Open-source software name: c0d3G33k/Firefox-QR-Code-Reader-XSS
Open-source software address: https://github.com/c0d3G33k/Firefox-QR-Code-Reader-XSS
Open-source software introduction:

Firefox iOS QR Code Reader XSS (CVE-2019-17003)

One of the most common ways to navigate to a website or URL is by typing the address into the browser's address bar. This gets frustrating when the address is complex and includes some kind of token, and that is where a QR code scanner comes in handy: you scan a QR code and are either redirected to the encoded URL or shown the fetched information on your screen. Almost all of us scan random QR codes in many places, but have you ever wondered what could go wrong if a trusted QR scanner is not implemented correctly? According to this tweet by Firefox, the QR scanner has been supported in Firefox since version 10.

Here is a quick image that shows how we can use a QR code for navigation.

So what could go wrong? As an evil mind, the first strategy is to always look for the different
Will the browser treat them like normal text, or will it execute them as JavaScript code? Let's figure it out. Now all we need is a website that can generate a QR code from our input; I found https://www.the-qrcode-generator.com/ pretty easy to use. Next, let's navigate to

It could be simpler in the following way:

But I like the fetch API. The above code tries to fetch the source of the domain the user last visited. Let's suppose our user is on google.com and then decides to navigate to another address by scanning the QR code. In this case, as soon as the user scans the QR code, the source of the current domain is prompted to the user, since Firefox evaluated the

Since we have JavaScript code execution on the current domain, we can steal the user's data, cookies and what not! And if you think this is limited to the web address, you might be wrong. Let's explore other places. The first thing that came to my mind is the browser's reader mode.

XSS In Reader Mode
I tried the same exploit while the document was rendered in reader mode and it worked, as demonstrated in the image below. Did you notice that the JavaScript code executed in reference to

XSS In Local Files
Next, we tried the same attack on local files, and that worked fine for us too, as demonstrated in the image below. One more thing we can do here is load local files by making a QR code with a local file URI like

XSS In Internal Pages
Apart from domains, reader mode and local files, we can also XSS the browser's internal pages; in the case of Firefox they run under

CSP Bypass
It turns out this vulnerability also bypasses CSP. Let's suppose a website only allows content that comes from the site's own origin, as given below:

even if you are on

Other sources
Next, I tried to find other sources as well, and I found that we can search selected text using the same or another browser.

Here also, if the selected text is
But still, we can navigate the user to other malicious websites.

Other browsers
Apart from Mozilla, Opera Mini for iOS devices was also affected. We reported this vulnerability to Opera, but they have not responded to us.

Root cause
Till version 19, Firefox was supporting
After reporting this bug, Firefox has removed

Advisory: https://payatu.com/advisory/firefox-ios-qr-code-reader-xss