Firefox Cross Context Scripting

2010.04.30
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

For the last year, we have been focusing on Firefox Extension security and we have now released a research paper and an addendum on the topic of Cross Context Scripting (XCS).

The research paper "Cross Context Scripting with Firefox" demonstrates different ways of attacking Firefox extensions via Cross Context Scripting (XCS) vulnerabilities. Several XCS cases are detailed, including vulnerable extension code and exploit.

Cross Context Scripting with Firefox - Roberto Suggi Liverani
Link: http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf

The addendum "Exploiting Cross Context Scripting vulnerabilities in Firefox" includes a number of exploits tailored for Cross Context Scripting vulnerabilities.

Exploiting Cross Context Scripting vulnerabilities in Firefox - Nick Freeman, Roberto Suggi Liverani
Link: http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf

+--------+
|Abstract|
+--------+

Cross Context Scripting (XCS) is a term coined for a browser based content injection in the Firefox chrome zone. This term was originally used by researcher Petko D. Petkov (pdp), when David Kierznowski found a vulnerability in the Sage RSS Reader Firefox extension. XCS injection occurs between different security zones, an untrusted and a trusted zone.

This paper details several XCS cases. XCS attacks may be possible due to a lack of input filtering controls, for example. However, other components may be vulnerable as well, including wrappers, XPCOM components, XUL overlays, the browser sandbox and DOM events.

This paper can be seen as complementary to the presentations given at EUSecWest 2009, DEFCON 17 and SecurityByte & OWASP AppSec Asia 2009 security conferences.

+----------------+
|Acknowledgements|
+----------------+

Special thanks go to Paul Craig, kuza55 and Stefano Di Paola for their invaluable feedback.

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom.

--
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com

References:

http://www.securityfocus.com/archive/1/archive/1/510883/100/0/threaded
http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf
http://wizzrss.blat.co.za/2009/11/17/so-much-for-nsiscriptableunescapehtmlparsefragment/

