ThomasArdal / gInfinity

gInfinity extends your favorite search engine Google with infinite scroll. Scroll down to the bottom of the search result and the following 20 search results are automatically added to the search result.

DOM Based XSS Vulnerability #6

Open juanschallibaum opened 6 years ago

juanschallibaum commented 6 years ago

I accidentally discovered a security flaw in your extension. When the TreeWalker object takes text from the page and adds it back to the DOM inside span innerHTML, if the text is a script, it is executed. A malicious user could steal cookies from google.com, redirect the user's browser to a malicious site, among other things. Proof:

[Screenshot: alert google]

Chrome with gInfinity: [screenshot] / Chrome without gInfinity: [screenshot]

As you can see, the <.svg onload=alert(1)> that appears in Google's indexed content is executed when I use your extension.

Vulnerable section of code:

chrome.runtime.sendMessage({ method: "getLocalStorage", key: "enable_links" }, function (response) {
    if (response.data == "true" && document.getElementById && document.createTreeWalker && typeof NodeFilter != "undefined") {
        // Walks every text node in the page, including text that originates from third-party search results.
        var tw = document.createTreeWalker(document.body, NodeFilter.SHOW_TEXT, null, false);
        var node;
        var rem = [];
        while (node = tw.nextNode()) {
            if (node.nodeValue.match(reg) && node.parentNode.tagName != 'A' && node.parentNode.tagName != 'TEXTAREA' && node.parentNode.tagName != 'STYLE' && node.parentNode.tagName != 'SCRIPT' && node.parentNode.tagName != 'META' && node.parentNode.tagName != 'NOSCRIPT' && node.parentNode.tagName != 'PRE') {
                var parentElem = node.parentNode;
                // Untrusted page text is turned into a raw HTML string...
                var val = node.nodeValue.replace(reg, '<a href="$1">$1</a>');
                var aNode = document.createElement("span");
                // ...and handed to the HTML parser via innerHTML, so any markup in the text becomes live DOM (the XSS sink).
                aNode.innerHTML = val;
                parentElem.insertBefore(aNode, node);
                rem.push(node);
                continue;
            }
        }
        for (i in rem) {
            rem[i].parentNode.removeChild(rem[i]);
        }
    }
});
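The fix the reporter's analysis points to is to never hand page text to the HTML parser: build the anchor with createElement, set its text with textContent and set href with setAttribute. The following is an added example, not gInfinity's code and not from the issue. Its URL matcher URL_RE is an assumption (the extension's `reg` is not shown in the issue), and the function names splitIntoSegments, buildLinkifiedFragment and linkifyTextNodes are hypothetical; the skip list of parent tags is the one from the vulnerable snippet above.

```javascript
// Added example (not gInfinity's code): linkify URLs in text nodes without innerHTML.
// Assumption: gInfinity's `reg` is not shown in the issue, so a plain http(s) matcher is used here.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Parent elements whose text must not be touched (same list as the vulnerable code).
const SKIP_PARENTS = new Set(['A', 'TEXTAREA', 'STYLE', 'SCRIPT', 'META', 'NOSCRIPT', 'PRE']);

// Pure helper: split a string into text and link segments. Kept DOM-free so it can be unit-tested.
function splitIntoSegments(text) {
  const segments = [];
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    if (m.index > last) {
      segments.push({ type: 'text', value: text.slice(last, m.index) });
    }
    segments.push({ type: 'link', value: m[0] });
    last = m.index + m[0].length;
  }
  if (last < text.length) {
    segments.push({ type: 'text', value: text.slice(last) });
  }
  return segments;
}

// Build the replacement nodes with createTextNode / createElement. The original string is
// never parsed as HTML, so "<svg onload=...>" in page text stays literal text, not an element.
function buildLinkifiedFragment(doc, text) {
  const frag = doc.createDocumentFragment();
  for (const seg of splitIntoSegments(text)) {
    if (seg.type === 'link') {
      const a = doc.createElement('a');
      a.setAttribute('href', seg.value); // URL_RE only admits http(s) URLs, so no javascript: hrefs
      a.setAttribute('rel', 'noopener');
      a.textContent = seg.value;         // textContent, not innerHTML
      frag.appendChild(a);
    } else {
      frag.appendChild(doc.createTextNode(seg.value));
    }
  }
  return frag;
}

// Same TreeWalker structure as the extension, but the replacement is built safely.
// In the extension this would be called as linkifyTextNodes(document.body, document).
// Returns the number of text nodes that were replaced.
function linkifyTextNodes(root, doc) {
  const walker = doc.createTreeWalker(root, NodeFilter.SHOW_TEXT, null, false);
  const targets = [];
  let node;
  while ((node = walker.nextNode())) {
    const parentTag = node.parentNode && node.parentNode.tagName;
    if (SKIP_PARENTS.has(parentTag)) continue;
    if (splitIntoSegments(node.nodeValue).some((s) => s.type === 'link')) {
      targets.push(node); // collect first; mutating the tree mid-walk would disturb the walker
    }
  }
  let replaced = 0;
  for (const textNode of targets) {
    textNode.parentNode.replaceChild(buildLinkifiedFragment(doc, textNode.nodeValue), textNode);
    replaced += 1;
  }
  return replaced;
}
```

Two properties carry the security argument: the text node's value only ever reaches createTextNode and textContent, so markup in a search result cannot become elements or event handlers, and the href is set through setAttribute from a value the regex already restricted to http(s), so quotes or spaces in the surrounding text cannot break out of the attribute the way they could in the `'<a href="$1">$1</a>'` string.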
ThomasArdal commented 6 years ago

Thank you for reporting this. Unfortunately, this repo is no longer maintained. If you want I will merge a PR, but no new releases of gInfinity are created. Thanks!

juanschallibaum commented 6 years ago

You are welcome! I'm here to help.

Since there will be no more releases of gInfinity, the solution for users would be to disable converting URLs in text to clickable links from the gInfinity options panel:
