Strip "javascript:" scheme when pasting/dropping into the address bar to prevent socially engineered self-XSS
Categories
(Fenix :: Toolbar, defect)
Tracking
(Not tracked)
People
(Reporter: sharan23103, Unassigned)
References
Details
(Keywords: sec-low)
Attachments
(1 file)
(deleted), application/octet-stream
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Steps to reproduce:
Self UXSS has been identified in the Firefox Android browser.
Normally, while pasting a javascript: URI in the Firefox desktop URL bar/omnibox, the "javascript" word is removed, and also if we type it the XSS won't happen.
But in the Android browser it can be pasted and XSS can be done.
1. Go to any website in Firefox
2. Paste the URL Javascript:alert(1) or Javascript:alert(document.cookie)
Actual results:
SELF UXSS
Expected results:
SELF UXSS
Comment 2•3 years ago
Can confirm.
When fixing watch out for various attempts to bypass naïve matching like bug 1402896 and bug 1439396 (for one, be careful about normalizing before matching). Don't forget about drag-and-drop if that goes through a different path than pasting.
Same problem in Focus. It's a different implementation so I'll clone this bug.
Comment on attachment 9238550 [details]
POC
ISSUE POC FOCUS: https://drive.google.com/file/d/1GuGbG9xrra6BXHPwMtgz8g-uTiO-6bsV/view?usp=drivesdk
ISSUE POC IN FIREFOX: https://drive.google.com/file/d/1EbEaA1DmJTLCfrpqf6RjZR1tvmok-ZA2/view?usp=sharing
Comment 9•3 years ago
This has not been fixed in Focus, see bug 1726050 comment 1.
Comment 10•3 years ago
Sorry for the confusion, this has not been fixed in Focus.
Comment 13•3 years ago
This was resolved by disallowing javascript URIs that the user entered. https://github.com/mozilla-mobile/android-components/pull/11321 and https://github.com/mozilla-mobile/android-components/blob/main/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt#L1114
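As an added illustration of the points raised in comment 2 (naive matching is bypassable, normalise before matching, cover drag-and-drop as well as paste) and of the "disallow user-entered javascript: URIs" fix in comment 13, here is example code that is not Mozilla's and is not taken from android-components. It assumes the WHATWG URL parser as exposed by Node's global `URL`, the sample entries are constructed, and both the paste and the drop path are meant to call the same functions.

```javascript
// Example code (not Mozilla's): classify text pasted or dropped into the address bar as a
// javascript: URI, then refuse it (the Android fix) or strip the scheme (desktop behaviour).

// Naive check: plain prefix match. Misses other casing, leading whitespace, and the
// tab/newline characters that a URL parser discards before it reads the scheme.
function isJavascriptUriNaive(input) {
  return input.startsWith("javascript:");
}

// Robust check: let the WHATWG URL parser (Node's global URL) normalise first. It strips
// leading/trailing C0 controls and spaces, removes ASCII tab/LF/CR anywhere, and
// lower-cases the scheme, so the comparison sees the scheme the browser would act on.
function isJavascriptUri(input) {
  try {
    return new URL(input).protocol === "javascript:";
  } catch (e) {
    return false; // not an absolute URL at all (e.g. search terms), so not javascript:
  }
}

// Same normalisation by hand, so the stripped text matches what was classified above.
function normalizeEntry(input) {
  return input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "") // leading/trailing C0 + space
    .replace(/[\t\n\r]/g, "");                            // tab/newline anywhere
}

// Desktop-style mitigation: drop the scheme so the remainder is treated as a search or a
// plain URL rather than running in the current page's origin. Other entries pass through.
function stripJavascriptScheme(input) {
  if (!isJavascriptUri(input)) return input;
  return normalizeEntry(input).replace(/^javascript:/i, "");
}

// Constructed sample entries (not from the bug report); the first four are all javascript:
// URIs to the parser, but only the first passes the naive prefix check.
const SAMPLE_ENTRIES = [
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "  javascript:alert(1)",
  "java\nscript:alert(1)",
  "https://example.com/",
  "search terms",
];

// Both verdicts per entry, so the gap between the two checks is visible side by side.
function classify(entries) {
  return entries.map((e) => ({ entry: e, naive: isJavascriptUriNaive(e), robust: isJavascriptUri(e) }));
}

console.table(classify(SAMPLE_ENTRIES));
```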
Comment 14•3 years ago
Will I get Hall of Fame or bounty for this submission?
Comment 16•3 years ago
I've added the bounty flag so it will be considered in our next meeting.
Comment 17•3 years ago
Fine, can I know what the bounty flag is?
Regards
Sharan
Comment 18•3 years ago
The bounty flag indicates the status of a bounty; once a bounty is approved or declined it will be changed to + (plus, approved) or - (minus, declined). Right now it's set to '?' so it will show up in our query of 'issues to evaluate' at our next bounty meeting. If a bounty is approved the flag will be changed, and 1-5 days later I'll email you with details about how payment occurs, which typically takes 3-5 weeks from a bounty being approved.
Comment 20•3 years ago
> Same problem in Focus. It's a different implementation so I'll clone this bug.
This turned out to be incorrect: it was not in the front-end UX code as I guessed but in the shared Android Components.
This bug is not eligible for a cash bounty but it is eligible for a Hall of Fame listing.
Comment 21•3 years ago
I don't know how you are saying this is not a security bug.
Yes, this attack needs minimal social engineering, but we can't say this is a non-security bug.
For the attack scenario:
the victim needs to paste this in the URL bar and needs to send some sort of image, i.e. a screenshot, as [social engineering] to the attacker.
Comment 23•3 years ago
We did not say it wasn't a security bug; it is. But as described in our bug bounty policy, vulnerabilities rated moderate or below are not guaranteed a bounty. Because of the level of user interaction required (especially on mobile where it's much more annoying to copy/paste) it was rated sec-low and did not qualify for a bounty; however we will include you in the Hall of Fame.
Comment 24•3 years ago
No, the copy/paste on mobile can be quite easy too.
See this.
An easy, effortless scenario:
A likely victim can easily copy on a website with an easy HTML/JS copy function, i.e. click/tap to copy, and the victim can easily copy via the keyboard clipboard.
https://drive.google.com/file/d/1qxCZk_9AZQS6mTJsSLcaGjuvAAl-V0Sw/view?usp=drivesdk
Comment 28•3 years ago
We discussed it again, but we haven't changed our decision.
Comment 29•3 years ago
I don't know why you have not changed your decision.
Comment 30•3 years ago
We reconsidered the submission but it still does not meet the criteria to receive a bounty. Please do not continue to ask.
Comment 31•3 years ago
I do know this is a low severity bug.
Lastly, you only stated this:
"on mobile where it's much more annoying to copy/paste."
So I thought that for this reason alone this doesn't meet at least a low level severity.
As the reporter, if I know the reason for the decision, I can avoid reporting this kind of issue.
Even I don't want to waste my time here.
Comment 32•3 years ago
Bugs are for bug (defect) information; if you want to discuss bounty stuff please don't bother the developers (here in this bug) with it but mail the address given for our Bug Bounty program. You also may find the FAQ answers many of your questions. The program is directed primarily to stimulate research into finding bugs such as memory corruption that can lead to browser or even computer compromise ("0-days").
Please honor our Bugzilla participation rules.