate to any malicious domain.

Expected results:

Most browsers replace the javascript keyword while searching or pasting. In this case, Mozilla should search the selected string on the default search engine instead of treating it as a javascript URI.

Not wonderful, but if it's always on a blank page it's actually harmless. Still, we should not accept "javascript" links from external apps. In fact we should ONLY accept http: and https: links, nothing else.

Status: UNCONFIRMED → NEW
Ever confirmed: true
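The scheme allowlist the comment above asks for, written here as an added Python example (not Firefox iOS code, which is Swift): text arriving from outside the browser is navigated to only when its scheme is http or https, and everything else, including javascript: in mixed case or with an embedded tab, is handed to the default search engine as the reporter expected. Assumption: bare text with no scheme at all is also sent to search.

```python
import re
from urllib.parse import urlsplit

# Only these schemes may be navigated to when the text comes from outside the
# browser (shared text, selected text sent to search, links from other apps).
ALLOWED_SCHEMES = frozenset({"http", "https"})

# A URL scheme is ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize(text: str) -> str:
    """Mirror what a URL parser does before it sees the scheme: drop leading and
    trailing C0 controls and spaces, then drop ASCII tab and newline anywhere.
    Without this, "java\\tscript:alert(1)" would pass a naive prefix check and
    still be parsed as a javascript: URL further down the pipeline."""
    text = text.strip(" " + "".join(chr(c) for c in range(0x20)))
    return text.replace("\t", "").replace("\n", "").replace("\r", "")


def route_external_text(text: str) -> tuple[str, str]:
    """Return ("navigate", url) only for http/https URLs with a host.
    Everything else (javascript:, data:, file:, plain words, malformed
    http(s)) becomes ("search", original_text) for the default search engine."""
    candidate = normalize(text)
    m = _SCHEME_RE.match(candidate)
    if m and m.group(1).lower() in ALLOWED_SCHEMES:
        parts = urlsplit(candidate)
        if parts.netloc:  # reject "https:" or "http:///path" with no host
            return ("navigate", candidate)
    # Disallowed or missing scheme: never navigate, search the selection instead.
    return ("search", text.strip())


if __name__ == "__main__":
    # Constructed sample inputs, including the reporter's javascript:alert(1).
    for sample in ("javascript:alert(1)", " java\tscript:alert(1)\n",
                   "HTTPS://example.com/?q=1", "data:text/html,x", "https:"):
        print(repr(sample), "->", route_external_text(sample))
```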

Hi Dan, yes it's on a blank page, but still, using this bug you can trick users into navigating to any other pages and similar possible attacks, which itself creates a lot of new attack surface.

Flags: sec-bounty?
Group: mobile-core-security

The priority flag is not set for this bug.
:farhan, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(fpatel)

javascript URLs are disabled as of v20.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Flags: sec-bounty? → sec-bounty-
