Safe Browsing flagged site allows javascript execution including redirect prior to displaying warning

13 years ago
5 years ago

(Reporter: biguglyguy, Unassigned)

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060526 BonEcho/2.0a3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060526 BonEcho/2.0a3

A page which is in the Safe Browsing blacklist is able to run javascript and redirect the window to another URL (one not in the blacklist) before the warning is displayed. If the redirect happens in this time no warning is displayed.

Reproducible: Always

Steps to Reproduce:
1. Add a local URL to the Safe Browsing blacklist database (http://mydevserver/fish.htm)
2. Create a sample page at that location.
3. Navigate to that URL to verify that the warning appears.
4. Modify the page to redirect to a different URL (via window.location).
5. Navigate to that URL again to verify that no warning appears.

Sample page (the redirect target in the original attachment is blank; the script tags were lost in extraction and are restored here):

```html
<html>
<body>
Fake phishing page.
<script>
// Redirect immediately, before the Safe Browsing warning is shown.
// The target URL is empty in the original report and is left as-is.
window.location = "";
</script>
</body>
</html>
```

Actual Results:  
No warning is displayed if the page on the blacklist redirects to another URL immediately.

Expected Results:  
A page on the blacklist should not be able to silently redirect you to another URL to avoid the phishing warning. It probably shouldn't be allowed to run any javascript at all, but it definitely shouldn't be able to redirect.

Obviously this is a problem because a scam site could use one entry point URL (that goes on the blacklist) which simply redirects every user to a random URL which contains the scam content. Since there doesn't seem to be any wildcard facility in the blacklist (I could be wrong there) it wouldn't be possible to block every possible url on that server.
Comment 1

It's possible to use regular expressions for blacklist/whitelist URLs.  This is the enchash style table found in toolkit/components/url-classifier/content/trtable.js.  This is being used in the Google Toolbar, but not yet in Firefox because of licensing issues.

But the general logic is that the keys are encrypted using the domain of the site and the values are any number of regular expressions to apply to any matching domain.
Last Resolved: 13 years ago
Resolution: --- → INVALID

Comment 2

13 years ago
Ok, point taken about the wildcards, but the lack of such a feature is only an exacerbating factor.

The real bug is that blacklisted pages are able to run javascript and redirect to other pages before any warning is given. Even with the ability to block by regular expression it's still a problem.
Resolution: INVALID → ---

Comment 3

Can you elaborate on why running JS or redirecting is a problem?  I don't see the problem if the final page is flagged as phishing.

Comment 4

13 years ago
Allowing javascript redirects from a blacklisted site gives the attacker the ability to keep changing the ultimate URL which serves the content to make sure it isn't on the blacklist.

If the scam email (for example) points people to http://mydevserver/fish.htm, then this URL could be added to the blacklist. The scammers could then change fish.htm to redirect to haddock.htm, which could be responded to by adding all of http://mydevserver/* to the blacklist.

But even then the attacker could change fish.htm again to redirect people to http://someotherserver/fish.htm. They would always be able to keep changing the URL of the eventual page to make sure it wasn't on the blacklist, but keep the same entry point at http://mydevserver/fish.htm. Given that attackers get access to the blacklist at the same time as everyone else, they could easily make sure that the page was almost always not blacklisted (provided they have enough URLs to use, which they usually do).

Possibly this should be classified as a feature request rather than a bug, but if a page has a warning before it is shown, then it should also have a warning before it redirects you to somewhere else.

Is a site on the blacklist EVER going to redirect you somewhere that isn't bad?
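A toy model of the two behaviours argued over in this thread: the reported check-after-load behaviour, where the page's script runs and redirects before the blacklist lookup fires, and the check-before-any-script behaviour comment 4 asks for. It also models the host-keyed regular-expression table comment 1 describes, so the "add all of http://mydevserver/*" response and the move to another server can both be traced. This is an added example written for this page, not Firefox's Safe Browsing code; the host names, the `navigate` and `isBlacklisted` functions, the policy names and the page tables are all constructed assumptions.

```javascript
// Added example, not Firefox or Safe Browsing code. A blacklist table maps a
// host name to regular expressions applied to URLs on that host (the
// enchash-style layout from comment 1). A visit is modelled as a chain: the
// entry URL plus whatever script-driven redirects it issues. All hosts, URLs
// and page contents below are constructed sample values.

// Exact-URL table, matching the entry point from the steps to reproduce.
const exactTable = {
  "mydevserver": [/^http:\/\/mydevserver\/fish\.htm$/],
};

// Wildcard table, the "add all of http://mydevserver/*" response from comment 4.
const wildcardTable = {
  "mydevserver": [/^http:\/\/mydevserver\/.*$/],
};

// Look up the host, then test every regex registered for it against the URL.
function isBlacklisted(url, table) {
  const host = new URL(url).hostname;
  return (table[host] || []).some((re) => re.test(url));
}

// pages maps a URL to the URL its inline script redirects to (absent = no
// redirect). policy is "warnAfterLoad" (the reported behaviour: the page runs
// first, so only the URL left on screen is ever checked) or "warnBeforeLoad"
// (every URL in the chain is checked before its script is allowed to run).
// Returns whether a warning fired, where, and the full navigation chain.
function navigate(entryUrl, pages, table, policy) {
  const chain = [entryUrl];
  let current = entryUrl;
  while (true) {
    if (policy === "warnBeforeLoad" && isBlacklisted(current, table)) {
      return { warned: true, at: current, chain };
    }
    // The page loads and its script runs; a redirect replaces the location.
    const next = pages[current];
    if (next === undefined || chain.length >= 10) break;
    current = next;
    chain.push(current);
  }
  // warnAfterLoad: the lookup completes once the chain has settled, so only
  // the final URL is tested. (For warnBeforeLoad this re-check is redundant.)
  return { warned: isBlacklisted(current, table), at: current, chain };
}

// Constructed scenarios from the thread.
const entry = "http://mydevserver/fish.htm";
const noRedirect = {};                                            // step 3
const sameHost = { [entry]: "http://mydevserver/haddock.htm" };   // comment 4, first move
const otherHost = { [entry]: "http://someotherserver/fish.htm" }; // comment 4, second move

for (const [label, pages] of [["no redirect", noRedirect], ["same host", sameHost], ["other host", otherHost]]) {
  for (const policy of ["warnAfterLoad", "warnBeforeLoad"]) {
    const r = navigate(entry, pages, wildcardTable, policy);
    console.log(`${label.padEnd(12)} ${policy.padEnd(15)} warned=${r.warned} at=${r.at}`);
  }
}
```

Running the block shows the point of comment 4: with the reported check-after-load behaviour the wildcard entry catches the same-host redirect but not the move to another server, while checking the entry URL before any of its script runs warns in every case, because the entry point is the one URL the attacker cannot change without re-sending the lure.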

Comment 5

13 years ago
After reading some more on this feature, it seems pretty clear that the javascript redirection would constitute an Active Adversary and thus explicitly is not covered according to the design documents for the Safe Browsing feature.

This bug should probably be closed and the discussion moved to that wiki.


13 years ago
Last Resolved: 13 years ago
Resolution: --- → INVALID
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit