Figure 7. Wikipedia toolbar code.

    script = window._content.document.getElementsByTagName("script")[0].innerHTML;
    eval(script);

Attacks on extensions with previously unknown vulnerabilities.
Wikipedia toolbar, up to version 0.5.9: If a user visits a Web page with the directory display attack script in its <head> tag, and clicks on one of the Wikipedia toolbar buttons (unwatch, purge, etc.), the script executes in the chrome context. The attack works because the extension has the code given in Figure 7 in its toolbar.js file. The first line gets the first <script> element from the Web page and executes it using eval. The extension developer assumes the user only clicks the buttons when a Wikipedia page is open, in which case the <script> may not be malicious. But the user might be fooled by a malicious Wikipedia spoof page, or accidentally press the button on some other page. Vex led us to this previously unknown attack, which we reported to the developers, who acknowledged it, patched it, and released a new version. This resulted in a new CVE vulnerability (CVE-2009-4127). The fix involved inserting a conditional in the program to check if the URL of the page is in Wikipedia's domain and evaluating the script only if this is true.
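An added example, not the toolbar's own code, that models the Figure 7 handler with the domain check the fix introduced; the function names, the trusted-domain list and the stand-in content documents are assumptions:

```javascript
// Added example (not the Wikipedia toolbar's code): the Figure 7 pattern
// gated by the domain check described in the text. Names are assumed.

// Hosts treated as trusted sources for the page's first <script>. Assumption:
// the fix used Wikipedia's domain; the exact list is not given on the page.
const TRUSTED_SUFFIXES = ["wikipedia.org"];

// True only when the page URL parses, is http(s), and its hostname is the
// trusted domain or a subdomain of it. This is an exact suffix match on the
// parsed hostname, not a substring search over the whole URL string.
function isTrustedPage(pageUrl) {
  let url;
  try { url = new URL(pageUrl); } catch (e) { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  const host = url.hostname.toLowerCase();
  return TRUSTED_SUFFIXES.some(d => host === d || host.endsWith("." + d));
}

// Model of the toolbar button handler. `pageDoc` stands in for
// window._content.document; only its URL and first <script> text are used.
// Returns the text the original code would have passed to eval, or null when
// the check refuses to run it (the caller never reaches eval in that case).
function scriptToRun(pageDoc) {
  if (!isTrustedPage(pageDoc.URL)) return null;
  const scripts = pageDoc.getElementsByTagName("script");
  return scripts.length ? scripts[0].innerHTML : null;
}

// Constructed stand-ins for two content documents (not real pages).
const wikipediaDoc = {
  URL: "https://en.wikipedia.org/wiki/Special:Watchlist",
  getElementsByTagName: () => [{ innerHTML: "var wgPageName = 'Special:Watchlist';" }],
};
const spoofDoc = {
  URL: "https://en.wikipedia.org.example.net/wiki/Main_Page",
  getElementsByTagName: () => [{ innerHTML: "alert('page script')" }],
};
```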
Kaizou v-0.5.8: Kaizou is a Web development extension that allows users to open the source of any Web page in a separate window, modify the contents and render it again in the current window by pressing a button. However, this separate window has chrome privileges, and when the user saves the changes made to the page source, the scripts in the page are executed with chrome privileges. A malicious Web page can have an attack script, which could result in an attack when modified using Kaizou.
Mouse Gestures Redox v-2.0.3: The Mouse Gestures Redox extension allows users to create shortcuts for frequently used commands without using the keyboard, menus, or toolbars. The users can either create new gestures or download them from an online source. The new gestures are scripts, which are stored in the browser's preferences file. When the gestures are enabled, they are retrieved from the prefs.js file and sent as arguments to the eval() function, thereby activating the gestures. If any of the gestures downloaded from the internet contain attack scripts, they would be executed in the chrome context when eval is called.
5.4. Flows that do not result in attacks

Figure 8 gives several examples of the suspect flows that we manually analyzed and for which either trusted sources were assumed by the extension or we could not find attacks. The first set has extensions accessing values from Web sites or sources it trusts, and the values flow to eval or innerHTML. Of course, if the trusted sources are compromised, then the extensions may become vulnerable. The second set illustrates examples where the input was sanitized between the source and the sink. We do not know for sure that the sanitization is adequate, but we were unable to attack it. The third set of extensions had non-chrome sinks. The last set has two examples that show false positives where the flows reported by Vex do not exist in the code.
6. Related Work

Maffeis et al.[13] proposed a small-step operational semantics for JavaScript, using which they analyze security properties of Web applications. They also use their operational semantics for generating safe subsets of JavaScript and to manually prove that the so-called safe subsets of JavaScript are in fact vulnerable to certain attacks.[14] Our operational semantics follows their operational semantics, but works on an abstract heap. Guha et al.[9] propose an alternate operational semantics.

Louw et al.[12] highlight some of the potential security risks posed by browser extensions, and propose run time support for restricting the interactions between browsers and extensions. Our analysis technique is complementary to their
Figure 8. Extensions that could not be attacked.

Classification | Extension | Flow pattern | Explanation
--- | --- | --- | ---
Source is trusted Web site | World SMS v-2.2 | Unknown var to eval | The source is a Web site: http://worldsms.co.cc/json?get=info, which is hardcoded into the extension code.
Source is trusted Web site | Browser Backgrounds v-0.3.5 | nsIRDFService to innerHTML | The user installs background images from the Web site http://browserbackgrounds.com/
Sanitized input | Alphanumerator v-0.2 | Content Doc to innerHTML | The input string is converted to numbers, effectively sanitizing it.
Sanitized input | View Source Chart v-2.7 | Content Doc to innerHTML | Input HTML tags are sanitized into custom tags.
Non-chrome sinks | PageDiff v-1.3.0 | Content Doc to innerHTML | The display page has a chrome URL but is marked to be "content-type."
Non-existent flows | Link_Alert v-0.8.2.1 | Unknown var to eval | eval's argument is a packed and minified JavaScript string that VEX could not parse properly. VEX finds an unknown variable in this incorrectly parsed string.
Non-existent flows | SkipScreen v-0.1.09102009 | Unknown var to innerHTML | During the execution, the extension will never follow the branch that has the sink, as the conditional variable is never initialized in the program.