Open GoogleCodeExporter opened 8 years ago
The "Untrusted code" heuristic is intended to flag the inclusion of any
resources that are hosted outside the immediate origin or a pre-defined list of
safe origins
(https://code.google.com/p/domsnitch/wiki/ConfigFiles#safeOrigins). The basis
of this heuristic is to provide a signal if you're including resources from an
origin you're not supposed to. It does not evaluate whether an included
resource is insecure or not.
As for the sample above, the included script is not from DOM Snitch as the
extension itself uses inline JavaScript when it needs to pass JavaScript code
into the page itself (see
https://code.google.com/p/domsnitch/source/browse/trunk/glue/Loader.js#26).
Please confirm if other extensions are running and if they inject JavaScript
into the page by appending <script src=...> elements to the DOM tree.
Original comment by r...@r-n-d.org
on 19 Feb 2012 at 1:50
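The origin check described in the comment above, written out as an added JavaScript example; this is not DOM Snitch's own code. It assumes that `safeOrigins` is a list of full origin strings of the kind the wiki page refers to, adds a hypothetical `ignoreExtensionScripts` option to show how scripts appended by another browser extension (which load from a `chrome-extension://` URL rather than from the page's origin) can be told apart from genuinely off-origin includes, and the page URL, safe-origin list and script `src` values are constructed sample data.

```javascript
// Added example of an "untrusted code" origin heuristic. Not DOM Snitch code:
// the safeOrigins list, the ignoreExtensionScripts option and the sample data
// below are assumptions made for illustration.

// Resolve a script src against the page URL and return the origin it is
// hosted on, or null when the src cannot be parsed. A relative src resolves
// to the page's own origin.
function scriptOrigin(src, pageUrl) {
  let u;
  try {
    u = new URL(src, pageUrl);
  } catch (e) {
    return null;
  }
  // The WHATWG URL API reports the literal string "null" as the origin of
  // non-special schemes such as chrome-extension: or data:, so build a
  // comparable origin string from scheme and host by hand in that case.
  if (u.origin !== 'null') return u.origin;
  return u.host ? `${u.protocol}//${u.host}` : u.protocol;
}

// Classify every <script src=...> seen on the page. Inline scripts (src null)
// are skipped: the heuristic only asks where an included resource is hosted,
// not whether its code is safe.
function flagUntrustedScripts(pageUrl, safeOrigins, scriptSrcs, opts = {}) {
  const allowed = new Set([new URL(pageUrl).origin, ...safeOrigins]);
  const findings = [];
  for (const src of scriptSrcs) {
    if (src === null) continue; // inline <script> block
    const origin = scriptOrigin(src, pageUrl);
    if (origin === null) {
      findings.push({ src, origin: null, reason: 'unparseable-src' });
      continue;
    }
    if (allowed.has(origin)) continue;
    // Scripts injected by another extension come from that extension's own
    // origin. Assumed option: drop or label them so a reviewer can separate an
    // extension artifact from a resource the page really pulls off-origin.
    const fromExtension = origin.startsWith('chrome-extension://');
    if (fromExtension && opts.ignoreExtensionScripts) continue;
    findings.push({
      src,
      origin,
      reason: fromExtension ? 'browser-extension' : 'untrusted-origin',
    });
  }
  return findings;
}

// Constructed sample: a page on www.example.test with one whitelisted CDN,
// a script from an unrelated host and a script appended by an extension.
const SAMPLE_PAGE = 'https://www.example.test/page.html';
const SAMPLE_SAFE_ORIGINS = ['https://cdn.example.test'];
const SAMPLE_SCRIPT_SRCS = [
  '/static/app.js',                                   // same origin (relative)
  'https://cdn.example.test/lib.js',                  // in safeOrigins
  'https://evil.example.net/x.js',                    // off-origin include
  'chrome-extension://abcdefghijklmnop/inject.js',    // injected by an extension
  null,                                               // inline script
];

function runSample(opts = {}) {
  return flagUntrustedScripts(SAMPLE_PAGE, SAMPLE_SAFE_ORIGINS, SAMPLE_SCRIPT_SRCS, opts);
}

console.log(runSample());
console.log(runSample({ ignoreExtensionScripts: true }));
```

With the default options the sample reports both the `evil.example.net` script and the extension's `inject.js`; with `ignoreExtensionScripts` set only the off-origin include remains, which is the distinction a reviewer needs when a finding like the one in this issue turns out to come from another installed extension.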
The Untrusted code vulnerability report was caused by the "Skype Click to Call"
extension. The vulnerability isn't reported when "Skype Click to Call" is disabled.
Nevertheless, this report looks like a false positive. I think it makes sense to
place a note somewhere in the Wiki that Untrusted code may appear if other extensions
besides DOM Snitch are running.
Original comment by botalov....@gmail.com
on 21 Feb 2012 at 8:24
There is code checked into the repo that handles Chrome extensions
specifically. It will also show up in the next release.
As for documentation, there is an action item to show why a specific finding is
reported. It's a bit away, so stay tuned. :)
Original comment by r...@r-n-d.org
on 21 Feb 2012 at 8:43
Original issue reported on code.google.com by
botalov....@gmail.com
on 18 Feb 2012 at 6:58