mandatoryprogrammer / CursedChrome

Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims.
MIT License
1.46k stars 220 forks

Improperly handling lazy loading of content. #8

Open mmangione opened 4 years ago

mmangione commented 4 years ago

This plugin fails on pages that load some content after landing and fails to process any loading after a 301 or 302. I suspect it is now confused about the origin of the request. We should probably still process requests from domains where we reside - and that are permitted by the CSP of the page or server.

Try to use this plugin to visit Twitter or Facebook. You'll see the issue right away.

mmangione commented 4 years ago

I suggest we can fix this by changing this:

```javascript
if (details.initiator !== location.origin.toString()) { ... }
```

to this:

```javascript
if (details.initiator !== location.origin.toString() && details.type !== 'xmlhttprequest') { ... }
```