Drag and drop of JavaScript payload to the Bookmark bar incompletely blocked leads to XSS attack
Product / Component: Firefox :: Bookmarks & History (defect)
Reporter: junaidfarhan835; Assignee: Unassigned
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Steps to reproduce:
1. Go to www.google.com
2. Drag the payload javascript:alert(document.cookie) onto the bookmark bar. Instead of going to search, the browser will execute a popup alert box, which leads to bypassing the browser's security for an XSS attack.
3. I have tried the dragging technique with several JavaScript payloads, and all of them execute the vulnerability.
I have uploaded a POC of this vulnerability.
Actual results:
While working on Firefox version 102.0.1 (32-bit), I found that dragging anything or any URL onto the bookmark bar saves it by default to the bookmark history, to access our web history, but dragging a JavaScript payload executes the XSS attack.
Expected results:
Here is the POC of the full attack scenario with script.
An attack working on the main domain of the victim can cause successful XSS JavaScript payload execution.
Comment 1 • Reporter • 3 years ago

Comment 2 • 3 years ago
Dragging to the toolbar is opening the bookmarks dialog SHOWING the javascript url and then you must confirm the operation.
This is already intended as a stop-gap.
The long-term plan is to add a visible warning below the location field when it contains a javascript URL, so I think this is a dupe of bug 371923.
Reporter, is there any additional concern you would like to point out, apart from being able to add a bookmarklet and then click on it?
Comment 3 • Reporter • 3 years ago
Hey Marco, thanks for the reply.
I understand there is a stop-gap before saving a bookmark, but it can still be categorised as a self-XSS attack,
because the attack executes in the victim's browser. The possibility of a successful XSS execution is quite high.
Comment 4 • Reporter • 3 years ago
Bug 371923 is about adding a URL,
but my report is about dragging JavaScript to the bookmark bar.
Comment 5 • 3 years ago
Yes, bug 371923 is our intended long-term mitigation. Dragging has already been analyzed in bug 1725487, and we think the current stop-gap is sufficient, even if implementing bug 371923 as well would be better. If you look at the duplicates list in bug 371923 (some may be hidden, though), there are many about potential XSS, also from dragging a link to the bookmarks toolbar or another bookmarks view.
Comment 6 • Reporter • 3 years ago
Thanks, but I read all the reports you mentioned there.
None of them actually shows a POC of exploiting the bug present here.
See my POC again.
Comment 7 • 3 years ago
Bug 1668777, which you can't access, is pretty much the same, as is bug 1320447, which is also about dragging a bookmarklet to the toolbar and executing it. The only difference is that now we also open the dialog, making those problems less serious by showing the bookmark URL.
Comment 8 • Reporter • 3 years ago
What result can I expect after the report?
Are you guys going to fix it or not? Maybe it requires some additional feature, like not executing any JavaScript code in the bookmark bar.
Comment 9 • 3 years ago
Engineering thinks the current stop-gap of showing the bookmark dialog is sufficient for now, but we would still like to fix bug 371923, so that a more visible warning is provided every time. That bug is blocked on UX.
We don't plan to disable executing javascript, because it's handy for developers and advanced users.
We'll wait for sec-audit anyway, but I suspect this will just end up being resolved as a duplicate.
Comment 10 • 3 years ago
The security team agrees this is a duplicate of many reports, and ultimately depends on a solution like bug 371923. The confirmation we added in bug 1725487 was not intended to prevent adding javascript bookmarklets, so it can't be said to "incompletely block" doing so. It was intended to prevent people from being tricked into dragging a bookmarklet without realizing that's what was going on. We know the UI is not quite what we'd like, which is what bug 371923 is about.
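The mitigation discussed in comments 2, 9 and 10 (a bookmark dialog or a location-field warning that recognises a javascript: URL) hinges on one detail: the check has to see the URL the way the browser's URL parser will, not the way the user typed it. The example below is added here and is not Firefox code or part of the reporter's POC. It follows the WHATWG URL Standard's first parsing steps (trim leading and trailing C0 controls and spaces, drop ASCII tab/newline anywhere, read the scheme case-insensitively) and contrasts that with a naive `startsWith("javascript:")` test. The function names and the sample inputs are this example's own assumptions, not anything from the bug.

```javascript
// Added example, not Firefox code: classify a string a user might drag or
// type into a bookmark dialog, so that a javascript: bookmarklet is
// recognised however it is spelled.  Function names and samples are assumed.

// Schemes whose "navigation" runs script in the current page's context.
const SCRIPT_SCHEMES = new Set(["javascript"]);

// Naive check: what a quick patch might do.  It misses case changes,
// leading whitespace and embedded tab/newline, all of which the URL parser
// strips before it looks at the scheme.
function naiveIsScriptUrl(input) {
  return String(input).startsWith("javascript:");
}

// Scheme extraction modelled on the WHATWG "basic URL parser" preamble:
//   1. remove leading and trailing C0 control or space (U+0000 .. U+0020)
//   2. remove every ASCII tab or newline (U+0009, U+000A, U+000D)
//   3. scheme = ASCII alpha, then alphanumerics / '+' / '-' / '.', then ':'
// Returns the lower-cased scheme, or null if the input has no scheme.
function extractScheme(input) {
  let s = String(input).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\t\n\r]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Robust check: normalise first, then compare the scheme.
function isScriptUrl(input) {
  const scheme = extractScheme(input);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Constructed sample inputs (not from the bug report), covering the plain
// case, the usual spelling tricks, and non-script URLs that must not match.
const SAMPLES = [
  "javascript:alert(document.cookie)",
  "  JavaScript:alert(1)",
  "java\nscript:alert(1)",
  "\tjavascript:void(0)",
  "https://www.google.com/",
  "javascript.example.com", // bare hostname, no scheme
  "data:text/html,<b>not script scheme here</b>",
];

// Compare both checks over the samples; returns one record per input.
function classifyAll(list) {
  return list.map((u) => ({
    input: u,
    scheme: extractScheme(u),
    naive: naiveIsScriptUrl(u),
    robust: isScriptUrl(u),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of classifyAll(SAMPLES)) console.log(JSON.stringify(r));
}
```

The same normalisation is what Node's and the browser's `URL` constructor applies, so `new URL("java\nscript:alert(1)").protocol` also yields `"javascript:"`; a warning that only matches the literal prefix would stay silent on exactly the inputs an attacker would choose, while the dialog-based stop-gap from bug 1725487 shows the stored URL regardless of spelling.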