
[vulnerability] Scripts containing __hook__ can skip hooking via textContent property #207

Closed
t2ym opened this issue Jan 3, 2018 · 0 comments


t2ym commented Jan 3, 2018


Root Cause

  • Recognition failure of scripts without hooking when they contain __hook__ strings, even in string literals, if script.type is set to a non-JavaScript MIME type and then reconfigured as one of the JavaScript MIME types or empty.

Possible Fix

  • Script contents are always recognized as JavaScript regardless of their configured MIME types.

Reproducible Code Examples

    {
      // Fake hooked script vulnerability #1 - setAttribute('type')
      addEventListener('load', function () {
        let script = document.createElement('script');
        // Content is assigned while the type is non-JavaScript, so it is not hooked
        script.setAttribute('type', 'text/plain');
        script.textContent = `
          chai.assert.throws(() => {
            // __hook__
            {
              let c = caches;
              console.log(c);
            }
          }, /^Permission Denied:/);`;
        // Switching back to a JavaScript type executes the unhooked content
        script.setAttribute('type', 'text/javascript');
        document.head.appendChild(script);
      });
    }
    {
      // Fake hooked script vulnerability #2 - .type property
      addEventListener('load', function () {
        let script = document.createElement('script');
        // Same sequence via the .type property instead of setAttribute()
        script.type = 'text/plain';
        script.textContent = `
          chai.assert.throws(() => {
            // __hook__
            {
              let c = caches;
              console.log(c);
            }
          }, /^Permission Denied:/);`;
        script.type = 'text/javascript';
        document.head.appendChild(script);
      });
    }
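The sequence above, as an added example that is not thin-hook's own code: a simplified model of a script element with a type-gated rewriter next to the always-rewrite variant described under Possible Fix; `hook()`, the element classes and `simulateBypass()` are stand-ins assumed here, not the library's API.

```javascript
// Constructed model of the reported bug: hooking gated on the script type at
// the moment textContent is assigned versus hooking unconditionally.
const JS_MIME_TYPES = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// Stand-in for the real instrumentation: just tag the source so we can tell
// whether the rewriter ran on it.
function hook(source) {
  return '/* hooked */ ' + source;
}

// Naive element: content is hooked only if type looks like JavaScript when
// textContent is set. A later change to type is never re-checked.
class NaiveScriptElement {
  constructor() { this.type = ''; this._content = ''; }
  set textContent(src) {
    this._content = JS_MIME_TYPES.has(this.type) ? hook(src) : src;
  }
  get textContent() { return this._content; }
  // What the browser would run once the element is inserted, if type is JS.
  contentToExecute() {
    return JS_MIME_TYPES.has(this.type) ? this._content : null;
  }
}

// Fixed element: content is always treated as JavaScript and hooked, so
// reconfiguring type afterwards can never expose unhooked executable code.
class FixedScriptElement extends NaiveScriptElement {
  set textContent(src) { this._content = hook(src); }
  get textContent() { return this._content; }
}

// Replay the issue's sequence: non-JS type, assign content, switch type back.
function simulateBypass(ElementClass) {
  const script = new ElementClass();
  script.type = 'text/plain';
  script.textContent = 'let c = caches; // __hook__';   // constructed sample
  script.type = 'text/javascript';
  return script.contentToExecute();
}

function isHooked(src) {
  return src !== null && src.startsWith('/* hooked */');
}
```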
t2ym added a commit that referenced this issue Jan 3, 2018
@t2ym t2ym closed this as completed in 921bd17 Jan 3, 2018